Infrastructure
COLA Cloud runs on Amazon Web Services (AWS) with Snowflake as the data warehouse and Cloudflare for CDN, WAF, and DNS. All infrastructure providers maintain SOC 2 Type II certifications.

| Property | Detail |
|---|---|
| Compute & storage | AWS (managed compute, managed relational database, object storage) |
| Data warehouse | Snowflake |
| CDN / WAF / DNS | Cloudflare (DDoS protection, bot mitigation, DNSSEC) |
Authentication & Access Control
- Customer authentication: Email/password with secure hashing, or Google OAuth 2.0
- API authentication: Bearer token (API keys), scoped to individual user accounts
- MCP authentication: Bearer token passthrough using customer’s API key
- Internal access: Key-based authentication only; no password-based access to production systems
Data in Transit
All data in transit is encrypted via TLS 1.2 or higher. Unencrypted HTTP requests are redirected to HTTPS. API endpoints enforce HTTPS and reject plaintext connections.
Data at Rest
| Component | Encryption |
|---|---|
| Application database | AES-256, managed encryption keys |
| Data warehouse | AES-256, managed by Snowflake |
| Object storage | Server-side encryption, versioning enabled |
| Backups | Encrypted, automated |
Payment Processing
COLA Cloud does not store, process, or have access to customer credit card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Customer billing is managed entirely through Stripe’s hosted checkout and billing portal.
Data Handling
What We Store About Customers
- Account information (name, email)
- Stripe customer ID (for billing)
- API keys (hashed)
- Usage metrics (request counts per billing period)
What We Don’t Store
- Credit card numbers or payment method details (handled by Stripe)
- Customer query content or search history beyond usage counts
Licensed Data
The COLA dataset consists of public government records and proprietary enrichments. It does not contain personal consumer data. Applicant business information (company names, permit numbers, business addresses) originates from the TTB’s public registry.
Incident Response
- Breach notification: Customers will be notified within 72 hours of discovering any unauthorized access to their account data
- Post-mortems: Written root cause analysis provided for significant incidents
- Contact: Security concerns can be reported to help@colacloud.us
What We Don’t Have (Yet)
In the interest of transparency:
- SOC 2 report — COLA Cloud does not currently hold a SOC 2 certification. Our infrastructure providers (AWS, Snowflake, Stripe, Cloudflare) each maintain their own SOC 2 Type II certifications.
- Penetration testing — No formal third-party penetration test has been conducted.
- Bug bounty program — Not currently offered.
- Business continuity plan — Disaster recovery relies on managed cloud services (automated backups, multi-AZ durability). No formal BCP document exists.
Questions? Contact help@colacloud.us

