Privacy Policy for Cozy - Cloud personnel
Cozy - Cloud personnel by Cozy Cloud
Short version: Security and privacy by design as a matter of course
Cozy Pass is a French, open source password manager used for storing all your login credentials, payment cards and identities.
Cozy Pass is an application of the Cozy Service that helps users to get their data back from online services into their own Personal Cloud.
- Cozy Pass applies by default end-to-end encryption to all user data (passwords, identities, payment cards). It means user data is never transmitted in clear text to the Cozy server, which therefore knows nothing about it.
- When installing Cozy Pass, an encryption key is created, called the master key, which is never stored. This key is used to encrypt another key called the vault key. For each user password / identity / payment card, a dedicated encryption key is generated to encrypt the data. Then, the encryption key is itself encrypted by the vault key and securely sent to the Cozy server, which therefore knows nothing about it, nor the user data.
- Cozy Pass encrypts all stored data. Moreover, it is important to note that none of this data is transmitted to any third-party providers whatsoever.
- By default, all user data is end-to-end encrypted in such a way that even the Cozy server cannot decrypt it. The only exception is when credentials are used by a connector (a program that retrieves data from an online service), for which a special encryption is set up. The credentials (and only those) must be decryptable without any action from the user, so that data can be retrieved automatically from your online services any time the user wants.
- The connectors are executed in an isolated and secure environment, which is the only one with the rights to decrypt the connectors' credentials.
- The master key is generated from the main user password. Neither the user password nor the master key is stored anywhere. Therefore, the user is the only one able to access and manage his/her passwords and all his/her other data.
- Our code is open source and we are transparent about the fact we forked another project, Bitwarden.
- All our servers are located in France, under the French law and EU regulation.
Long version - 1.0 version
COZY CLOUD may change our Privacy Statement from time to time. Here is the 1.0 version, an extended version with more details of the Cozy Service and COZY CLOUD.
Preamble
In this version 1.0 of Privacy Statement, COZY CLOUD is the company that operates the Cozy Service including the Cozy Pass, password manager. COZY CLOUD's mission is to ensure you can control your personal data and how this data is used by third parties. The Cozy Service allows you to exercise your right to personal data portability/recovery (Art.20 GDPR and Art.L.224-42-1 Consumer Code).
The Cozy Service includes access to the Cozy personal cloud platform as well as several apps available on the Cozy marketplace; some apps have been developed by COZY CLOUD and are included as standard: Cozy Drive, Cozy Photos, Cozy Settings, Cozy Banks, Cozy Contacts, Cozy Store, Cozy Notes and Cozy Pass.
As COZY CLOUD is a French company that provides its services thanks to servers located in France, French law applies!
Our core values
The Cozy Service has been developed on the basis of clear values and a vision for digital technology. Use of the Cozy Service therefore promotes this unique vision:
(i) respect for privacy is at the heart of our approach and Service. Retaining control of your private life is therefore the only way you can guarantee a balance between your various digital services and the service we offer;
(ii) we are committed to transparency for our Software as well as your use of "private" personal data via the Cozy Service;
(iii) we value the open source nature of the Cozy Software/Stack, which is essential
· to trust ("You will stay because you can leave");
· to security (no black box, users can verify and publicly comment);
· and to service ecosystem development ("hackability");
(iv) we aim to provide the best possible service, both in terms of ease of use and security; our goal is to prevent intrusions into your Cozy Server and any unauthorized use (without your prior consent) of your "private" personal data.
Definition of the Cozy service
Cozy is a "personal cloud" that stores your "private" data
1. ANY data that you use on your Cozy Server is your personal data. For COZY CLOUD, this is your "private" data. To check all GDPR provisions applicable to your "private" data stored in your Cozy Server, see the "Private" personal data protection policy for Cozy Service users.
2. You are the only person with access to your "private" data; this data is not shared with any other service provider unless you give explicit (clear) prior consent to this service provider. And even after you've given your consent, you can change your mind at any time and ask that your "private" data no longer be used by this service provider.
3. You can store, sync and share any "private" data that you like. From the Cozy marketplace, you can install apps that, thanks to the Cozy Software (also called "Cozy Stack"), allow you to visualize, use and cross-reference your "private" data at your discretion.
Your "private" personal data belongs to you. Really.
1. You alone own your Cozy Service "private" personal data and any automatic COZY CLOUD back-ups. This is really your "private" data, as you're acting in the context of purely personal or household activity (GDPR Art. 3).
2. Any use of your "private" data by a third party requires your explicit prior consent. You are free to delete, modify, copy and share your "private" data using the Cozy Service for as long as you like.
You decide who uses your "private" data, as well as when and how.
1. Permissions: The apps you install can only access your "private" data by asking permission to access that data. You can either grant or refuse permission.
2. Type of access: the Cozy platform distinguishes between:
(i) "local" access to your "private" data (access to "private" data via an app installed on your Cozy, including data managed by other apps also installed on your Cozy)
(ii) access allowing information to be transmitted "outside" your Cozy. According to licencing conditions that you must accept, an app publisher agrees to externally transmit only "private" data for which the publisher has obtained your permission to transmit "externally".
3. Access verification for transmission
Even if it only plays a minor role, local data access is of course ensured by the Cozy Stack. For example, it's not really a question of whether an app (available on the marketplace that you decided to install on your Cozy) accesses your "private" contact data, but rather whether you can control "external" transmissions of your "private" data. The Cozy Service is therefore designed to allow you to distinguish between these 2 types of access, and independently control "local" access and "external" "private" data transmissions. Third party apps are verified by members of the COZY CLOUD community; COZY CLOUD is committed to helping all Cozy users identify malicious apps.
Our aim: what should stay in your Cozy stays in your Cozy
What information the Cozy Service collects and why
We only collect the information you choose to give us, and we process it with your consent, or on another legal basis; we only require the minimum amount of personal information that is necessary to fulfill the purpose of your interaction with us; we don't sell it to third parties; and we only use it as this Privacy Statement describes.
Information from users with a Cozy account
If you create an account, we require some basic information at the time of account creation. You will create your own password, and we will ask you for a valid email address. You also have the option to give us more information if you want to, and this may include "User Personal Information."
"User Personal Information" is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as an email address and a real name are examples of "User Personal Information." User Personal Information includes Personal Data as defined in the General Data Protection Regulation.
User Personal Information does not include aggregated, non-personally identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.
Why we collect this
We need your User Personal Information to create your account, and to provide the services you request, including to provide the Cozy service, or to respond to support requests.
We use your User Personal Information, specifically your email address, to identify you on the Cozy server.
We will use your email address to communicate with you (support, dedicated notifications for providing a service).
We use your User Personal Information for internal purposes, such as to maintain logs for security reasons, for training purposes, and for legal documentation.
We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first.
Cozy applications
Cozy Pass is one of the applications that you can use from the Cozy Service, alongside our Cozy Drive Desktop or Mobile app, Cozy Banks, Cozy Notes, Cozy Store and Cozy Contacts. All Cozy applications are subject to this Privacy Statement, and we will always collect the minimum amount of User Personal Information necessary, and use it only for the purpose for which you have given it to us.
How you can access and control the information we collect
If you're already a Cozy user, you may access, update, alter, or delete your basic user profile information by editing your user profile in the settings of the Cozy service.
Data retention and deletion
Generally, the Cozy service will retain User Personal Information for as long as your account is active or as needed to provide you services.
We may retain certain User Personal Information indefinitely, unless you delete it or request its deletion. For example, we don't automatically delete inactive user accounts, so unless you choose to delete your account, we will retain your account information indefinitely.
If you would like to cancel your account or delete your User Personal Information, you may do so in your web vault settings. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 30 days.
Tracking and analytics
We do not track users. We do not use analytics in Cozy Pass.
Data disclosure
When Cozy Pass is installed, the extension injects a script into all tabs in the browser in order to add an event listener. A web application can use this listener to learn from Cozy Pass whether its installation succeeded.
This is used by the Cozy-Passwords web application to help the user during the onboarding. More details on this page: https://github.com/cozy/cozy-keys-browser/blob/master/docs/extension-status.md
How COZY CLOUD secures your information
COZY CLOUD takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.
How does it work?
In your Cozy server, Cozy Pass, the password manager, is used for storing all your login credentials, payment cards and identities.
When the Cozy password is created, an encryption key is derived from it by a sequence of mathematical operations. We call it the master key, and it is never stored. It is important to note that the password is never transmitted in clear text to the Cozy server, which therefore never knows this key.
Another key, called the vault key, is randomly generated and encrypted with the master key. The vault key remains stored encrypted in the database and will be used to encrypt all future keys. Again, the Cozy server never has access to it in clear text.
And what happens for the user?
1. When the user logs in to his password manager, the master key is recomputed from the Cozy password and the vault key is decrypted.
2. If the user adds a new login credential (username and password), it is immediately encrypted with the vault key.
3. The new encrypted credential is sent to the server that will store it, without having any way of knowing its content.
4. Each item managed by the password manager (login, credit card, identity) is thus retrieved from the Cozy server and decrypted in the application with the vault key.
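The key hierarchy in steps 1 to 4 above, as an added example for Node.js that is not Cozy Pass's own code. The page does not name its algorithms, so PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, all function names and the sample values are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumptions, not from the page: PBKDF2-HMAC-SHA256 as the password
// derivation and AES-256-GCM as the cipher. All names are hypothetical.
const KDF_ITERATIONS = 600000;

// The master key is recomputed from the password at each unlock, never stored.
function deriveMasterKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt under a fresh 96-bit nonce; the result is all the server ever holds.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws when the key is wrong or the blob was altered (GCM tag mismatch).
function unseal(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Account creation: a random vault key, kept only wrapped by the master key.
function createAccount(password) {
  const salt = nodeCrypto.randomBytes(16);
  const vaultKey = nodeCrypto.randomBytes(32);
  return { salt, wrappedVaultKey: seal(deriveMasterKey(password, salt), vaultKey) };
}

// Step 1: re-derive the master key and unwrap the vault key.
function unlock(password, record) {
  return unseal(deriveMasterKey(password, record.salt), record.wrappedVaultKey);
}

// Steps 2-4 on constructed sample data, plus the wrong-password case.
function demo() {
  const password = 'correct horse battery staple';
  const serverRecord = createAccount(password);
  const stored = seal(unlock(password, serverRecord), Buffer.from('alice:hunter2'));
  const readBack = unseal(unlock(password, serverRecord), stored).toString();
  let wrongPasswordRejected = false;
  try { unlock('not the password', serverRecord); } catch { wrongPasswordRejected = true; }
  return { readBack, wrongPasswordRejected, plaintextVisible: stored.ct.includes('hunter2') };
}
```

Everything in `serverRecord` and `stored` is ciphertext, a salt or a nonce, so a server holding only those values cannot recover the vault key or the credential without the password.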
COZY CLOUD is adopting measures to guarantee that the data stored in your Cozy remains secure.
(i) A decentralized structure differs from the current economic model introduced by Facebook and Co.
The current centralization of data in silos owned by the major industry players is a catastrophe in terms of security, especially when these silos are advertising powerhouses whose economic model is based on selling their users' attention. This model is also highly conducive to digital piracy. Although our data is incredibly valuable to each of us, individually it has little value for an attacker who is interested in securing mass data in the event of a successful security breach. Decentralization breaks the current model, thereby increasing the cost of cyber attacks and reducing their likelihood.
(ii) Source code needs to be audited by experts
The Cozy service uses open source code, which can be audited at any time by trusted experts in order to ensure that it's free from any unintentional or hidden flaws. There is no possible black box effect.
(iii) The user is king.
Because the focus is on the user, users gain the ability to choose who hosts their data (even self-hosting, if technically capable) and can leave at any time. "You will stay because you can leave" has been Cozy's promise from the outset.
(iv) Transparency and access to data used by apps
Each Cozy app shows what data is used; this is not limited to permissions, contrary to smartphones which only control access to data.
(v) Applying "state of the art" technical standards
- Encryption for storage
- Server role isolation
- Applications separated from each other
- Two-factor authentication
- Hosting in France
How we communicate with you
We will use your email address to communicate with you. For example, if you contact our support team with a request, we will respond to you via email.
Changes to our Privacy Statement
COZY CLOUD may change our Privacy Statement from time to time. Here is the 1.0 version.
Contacting Cozy Cloud
If you have questions regarding COZY CLOUD Privacy Statement or information practices, please feel free to contact us.
The Cozy Service is provided by COZY CLOUD SAS, whose registered office is located at 158 rue de Verdun 92800 Puteaux, and whose professional identification number is 789 037 678 RCS Nanterre.