Frequently Asked Questions

Answers to the most common questions about CoComply implementation, platform features, and data governance.

Getting Started

How long does a typical CoComply implementation take?

Most institutions complete the core platform setup, including SSO configuration, organizational hierarchy, and initial data asset import, within 4 to 6 weeks. Full certification program operationalization typically takes 3 to 6 months, depending on which reports are in scope.

What data does CoComply store?

CoComply stores metadata about your data assets, including names, descriptions, ownership assignments, quality scores, and certification status. CoComply does not store the underlying data itself. All metadata is encrypted at rest and in transit.

Does CoComply integrate with our existing data catalog?

Yes. CoComply integrates with Microsoft Purview, Collibra, Alation, and Informatica through standard APIs. Custom integrations are also supported through CoComply's open API. Contact your implementation team for integration configuration guidance.

What authentication methods does CoComply support?

CoComply supports SAML 2.0 and OIDC for enterprise SSO. Supported identity providers include Microsoft Entra ID, Okta, Ping Identity, and any OIDC-compliant provider. Username and password authentication is available for environments without SSO.

Certification and Compliance

How does CoComply handle the FFIEC 041 Call Report?

CoComply maintains a pre-built CDE library mapped to MDRM codes across all FFIEC 041 schedules. This library is maintained by CoComply and updated when FFIEC issues instruction changes. Institutions import their specific CDE scope and assign ownership using this library as the starting point.

Can we file a regulatory report with open certification exceptions?

Yes. CoComply supports filing with documented exceptions. When a CDE fails certification, you can log a structured finding with root cause and remediation plan, mark the CDE as filed with exception, and include the finding in your audit evidence package.

How does CoComply support OCC examinations?

CoComply generates examination evidence packages aligned to OCC examiner request formats. These packages include certification records, policy documentation, issue logs, and governance metrics. The platform also includes an exam readiness module with a structured pre-exam checklist.

Is CoComply SOC 2 Type 2 certified?

Yes. CoComply achieved SOC 2 Type 2 certification covering the period November 2025 through February 2026 with zero exceptions. The audit covered security, availability, and confidentiality trust service criteria.

Platform and Security

What cloud infrastructure does CoComply run on?

CoComply is hosted on Microsoft Azure with deployment in US-based regions. The platform uses Azure Kubernetes Service for compute, Azure SQL for structured data, and Azure Blob Storage for document storage. All data remains within the United States.

How is data isolated between clients?

Each client organization has a dedicated logical data partition with separate encryption keys. CoComply employees cannot access client data without explicit written authorization. All access is logged to an immutable audit trail.

What uptime SLA does CoComply provide?

CoComply provides a 99.9 percent uptime SLA for production environments. Planned maintenance windows are scheduled outside of business hours with advance notice. Status updates are available at status.cocomply.ai.

How do I report a security issue?

Security issues should be reported to security@cocomply.ai. CoComply maintains a responsible disclosure policy and will acknowledge reports within 24 hours. Critical issues are escalated immediately to the engineering and executive teams.