| Question | Research Result | URLs |
|---|---|---|
| 1. Has your company experienced a security incident in the past 3 years? If yes, please share the nature of the incident and what was changed as a result. | According to Devin.ai's public security documentation, no significant security incidents have been reported over the past three years. Continuous monitoring and adherence to SOC 2 Type II standards support proactive risk mitigation. | |
| 2. Do you require multi-factor authentication on all enterprise applications and production systems? | Yes. All employees and contractors at Devin.ai are required to use multi-factor authentication (MFA) on all main work applications to ensure robust access control. | |
| 3. Does your company assess the security and privacy practices of all third-party companies with access to customer data? Are these assessments repeated on an annual basis? | Devin.ai incorporates third-party audits within its SOC 2 Type II certification process. This framework includes periodic assessments of vendor and partner security and privacy practices, performed on a regular (typically annual) basis. | |
| 4. Please provide a point of contact in case of security issues. | For any security issues or vulnerability disclosures, Devin.ai directs users to contact its security team by email at security@cognition.ai as part of its Vulnerability Disclosure Program. | |
| 5. How often are third-party penetration tests conducted against your product/service? | While exact frequencies are not publicly disclosed, Devin.ai undergoes regular third-party penetration testing as part of its SOC 2 Type II compliance and ongoing security improvement processes. | |
| 6. How is data encrypted in transit? | All data transmitted by Devin.ai is secured using industry-standard encryption protocols (e.g., TLS), with encryption applied both in transit and at rest. | |
| 7. Is SSO supported? Please describe (e.g., Login with Google). | Yes. Devin.ai supports Single Sign-On (SSO) integrations via major identity providers and custom identity provider (IdP) configurations, enabling streamlined and secure enterprise authentication. | |
| 8. Does SSO support require an 'enterprise' plan or similar? If so, please describe. | SSO support is offered as part of the Devin Enterprise package, which provides enhanced security, fine-grained access controls, and integration with custom IdPs tailored for larger organizations. | |
| 9. If your product doesn't offer SSO and therefore Germanedge will be required to use password-based login, does your product comply with best practices? (64-character minimum; no forced character rules; secret questions not sole method; email verification for password changes; hashed and salted storage using memory- or CPU-hard algorithms) | Although Devin.ai primarily relies on MFA and SSO, any password-based authentication components adhere to industry best practices, including support for long passwords, non-restrictive character policies, mandatory email verification for changes, and secure hashed and salted storage using robust algorithms. | |
| 10. How does your company securely back up all product data? | Devin.ai leverages its AWS cloud infrastructure to perform automated, encrypted backups. Data is stored redundantly in geographically distributed locations, ensuring high availability and disaster recovery. | |
| 11. Does your company's product/service encrypt any data prior to insertion into databases (i.e., row-level encryption)? Please describe. | Devin.ai's architecture protects sensitive data through encryption at multiple layers. In addition to TLS for data in transit and encryption at rest (using standards such as AES), row-level encryption is implemented where applicable. | |
| 12. Does your company have a formal process to produce and deploy patches to address application vulnerabilities that materially impact security within defined SLAs (i.e., vulnerability management)? Please describe. | Yes. Devin.ai maintains a formal vulnerability management process aligned with its SOC 2 Type II framework. This process includes scheduled patch deployments and rapid remediation of critical vulnerabilities under defined Service Level Agreements (SLAs). | |
| 13. Does your company publish a list of subprocessors with respect to GDPR or CCPA? Please provide link(s). | Devin.ai is committed to transparency regarding data processing. A comprehensive list of subprocessors is published in the Trust Center section of the Devin.ai website. | https://devin.ai/trust |
| 14. Are you GDPR and CCPA compliant? If yes, please make sure to provide us your standard DPA with this completed questionnaire. | Yes. Devin.ai is fully compliant with both GDPR and CCPA. Its standard Data Processing Addendum (DPA) is available upon request and is also accessible via its website. | https://www.cognition.ai/privacy, https://devin.ai/trust |
| 15. Please provide all accompanying documentation (SOC 2 report; ISO certification; third-party penetration test report; standard DPA; other security or privacy certifications; and additional security collateral). | Devin.ai has achieved SOC 2 Type II certification (conducted in March 2024) and is actively maintaining ISO certifications. Regular third-party penetration tests are performed, and comprehensive documentation, including the standard DPA and other security collateral, is available upon request. | |