🔒 Security & Trust

Built for security teams who actually read the docs.

CockpitCopilot is a Chrome extension that reads call transcripts and generates Gainsight-ready output. Here's exactly how it handles your data, what permissions it requests, and why.

We respond to security review requests within 48 hours.

Data Flow

Three surfaces, three data flows. That's the whole system.

Outbound trip

Your call recorder (Gong native; Fireflies, Supernormal, Fathom, Chorus, Otter.ai, Zoom via manual paste)
│ transcript only — no audio, no video
↓
Your Chrome extension (local, in-browser)
│ the ONLY thing that leaves your browser
↓
api.anthropic.com (Claude AI)
│ returns structured JSON
↓
Side panel in your browser
│ you review, edit, copy
↓
Gainsight DOM (autofill via active browser session for CTAs/Activities, no API credential, live now)
Gainsight API (Success Plans and Milestones, when your admin connects)

Transcripts never land on any CockpitCopilot server. Gainsight session cookies are never read or stored. There is no analytics or telemetry pipeline.

What we store

Locally only. On your machine.

Your settings
Org config, recorder preference, name + role. Stored in chrome.storage.local. Never synced anywhere.
Your auth token
Issued by our backend after sign-in. Used to authenticate API calls. Lives in chrome.storage.local.
Recent call history (titles + dates)
So you can re-open past results without re-running. Local cache only.
Server-side API key
The Anthropic API key lives on our server as an env var. Never exposed to the extension or your browser.
Web search (Pro/Team)
On Pro and Team, Claude's built-in web search tool researches the customer's company for news and strategic insights. Cached by Anthropic, not by us.
What we do NOT store

Anywhere. Ever.

Call transcripts
The transcript is sent to Anthropic and discarded. Not on our server. Not in our database. Not in our logs.
Gainsight session cookies
The extension cannot read or transmit Gainsight credentials. We only read the URL and page title to detect that you're on Gainsight.
CRM data
Account names, contact info, deal values — none of it is captured or stored by CockpitCopilot.
Training on your data
Anthropic does not train on API traffic. We do not train or fine-tune on your transcripts. Full stop.
Analytics or tracking
Zero third-party trackers. No Segment, no Mixpanel, no Google Analytics in the extension.
Chrome Extension Permissions

Every permission, with a plain-English reason.

Most extensions never explain their permissions. Here's exactly what we request and why — plus what we deliberately do not.

storage
Save your settings, auth token, and recent call list locally in chrome.storage.local.
tabs
Find the active Gong tab so we know which transcript to read. (Other recorders use manual paste — no tab access needed.)
debugger
Read transcript text from your call recorder via Chrome DevTools Protocol — required because Gong renders transcripts inside a Shadow DOM with lazy loading that blocks normal DOM access.
Chrome will show a yellow banner at the top of your call recorder tab when this is active. That's expected. The permission is detached the moment we finish reading. It is never used on Gainsight or any other site.
sidePanel
Render the CockpitCopilot side panel that stays open while you work.
identity
Google Calendar OAuth — only if you opt in to the Today tab pre-call briefs.
Optional. Skipping it disables the Today tab; everything else still works.
What we do NOT request
webRequest · scripting · activeTab · identity (unless you enable Calendar) · <all_urls> host permission
Host permissions are scoped to the four recorder domains plus api.anthropic.com only. Nothing else.
Note for IT teams that block debugger extensions
The debugger permission is used only for transcript reading from your call recorder — never on Gainsight. Copy mode works fine even if your IT policy blocks debugger usage on Gainsight; the copy-paste flow doesn't require it. If your policy is a blanket block on all debugger-using extensions, contact us — there's a future Manifest V3 declarativeNetRequest path we can prioritize for your team.
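As an added illustration of the attach-then-detach discipline this section describes (example code, not CockpitCopilot's own), the wrapper below refuses to attach unless the tab's hostname is on a recorder allowlist and detaches in a finally block, so a failed read cannot leave the DevTools banner up or the session attached. The recorder hostnames, the tab objects and the fake debugger API are constructed for this example; in an extension the debuggerApi argument would be chrome.debugger.

```javascript
// Added example, not CockpitCopilot's code: a guarded attach/sendCommand/detach
// cycle. `debuggerApi` is injected so the logic can run outside Chrome with a
// fake; in the extension it would be the promise-returning `chrome.debugger`.

// Constructed allowlist of recorder hosts (placeholders, not real domains).
// Gainsight hosts are deliberately absent: the permission is never used there.
const RECORDER_HOSTS = new Set([
  "app.gong.example", "app.fireflies.example",
  "app.supernormal.example", "app.fathom.example",
]);

// Exact https hostname match only: no subdomain wildcards, no plain http.
function isAllowedRecorderUrl(url, allowedHosts = RECORDER_HOSTS) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === "https:" && allowedHosts.has(parsed.hostname);
}

// Attach, run the caller's read, and always detach, even when the read throws.
async function withScopedDebugger(debuggerApi, tab, allowedHosts, readFn) {
  if (!isAllowedRecorderUrl(tab.url, allowedHosts)) {
    throw new Error(`refusing to attach debugger to ${tab.url}`);
  }
  const target = { tabId: tab.id };
  await debuggerApi.attach(target, "1.3");
  try {
    return await readFn((method, params) => debuggerApi.sendCommand(target, method, params));
  } finally {
    await debuggerApi.detach(target); // runs on success and on failure
  }
}

// Fake debugger API for offline use; records the call sequence for inspection.
function makeFakeDebugger({ failOnCommand = false } = {}) {
  const calls = [];
  return {
    calls,
    async attach(target, version) { calls.push(["attach", target.tabId, version]); },
    async sendCommand(target, method) {
      calls.push(["sendCommand", target.tabId, method]);
      if (failOnCommand) throw new Error("simulated CDP failure");
      return { result: { value: "constructed transcript text" } };
    },
    async detach(target) { calls.push(["detach", target.tabId]); },
  };
}

// Reads a transcript with a single CDP call; returns the text, any error,
// and the recorded call sequence so the detach guarantee can be checked.
async function readTranscriptDemo(tab, opts) {
  const api = makeFakeDebugger(opts);
  let text = null;
  let error = null;
  try {
    text = await withScopedDebugger(api, tab, RECORDER_HOSTS, async (send) => {
      const r = await send("Runtime.evaluate", { expression: "document.body.innerText" });
      return r.result.value;
    });
  } catch (e) {
    error = e.message;
  }
  return { text, error, calls: api.calls };
}
```

The allowlist check happens before attach, so a Gainsight tab produces no debugger activity at all, and the finally block is what turns "detaches cleanly after every operation" from a convention into a guarantee.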
Internal Security Audit

12 of 12 checks pass.

Every release is run through this checklist before shipping. Source code is available under NDA for security teams that want to audit independently.

#   Check                    Result   Notes
1   Permissions              ✓ Pass   Scoped to 4 recorder domains + api.anthropic.com only
2   Data flow                ✓ Pass   Transcript → Anthropic only. Nothing to CockpitCopilot servers
3   Content Security Policy  ✓ Pass   No unsafe-eval, no unsafe-inline. Explicit allowlist
4   Auth token storage       ✓ Pass   chrome.storage.local. Never sent to third parties
5   CDP usage                ✓ Pass   Transcript scraping only. Detaches cleanly after every operation
6   Network requests         ✓ Pass   Single outbound: api.anthropic.com. Zero analytics or tracking
7   Content scripts          ✓ Pass   Reads URL and page title only. Sends nothing externally
8   XSS prevention           ✓ Pass   esc() helper used consistently. No innerHTML with user data
9   API payload safety       ✓ Pass   Payload constructed safely. Transcript content stays out of API paths
10  Logs                     ✓ Pass   Zero console.log statements in production. Verified by grep
11  Third-party code         ✓ Pass   Zero external runtime dependencies. No CDN resources
12  Extension hardening      ✓ Pass   Sender validation, no externally_connectable, scoped CSP
Compliance Posture

Honest about where we are.

SOC 2 Type I
In progress. Targeting Q3 2026. Not overclaiming โ€” happy to walk security teams through our current controls.
Chrome Web Store
Verified developer. Every release goes through Google's automated and manual review.
Source code review
Available under NDA for enterprise security teams. Email .
Data Processing Addendum
Available on request for Team-tier customers. Standard SCCs included.
Hard Boundaries

What CockpitCopilot deliberately cannot do.

  • ✕ Read passwords or vault data from any password manager.
  • ✕ Access password manager extensions or apps. They are isolated by Chrome's permission model.
  • ✕ Make network requests outside the four recorder domains and api.anthropic.com.
  • ✕ Store transcripts on any CockpitCopilot server.
  • ✕ Operate when the user is not actively signed in.
  • ✕ Access tabs the user has not explicitly opened.
  • ✕ Execute arbitrary code — no eval, no unsafe-inline, strict CSP.
Enterprise readiness

The procurement bar most large companies hold their tools to. Honestly listed.

Some items below are live today. Others ship under Enterprise contracts on a committed timeline. Both sets are listed below — honestly.

Live today

Available on Enterprise contracts

  • SAML 2.0 SSO — Okta, Microsoft Entra, Google Workspace, OneLogin, PingIdentity.
  • SCIM 2.0 user provisioning — Okta, Microsoft Entra, Google Workspace.
  • Admin audit logs with CSV export.
  • Annual billing, purchase orders, NET-30/60 payment terms.
  • Custom MSA negotiable. DPA on file.
  • EU data residency.
  • 30-day evaluation period for IT/security review.

Compliance posture

  • SOC 2 Type II audit prep underway. Type I report available under NDA.
  • SIG-Lite and CAIQ-Lite vendor questionnaire responses available under NDA.
  • Annual third-party penetration testing.
  • Sub-processor changes communicated to admin contacts at least 30 days in advance.

For IT and security teams: response within 48 hours. Most vendor questionnaires already answered. Request the prepared response packet through .

Security Review

Bring your security team. We respond fast.

Have a vendor security questionnaire? Need to walk through the data flow with your CISO? Want source code under NDA? We answer all three within 48 hours and we don't try to send a salesperson first.
Last reviewed and updated April 25, 2026 · Version 2.0