Rocoto manages application security for fast-moving software teams. It starts with autonomous pentesting, then expands into always-on security agents that find, validate, prioritize, and help fix risk across code, runtime, cloud, and integrations.

What does Rocoto test?

Rocoto tests source code, exposed runtime surfaces, target authentication, API behavior, tool use, prompt injection paths, data exposure, and multi-step business logic abuse.

Can Rocoto test private repositories?

Yes. Rocoto supports GitHub App based repository import so teams can grant scoped access to selected repositories without sharing broad personal access tokens.

How is Rocoto different from traditional application security testing?

Traditional tools are good at known patterns and point-in-time checks. Rocoto uses the pentest as the wedge into a broader operating model where security agents keep validating behavior, evidence, and remediation over time.

Privacy Policy

Name: Rocoto - Frictionless Application Security for AI Software Teams
Author: Rocoto

How we collect, use, and protect your data

This Privacy Policy explains how Artoo Corporation ("artoo," "we," "us") processes personal information in connection with Rocoto, our application security platform for AI software teams, and our websites.

Our Products

Rocoto is an autonomous penetration testing platform for AI agent systems. Rocoto performs white-box security assessments that involve source code analysis, threat modeling, and adaptive attack execution across multiple channels (HTTP, email, SMS, voice, WebSocket). Rocoto processes customer source code, generates attack payloads, and produces security findings and reports.

Information We Collect

Information You Provide

Account details (name, email, company), authentication and profile data, billing/payment info (for paid tiers), and support communications.

Rocoto Engagement Data

When you engage Rocoto for a security assessment, we process:

Source code and repositories that you provide for analysis (via Git URL or direct upload). Source code is used solely for the contracted security assessment and is not retained beyond the engagement period unless otherwise agreed.
Recon artifacts derived from your source code: AST extractions, call graphs, taint analysis paths, framework detection, system prompt identification, tool schemas, guardrail configurations, and data flow maps.
Threat models and attack plans generated by analyzing your agent's architecture, business logic, and trust boundaries.
Attack execution data: payloads crafted and sent to your AI systems, request/response transcripts, conversation logs, tracking identifiers, and timing data — across all contracted channels (HTTP, email, SMS, voice, WebSocket).
Security findings and verdicts: vulnerability assessments, evidence, judge evaluations, crown jewels impact analysis, and generated reports.
Target configuration you provide: endpoints, authentication credentials, email addresses, phone numbers, webhook URLs, and channel-specific settings.

Automatically Collected

Device/usage data (IP address, user agent, referring URL), cookie/SDK events, and service performance telemetry. See Cookies & Similar Technologies.

From Third Parties

Payment processors (payment status, limited billing metadata), email service providers (deliverability events), and hosting/infrastructure providers (security/availability logs).

How We Use Information (Purposes & Legal Bases)

Provide and operate Rocoto; create and manage accounts. (GDPR Art. 6(1)(b))
Perform contracted security assessments, including source code analysis, threat modeling, and attack execution against your AI systems. (6(1)(b))
Generate security findings, verdicts, and reports for your review. (6(1)(b))
Secure, monitor, and troubleshoot the services; prevent fraud/abuse; enforce policies and scope constraints. (6(1)(f))
Billing and account administration; collect payments; send transactional emails. (6(1)(b))
Communicate about product updates; market with consent where required. (6(1)(a),(f))
Anonymize/aggregate telemetry to improve Rocoto and our documentation. (6(1)(f))

We do not use customer source code or security assessment data to build profiles for unrelated third-party advertising. Customer source code is not used to train machine learning models.

We may use de-identified patterns derived from security assessments — such as architectural patterns, vulnerability categories, code structure patterns, dataflow topologies, and attack technique effectiveness — to improve our detection capabilities and develop predictive models. While these patterns may reflect structural characteristics of your codebase (such as framework usage and dataflow topology), we strip customer-identifying information — including proprietary names, literal strings, and business logic — before any such use. You may opt out by notifying us at privacy@artoo.love.

Multi-Channel Communications (Rocoto)

During a contracted security assessment, Rocoto may send communications to your AI systems through multiple channels as defined in the engagement scope:

SMS messages — sent via Telnyx to phone numbers you designate as part of the engagement scope. No SMS messages are sent without a signed engagement agreement. See our SMS Consent page.
Email messages — sent via Resend to email addresses you designate. Resend also processes inbound email via webhooks, allowing Rocoto to correlate replies from target AI systems with the original attack payloads using tracking identifiers.
Voice calls — initiated via VAPI to phone numbers you designate.
HTTP requests — sent to API endpoints you designate.
WebSocket messages — sent to WebSocket endpoints you designate.

All communications are scoped to targets explicitly authorized in the engagement agreement. Rocoto enforces scope constraints including target pinning, method allowlists, rate limits, and budget controls. Communications are logged as part of the engagement record.

LLM Processing

Rocoto uses third-party large language model (LLM) providers to deliver the service:

Rocoto uses LLMs extensively for source code analysis (recon), threat modeling, attack payload generation, bypass strategy development, and vulnerability verdict assessment. Excerpts from your source code and engagement data are sent to LLM providers as part of this processing.

We use LLM providers that offer data processing agreements and do not use customer inputs for model training. Current LLM providers are listed on our Subprocessors page.

Roles of the Parties (Controller vs. Processor)

For Rocoto as used by your organization, artoo generally acts as a processor of Customer Data under your instructions (including your engagement agreement for Rocoto).
For our marketing website, accounts, and billing, artoo acts as a controller.

Data Retention

We retain personal data for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention practices:

Account data: retained for the duration of the account relationship plus any legally required period.
Rocoto source code: cloned source repositories are stored in ephemeral environments during assessment and cleaned up upon engagement completion. Source code is not retained beyond the engagement period unless a separate written agreement provides otherwise.
Rocoto engagement data (findings, reports, attack logs): retained for the period specified in your engagement agreement, or for a default period necessary to provide report access and support.
LLM interaction logs: retained for quality assurance and debugging during the engagement period. Optional observability data (via Langfuse) follows the same retention as engagement data.

International Transfers

If personal data is transferred outside your region, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and additional measures. You may request a copy at privacy@artoo.love.

Data Location

Customer Materials and personal data may be processed in locations where we or our subprocessors operate. We take appropriate measures for cross-border transfers as required by law.

Your Rights

EEA/UK/Swiss residents: access, correct, delete, restrict, object, portability; lodge a complaint with your supervisory authority.

U.S. state privacy laws (e.g., CA/CO/CT/VA/UT):access, delete, correct, portability, and the right to opt-out of certain processing like "sale," "sharing," or targeted advertising (as defined by law).

At this time, artoo does not sell personal information and does not share it for cross-context behavioral advertising. If this changes, we will update this Policy and provide an opt-out mechanism.

Submit a request: visit /legal/dsr or email privacy@artoo.love.

Data Subject Requests (Scope & Limits)

We may request information to verify identity before responding and may deny or charge a reasonable fee for requests that are excessive, repetitive, or manifestly unfounded, as permitted by law.

Subprocessors & Hosting

We use carefully vetted subprocessors to help us provide Rocoto. Current list: /legal/subprocessors.

Security

We implement organizational and technical measures appropriate to the risk, including:

Encryption in transit and at rest.
Least-privilege access controls and bearer token / JWT authentication.
Scope enforcement for Rocoto engagements: target pinning, method allowlists, rate limiting, budget controls, and approval gates before attack execution.
Audit logging of all security-relevant actions (authorization events, payload delivery, scope violations).
Ephemeral storage of customer source code with automated cleanup.
Change management, vulnerability management, and incident response procedures.

If we become aware of a security incident affecting your data, we will notify you as legally required and where appropriate under the circumstances.

Cookies & Similar Technologies

We use:

Strictly necessary cookies for core functionality and security.
Analytics cookies to understand product usage in aggregate.
Functional cookies to remember preferences.

Manage preferences via the Cookie Settingslink. "Do Not Track" signals may not be honored by all components due to ecosystem limitations.

Changes

We will post updates here and adjust the "Last Updated" date. For material changes, we will provide additional notice (e.g., email or in-product message).

Contact

Artoo Corporation — Attn: Privacy
privacy@artoo.love