---
title: Choco Security
date: 2026-03-25T15:45:00+01:00
author: Chris Pomfret
canonical_url: "https://choco.com/us/security"
section: Pages
---
Your data. Protected.

Choco is built for foodservice distributors and manufacturers who need a secure, reliable platform. Here is how we protect your business and your data.

[Visit Trust Center](https://trust.choco.com/)

 ### SOC 2 Compliance

## Built to meet your procurement standards.

Choco's SOC 2 compliance covers three Trust Services Criteria: Security, Availability, and Confidentiality — independently verified by a third-party auditor.

#### SOC 2 Compliance Report

Covers the Security, Availability, and Confidentiality criteria, with an independent auditor opinion and management assertions.

#### GDPR Compliance

Lawful basis, data minimization, purpose limitation, and data subject rights — including deletion — are embedded into our operational practices. Standard Contractual Clauses (SCCs) or similar transfer mechanisms are in place for data transfers to processors based outside the EU.

#### Annual Policy Reviews

The Information Security Policy is reviewed annually and updated to reflect changes in technology and risk. All employees formally acknowledge the security policies.

#### Contractual Commitments

Security, confidentiality, and data protection obligations are documented in Choco's Master Service Agreement (MSA), Terms of Service, and Data Processing Agreement (DPA).

 ### Data protection

## How we protect your data

Choco does not sell customer data. We implement technical and organizational measures to protect customer personal and business data at every stage of its lifecycle.

#### Data Hosting & Location

All customer data is hosted on Amazon Web Services (AWS). Data does not leave approved regions without explicit authorization and appropriate safeguards.

#### Data Minimization

We only collect and process what is necessary to operate your platform. Purpose limitation and minimization govern every decision about what data we handle.

#### Retention & Deletion

Data is retained only as long as necessary for defined business purposes. Deletions are handled through a verified, documented process to prevent unintended data loss.

### Infrastructure & Hosting

## Enterprise-grade infrastructure on AWS.

Choco's production systems run on Amazon Web Services within private, restricted environments designed for reliability, isolation, and security.

#### AWS

All production infrastructure runs on AWS, satisfying GDPR data residency requirements.

#### Private VPC Environments

All production infrastructure runs within private, VPC-restricted environments. Network access is controlled via security groups and is not exposed to the public internet.

#### Code Review & Deployment Controls

All code and infrastructure changes go through a mandatory peer review process before deployment. Changes are deployed via automated pipelines, reducing the risk of manual error.

#### Automated Vulnerability Scanning

Automated scanning tools check for known vulnerabilities in dependencies and infrastructure as part of every deployment, before changes reach production.

## Access is earned, not assumed.

Choco uses Okta as its centralized identity provider, with MFA enforced and least-privilege access as the default across every system.

#### Okta Identity Provider

Access to all internal systems and applications is managed through Okta, providing centralized identity control and a single governance layer across the organization.

#### MFA Enforced, No Exceptions

Multi-factor authentication is required for all employees and all administrative access. There are no bypass paths or exemptions.

#### Role-Based Access Control

Access is granted on a least-privilege basis tied strictly to job responsibilities. Critical systems undergo quarterly access reviews to ensure permissions remain appropriate.

#### Access Revoked on Departure

When an employee leaves Choco, all access to internal systems and production environments is revoked immediately. Privileged access activity is logged for auditability.

## Application Security

#### Peer Code Review

Every code and infrastructure change is reviewed by at least one other engineer before deployment.

#### Automated Vulnerability Scanning

Dependencies and infrastructure are scanned automatically on every deployment to detect known vulnerabilities before they reach production.

#### Separate Environments

Test and production environments are fully isolated. Production customer data is never used in testing.

#### Annual Penetration Testing

Third-party penetration tests of the production environment are conducted at least annually. Findings are tracked and remediated within defined timelines.

#### Continuous Monitoring

Infrastructure and applications are monitored continuously for known vulnerabilities and suspicious activity.

## Monitoring

#### 24/7 Monitoring

Infrastructure and applications are monitored around the clock, with alerts routed to an on-call team that follows defined response procedures.

#### Centralized Logging

Application and infrastructure logs are collected centrally and monitored for operational visibility and security investigations.

#### Formal Incident Response Plan

A documented plan defines roles, responsibilities, and step-by-step procedures for identifying and resolving security incidents.

#### Customer Notification Commitment

In the event of a confirmed incident affecting customer data, Choco will notify affected customers without undue delay, in line with contractual and regulatory obligations.

#### Post-Incident Review

Every significant incident is followed by a structured review. Root causes are documented and process improvements are actioned.

 ### Legal and documentation

## Everything in writing

All security, data protection, and service obligations are documented in Choco's legal agreements.

#### Master Service Agreement

Our MSA covers service terms, responsibilities, and commitments — including software and service descriptions.

[View MSA](https://legal.choco.com/uspremium#saas)

#### Data Processing Agreement

Our DPA sets out how Choco processes personal data on your behalf, including sub-processor obligations and technical and organizational security measures.

[View DPA](https://legal.choco.com/uspremium#dpaatlantic)

#### Privacy Policy and More

Access our full legal library, including Terms of Service, Privacy Policy, and Software Descriptions.

[View Privacy Policy](https://legal.choco.com/lc)

## Ready to see how Choco protects your operations?

Whether you are a regional distributor or a national manufacturer, our team can walk you through every control and answer your compliance questions directly.

[Visit Trust Center](https://trust.choco.com/)

## Found a vulnerability? Tell us.

We take every security report seriously. If you have identified a potential issue in Choco's platform or infrastructure, reach out to our security team directly. We will acknowledge, investigate, and respond promptly.

Contact: security@choco.com

[Learn More](https://legal.choco.com/security#vulnerability-disclosure)
