
In all areas of our SDLC from the infrastructure to the application, we apply best practices like minimum privileges, separation of roles, and effective monitoring. The Coherence Control Plane itself is hosted on Google Cloud Platform. We have achieved SOC 2 Type II compliance (with Vanta), including:

  • A Risk Assessment
  • Employee education and training
  • Information Security Auditing (SOC 2 Type I and II, HIPAA)

Coherence operates a program for responsible disclosure. A copy of the SOC 2 report is available upon request and under NDA.

Data Access

Coherence has access to 2 important services: your source provider (GitHub, GitLab, Bitbucket) and your cloud provider (GCP, AWS, Azure, etc.).

Source Provider Access


On GitHub, we use a GitHub app installed on Coherence-enabled repos in order to receive webhooks for push events and create check runs to communicate CI status. We can also support a Personal Access Token (PAT) if you prefer - just shoot us a note.

Users OAuth to our GitHub app and receive repo-scoped tokens that Coherence stores and uses to authenticate users automatically for our Workspaces, as well as when submitting builds or creating branches from our UI.

Your source code is accessed by our automated systems in the process of building and deploying your application. Any copies of such source code are only stored while they are being processed (they are deleted at the end of the jobs), and Coherence employees do not have direct access to such copies. Additionally, all job processing is done on ephemeral instances which are routinely replaced and do not have long-lived storage, further reducing the risk of accidental access to your source code. Excepting emergency procedures for bugs or other incidents, your source code will not be seen by Coherence employees or stored on Coherence systems (e.g. employee workstations).

Cloud Provider Service Account

You are always in control of what role this account has and can audit or remove access at any time via your cloud provider's IAM tools. This service account is used to manage resources in your cloud account on your behalf, and generates further service accounts for more granular use as/where appropriate. Wherever possible, Coherence uses best practices like Workload Identity to minimize key handling, as well as systems such as Cloud KMS to encrypt the keys we do store at rest.

Excepting emergency procedures for bugs or other incidents, Coherence employees do not have access to act as the service account you grant access to. We encourage you to use the auditing tools available in your cloud platform to monitor all of your important systems for unexpected access to production data or configuration.

It's important to note that you can grant access to new "test" accounts in either system when first testing Coherence - you don't need to connect to your current cloud projects and data until you want to use existing databases in those projects.


On GCP, you grant a Coherence-managed service account (that we generate uniquely for each application) an "Owner" role (or otherwise a custom role, which still requires enough permission to manage your account) in your cloud IAM controls.
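One way to run the audit described above, as an added example that is not Coherence's own code: it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports every role a given vendor service account holds, flagging basic roles such as Owner. The policy, the service account name and the function names are constructed for illustration.

```python
import json

# Basic roles grant broad, project-wide access and are the first to narrow.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy; the vendor service account name is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:vendor-app-123@vendor-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:vendor-app-123@vendor-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["group:devs@example.com"]}
  ]
}
""")

def audit_member(policy, member):
    """Return one finding per binding that includes `member`, sorted by role."""
    findings = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if member not in members:
            continue
        role = binding["role"]
        findings.append({
            "role": role,
            "basic_role": role in BASIC_ROLES,
            "conditional": "condition" in binding,  # IAM condition attached
            "shared_with": len(members) - 1,         # other principals in binding
        })
    return sorted(findings, key=lambda f: f["role"])

def needs_review(findings):
    """Roles worth replacing with a narrower custom role."""
    return [f["role"] for f in findings if f["basic_role"]]

if __name__ == "__main__":
    sa = "serviceAccount:vendor-app-123@vendor-project.iam.gserviceaccount.com"
    results = audit_member(SAMPLE_POLICY, sa)
    for finding in results:
        print(finding)
    print("review:", needs_review(results))
```
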


On AWS, we create an IAM user in an account that we control. This same IAM user is then granted permission, by you, to manage resources on your behalf.

Vendor Risk

We know that Coherence, when used fully, takes on a critical role in your software team. Choosing a vendor that will become a daily part of your engineering workflow is not a decision to be taken lightly. As part of our own diligence into vendors, we think about things the same way.

We break the risk of choosing Coherence as a vendor into 3 parts, and address each part below:

  • Company solvency: will we still be around in X years?
  • Impact radius: if we went away overnight, would your company stop running?
  • Security and privacy risk: is choosing Coherence going to get your company hacked?


Coherence is founded by an experienced team of tech leaders. We are funded by tier-A venture capital firms and a group of accomplished angel investors. We have substantial runway remaining, and strong prospects for continued growth and financing. Each customer we add makes our company stronger, so by using Coherence you're de-risking this part of the choice.

Impact Radius

We have designed our system from the ground up to remove as much of the risk to your uptime from Coherence's actions as possible. In fact, it's one of the strongest reasons to choose Coherence over an alternative such as a Platform-as-a-Service. If we were to vanish overnight with no warning, nothing would happen to your already deployed environments or resources, and your customers would not notice that anything had changed. Ultimately, Coherence sits between your developers and your cloud, not your cloud and your users.

  • Environments without a custom domain, which use a URL, will have a dependency on the DNS systems and domain registration for remaining available. You can apply a custom domain to each environment on a per-environment basis in Coherence, and it's unlikely that a customer-facing environment would use such a domain.

That said, we want to highlight both the gap that our disappearance would create as well as the steps we would plan to take if we did choose to wind down. To state it clearly, we do not intend to disappear with no warning, but rather to work as your partner in the unlikely event that this becomes necessary.

  • The cnc project makes it possible for you to seamlessly migrate off Coherence in the event of our dissolution. It also makes Coherence the least locked-in option among developer platforms in general. With cnc, the core provision/build/deploy logic of Coherence is in an open-source, MIT-licensed, infra-as-code framework that you can customize and run anywhere. All you'd need to do is something like this CI/CD Workflow to get your environments running outside Coherence if you needed to.

Security and Privacy Risk

As outlined in the rest of this document, Coherence takes every commercially reasonable measure to architect our systems for low risk to your data and customers. You always remain in control of our access to your cloud systems, and can audit our activity continuously using systems we do not control. Additionally, you can revoke our access at any time.

Responsible Disclosure

Please report any bugs, vulnerabilities, publicly available/hosted confidential information, or other relevant information to We'd appreciate it if you granted us private notice at that address before any public disclosure.


You agree to two different terms and conditions during your use of Coherence.

  • The Terms of Use and Privacy Policy on govern the information collected on our public marketing site and associated pages.
  • The Trial Use Agreement governs our use of the application at beta | and the information we collect in the course of providing the services to you and your team. You accept these terms when you register your team on our platform. If you have any questions or concerns about the agreement, please reach out to and we'll be happy to discuss them.