Your data. Protected.

Choco is built for foodservice distributors and manufacturers who need a secure, reliable platform. Here is how we protect your business and your data.


SOC 2 Compliance

Built to meet your procurement standards.

Choco's SOC 2 compliance covers three Trust Services Criteria: Security, Availability, and Confidentiality — independently verified by a third-party auditor.

SOC 2 Compliance Report

Covers Security, Availability, and Confidentiality criteria with independent auditor opinion and management assertions.

GDPR Compliance

Lawful basis, data minimisation, purpose limitation, and data subject rights — including deletion — are embedded into our operational practices. Standard Contractual Clauses (SCCs) or similar transfer mechanisms are in place for data transfers to processors based outside of the EU.

Annual Policy Reviews

Our Information Security Policy is reviewed annually and updated to reflect changes in technology and risk. All employees formally acknowledge security policies.

Contractual Commitments

Security, confidentiality, and data protection obligations are documented in Choco's Master Service Agreement (MSA), Terms of Service, and DPA.

Data protection

How we protect your data.

Choco does not sell customer data. We implement technical and organisational measures to protect customer personal and business data at every stage of its lifecycle.

Data Hosting & Location

All customer data is hosted on Amazon Web Services (AWS). Data does not leave approved regions without explicit authorisation and appropriate safeguards.

Data Minimisation

We only collect and process what is necessary to operate your platform. Purpose limitation and minimisation govern every decision about what data we handle.

Retention & Deletion

Data is retained only as long as necessary for defined business purposes. Deletions are handled through a verified, documented process to prevent unintended data loss.

Infrastructure & Hosting

Enterprise-grade infrastructure on AWS.

Choco's production systems run on Amazon Web Services within private, restricted environments designed for reliability, isolation, and security.

AWS

All production infrastructure runs on AWS, satisfying GDPR data residency requirements.

Private VPC Environments

All production infrastructure runs within private, VPC-restricted environments. Network access is controlled via security groups and is not exposed to the public internet.

Code Review & Deployment Controls

All code and infrastructure changes go through a mandatory peer review process before deployment. Changes are deployed via automated pipelines, reducing the risk of manual error.

Automated Vulnerability Scanning

Automated scanning tools check for known vulnerabilities in dependencies and infrastructure as part of every deployment, before changes reach production.

Access is earned, not assumed.

Choco uses Okta as its centralised identity provider, with MFA enforced and least-privilege access as the default across every system.

Okta identity provider

Access to all internal systems and applications is managed through Okta, providing centralised identity control and a single governance layer across the organisation.

MFA Enforced - No Exceptions

Multi-factor authentication is required for all employees and all administrative access. There are no bypass paths or exemptions.

Role-Based Access Control

Access is granted on a least-privilege basis tied strictly to job responsibilities. Critical systems undergo quarterly access reviews to ensure permissions remain appropriate.

Access Revoked on Departure

When an employee leaves Choco, all access to internal systems and production environments is revoked immediately. Privileged access activity is logged for auditability.

Application Security

Every code and infrastructure change is reviewed by at least one other engineer before deployment.

Dependencies and infrastructure are scanned automatically on every deployment to detect known vulnerabilities before they reach production.

Test and production environments are fully isolated. Production customer data is never used in testing.

Third-party penetration tests of the production environment are conducted at least annually. Findings are tracked and remediated with defined timelines.

Infrastructure and applications are monitored continuously for known vulnerabilities and suspicious activity.

Monitoring

Infrastructure and applications are monitored around the clock with alerts routed to an on-call team with defined response procedures.

Application and infrastructure logs are centrally collected and monitored for operational visibility and security investigations.

Choco maintains a documented incident response plan with defined roles, responsibilities, and step-by-step procedures for identifying and resolving security incidents.

In the event of a confirmed incident affecting customer data, Choco will notify affected customers without undue delay, in line with contractual and regulatory obligations.

Every significant incident is followed by a structured review. Root causes are documented and process improvements are actioned.

Legal and documentation

Everything in writing

All security, data protection, and service obligations are documented in Choco's legal agreements.

Master Service Agreement

Our MSA covers service terms, responsibilities, and commitments — including software and service descriptions.

Data Processing Agreement

Our DPA sets out how Choco processes personal data on your behalf, including sub-processor obligations and the technical and organisational security measures we apply.

Privacy Policy and more

Access our full legal library including Terms of Service, Privacy Policy, and Software Descriptions.

READY TO SEE HOW CHOCO PROTECTS YOUR OPERATIONS?


Whether you are a regional distributor or a national manufacturer, our team can walk you through every control and answer your compliance questions directly.

Found a vulnerability? Tell us.

We take every security report seriously. If you have identified a potential issue in Choco's platform or infrastructure, reach out to our security team directly. We will acknowledge, investigate, and respond promptly.

Contact: security@choco.com