This page is the central reference for Cogneris customers and prospects evaluating our data protection posture. It links to our binding contractual commitments (the Data Processing Addendum) and discloses the sub-processors we engage to deliver the Service. Read this page alongside our Privacy Policy, Security page, and Trust Center documentation for the full picture.
1. Data Processing Addendum (DPA)
When Cogneris processes personal data on a customer's behalf in connection with the Service, it does so as a processor (as defined in GDPR Art. 4(8)) on the customer's documented instructions. Our DPA is incorporated by reference into our Terms of Service and applies automatically to every customer that processes personal data through the Service. A counter-signed copy is available on request to legal@cogneris.ai.
1.1 What the DPA covers (summary)
The summary below is provided for convenience. The full DPA controls in case of conflict.
1.2 International transfers and Transfer Impact Assessment
Cogneris relies on the European Commission's Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 of 4 June 2021 for transfers of personal data from the EEA to third countries that are not covered by an adequacy decision, applying:
- Module Two (controller-to-processor) when the customer is a controller and engages Cogneris as processor;
- Module Three (processor-to-processor) when the customer is a processor and Cogneris acts as a sub-processor.
For UK personal data, Cogneris applies the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022). For Swiss personal data, the SCCs are read with the adaptations required by the Swiss FDPIC.
Cogneris performs and documents a Transfer Impact Assessment for every destination country that is not covered by an adequacy decision, applying the EDPB Recommendations 01/2020 methodology. The current TIA covers transfers to the United States and concludes that the combination of the SCCs, our supplementary measures (see below), and the practical likelihood of access for the data categories in scope brings the level of protection up to a standard essentially equivalent to EU law. The TIA is reviewed at least annually and on triggering events (e.g., new sub-processor, material change in the destination country's legal regime, or a government access request). A summary of the TIA is available under NDA on request to legal@cogneris.ai.
Supplementary measures applied to all in-scope transfers:
- Technical: TLS 1.3 in transit; AES-256-GCM at rest with EU-held per-tenant keys in Google Cloud KMS; pseudonymization of identifiers at the API edge where feasible; minimal-scope payloads (only the chunks needed for the specific task are transmitted to LLM providers); customer-managed encryption keys (CMEK) on Enterprise plans; production network egress restricted to an inventory of approved sub-processor endpoints.
- Organizational: written government-access policy requiring legal review of any disclosure request; sub-processor due diligence and annual recertification; mandatory privacy and security training; incident response playbook with defined customer notification.
- Contractual: EU SCCs with all sub-processors; onward-transfer restrictions; sub-processor obligation to notify Cogneris of any government access request affecting Customer Data (where legally permitted) and to use lawful means to challenge disproportionate requests; audit and termination rights.
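The two technical measures that most directly limit what an LLM provider can see, keyed pseudonymization at the API edge and minimal-scope payloads, are easier to evaluate with a concrete gate in front of you. The example below is an added illustration, not Cogneris's edge code: the per-tenant key is a constructed constant standing in for a KMS-held key, the identifier regexes, token format, chunk selection and sample document chunks are all assumptions, and the provider call itself is omitted. It pseudonymizes identifiers with an HMAC keyed per tenant (so the same identifier maps to the same token within a tenant and to a different token for another tenant), sends only the chunks the task needs, refuses to egress anything that still matches an identifier pattern, and re-identifies the provider's answer locally.

```python
"""Edge pseudonymization + minimal-scope payload before an outbound LLM call.

Added illustration only (not Cogneris code). TENANT_KEY, the regexes, the
token format, the sample chunks and the task routing are constructed
assumptions; a real deployment would fetch the key from an EU-held KMS.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Assumption: stands in for a per-tenant key held in an EU KMS.
TENANT_KEY = bytes.fromhex(
    "4f2a9c1e7b3d6a0c5e8f1b2d4a6c8e0f1a3b5c7d9e0f2a4b6c8d0e1f3a5b7c9d"
)

# Identifier classes the edge strips before egress (constructed patterns).
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
}
TOKEN_RE = re.compile(r"<<PII:[a-z_]+:[0-9a-f]{16}>>")

# Constructed document chunks for one tenant.
DOCUMENT_CHUNKS = {
    "c1": "Invoice 2024-117 issued to CUST-004521, contact jane.doe@example.com.",
    "c2": "Payment to IBAN DE89370400440532013000 is due within 30 days of issue.",
    "c3": "Internal note: escalate to compliance if the amount exceeds 10,000 EUR.",
}
# Assumption: which chunks each task actually needs (minimal scope).
TASK_SCOPE = {"extract_due_date": ["c1", "c2"]}


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Deterministic keyed token. Without the key and the local mapping the
    provider cannot invert it; a different tenant key yields a different token."""
    mac = hmac.new(key, f"{kind}\x00{value}".encode(), hashlib.sha256)
    return f"<<PII:{kind}:{mac.hexdigest()[:16]}>>"


def pseudonymize(text: str, key: bytes) -> tuple[str, dict[str, str]]:
    """Replace every matched identifier with its token; return the text and
    the token -> original mapping, which stays on the EU side."""
    mapping: dict[str, str] = {}

    def make_repl(kind: str):
        def repl(m: re.Match) -> str:
            token = pseudonym(kind, m.group(0), key)
            mapping[token] = m.group(0)
            return token
        return repl

    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(make_repl(kind), text)
    return text, mapping


def build_provider_payload(task: str, chunks: dict[str, str], key: bytes):
    """Minimal-scope payload: only the chunks the task needs, pseudonymized."""
    mapping: dict[str, str] = {}
    selected = []
    for cid in TASK_SCOPE[task]:
        text, m = pseudonymize(chunks[cid], key)
        mapping.update(m)
        selected.append({"chunk_id": cid, "text": text})
    return {"task": task, "chunks": selected}, mapping


def egress_check(payload: dict) -> list[str]:
    """Pre-send gate: list any raw identifier that survived pseudonymization.
    An empty list is the only result under which the payload may leave."""
    leaks = []
    for chunk in payload["chunks"]:
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            for m in pattern.finditer(chunk["text"]):
                leaks.append(f"{chunk['chunk_id']}:{kind}:{m.group(0)}")
    return leaks


def reidentify(provider_text: str, mapping: dict[str, str]) -> str:
    """Restore original values in the provider's response, locally only."""
    return TOKEN_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), provider_text)


def run_task(task: str = "extract_due_date") -> dict:
    """End-to-end: build payload, gate it, simulate a provider echo, re-identify."""
    payload, mapping = build_provider_payload(task, DOCUMENT_CHUNKS, TENANT_KEY)
    leaks = egress_check(payload)
    if leaks:
        raise RuntimeError(f"egress blocked, raw identifiers present: {leaks}")
    # Constructed stand-in for the provider's answer: it quotes a token back.
    provider_answer = "Due 30 days after issue; payee " + payload["chunks"][1]["text"].split()[3]
    return {
        "payload": payload,
        "mapping_size": len(mapping),
        "answer": reidentify(provider_answer, mapping),
    }


if __name__ == "__main__":
    print(run_task())
```

The mapping never leaves the process that built it, which is what makes the token a pseudonym rather than an encrypted identifier. The egress gate is deliberately the same pattern set as the substitution step, so any identifier class added to one is added to the other.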
1.3 Breach notification to customers
Where Cogneris becomes aware of a confirmed personal data breach affecting Customer Data (Art. 4(12) GDPR), Cogneris will notify affected customers without undue delay and within 48 hours of confirmation, providing, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and the contact point for follow-up. Subsequent updates are issued as more information becomes available. This commitment is designed to enable the customer (as controller) to meet its own 72-hour notification obligation under Art. 33 GDPR. Notifications are sent to the security contact designated on the customer's account and, on request, PGP-encrypted to a customer-supplied address using the customer's public key.
1.4 California Consumer Privacy Act — service provider terms
Where Cogneris processes personal information of California residents on behalf of a customer that is a "business" under the CCPA/CPRA, Cogneris acts as a "service provider" as defined in Cal. Civ. Code §1798.140(ag). The DPA includes the service-provider contract terms required by §1798.140(ag)(1) and §1798.100(d), namely:
- Cogneris is prohibited from selling or sharing personal information (as those terms are defined in the CCPA/CPRA);
- Cogneris is prohibited from retaining, using, or disclosing the personal information for any purpose other than the specific business purpose set out in the agreement (the provision of the Service), including a prohibition on retaining, using, or disclosing the personal information outside of the direct business relationship between Cogneris and the customer;
- Cogneris is prohibited from combining personal information received from one business with personal information received from any other source, except as permitted under §1798.140(ag)(1)(D);
- Cogneris agrees to comply with applicable obligations under the CCPA/CPRA and to provide the same level of privacy protection as required of businesses by the CCPA/CPRA;
- the customer has the right to take reasonable and appropriate steps to ensure that Cogneris uses the personal information transferred in a manner consistent with the customer's obligations under the CCPA/CPRA;
- Cogneris will notify the customer if it determines it can no longer meet its obligations under the CCPA/CPRA;
- the customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information;
- on termination, Cogneris will delete or return all personal information processed on the customer's behalf in accordance with the DPA and the applicable Order Form, and require the same of its sub-processors.
Cogneris does not engage in cross-context behavioral advertising and does not "share" personal information for that purpose. The same restrictions are mirrored in our contracts with sub-processors that process Customer Data.
2. Sub-processors
Cogneris engages third-party sub-processors to deliver, secure, and support the Service. Each sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those in our DPA, and each is assessed before onboarding for security, privacy, and reliability.
This public disclosure is generated from the internal compliance registry. Registry last updated: 14 May 2026.
2.1 Notification of changes
Cogneris will provide at least 30 days' prior notice before adding or replacing a sub-processor that processes Customer Data. Notice is delivered by email to the account's primary admin and by update to this page. Customers may object on reasonable data protection grounds during the notice period; if the parties cannot resolve the objection, the customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of unused, prepaid fees. Subscribe to sub-processor change notifications by emailing legal@cogneris.ai.
2.2 Infrastructure and platform sub-processors
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform (Google LLC / Google Ireland Ltd.) | Cloud hosting, Cloud Run, Cloud SQL, GCS object storage, KMS, Secret Manager | EU primary, US fallback or administrative processing where configured | EU SCCs / Google Cloud DPA |
| Cloudflare (Cloudflare, Inc.) | CDN, Edge security, Traffic routing | Global | EU SCCs and Cloudflare DPA |
2.3 AI model sub-processors
Cogneris orchestrates specialist agents that may invoke third-party large language models. Customer Data sent to these providers is covered by contractual terms that prohibit the provider from using it to train or improve models. Customers can configure model selection per tenant, including no-LLM workflows, and Enterprise customers can request model allow-lists.
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Google Cloud Vertex AI (Google LLC / Google Ireland Ltd.) | AI inference, Document extraction, Classification | EU or US depending on tenant/provider configuration | EU SCCs / Google Cloud DPA |
| OpenAI (OpenAI, L.L.C.) | AI inference, Document extraction, Document Q&A | US | EU SCCs and OpenAI DPA |
| Anthropic (Anthropic, PBC) | AI inference, Document Q&A, Agentic workflows | US | EU SCCs and Anthropic DPA |
2.4 Operational sub-processors
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Stripe (Stripe, Inc.) | Payment processing, Billing, Invoices | US | EU SCCs and Stripe DPA |
| Twilio SendGrid (Twilio SendGrid, Inc. / Twilio Inc.) | Transactional email, Email notifications | US | EU SCCs and Twilio DPA |
| Twilio (Twilio Inc.) | SMS, WhatsApp, MFA and notifications | US | EU SCCs and Twilio DPA |
| Intercom (Intercom, Inc.) | Support messaging, Customer communication | US | EU SCCs and Intercom DPA |
| Sentry (Functional Software, Inc.) | Error monitoring, Exception diagnostics | US | EU SCCs and Sentry DPA |
Affiliates of the entities above that perform sub-processing on the same terms are deemed authorized sub-processors and do not require separate notice. Where a sub-processor entry shows multiple processing locations, the actual location depends on the customer's selected region and the routing of the specific request.
3. Customer-controlled data residency
Document storage and primary processing run in the EU region by default. Customers can request a US-region deployment at the time of onboarding. Enterprise customers can request additional residency options (e.g. UK, Canada, Brazil) subject to a scoping conversation. Selecting a residency option restricts the storage and primary processing location, but routine sub-processor calls (for example, Stripe billing, email delivery, error monitoring) may still occur in the sub-processor's standard region.
4. Security measures (Annex II to the DPA)
Cogneris maintains a written information security program. The technical and organizational measures we apply are described in detail on our Security page and form Annex II to our DPA. They include, at a minimum:
- encryption in transit (TLS 1.3) and at rest (AES-256-GCM) with per-tenant keys managed in Google Cloud KMS;
- strict tenant isolation at the database layer; optional dedicated infrastructure for Enterprise;
- role-based access control with mandatory MFA for all employee accounts and dual-approval, time-bound production access;
- immutable audit logging of every extraction, review, and export, including model and prompt metadata;
- vulnerability management, dependency scanning, and quarterly penetration testing;
- documented incident response plan with defined breach notification commitments;
- employee security training, background checks where permitted, and confidentiality undertakings.
5. Data subject requests
Where Cogneris processes personal data as a processor, it will assist the customer (the controller) in responding to data subject requests within applicable statutory deadlines. Data subjects who interact directly with Cogneris's website and marketing are covered by the rights described in our Privacy Policy. Data subjects whose data was uploaded to the Service by a Cogneris customer should submit requests to that customer in the first instance.
6. How to request the DPA
A pre-executed DPA, including the SCCs, is available on request. Email legal@cogneris.ai with your legal entity name, the entity name of the Cogneris contracting party (if known), and any specific schedules you require (e.g. UK Addendum, Swiss adaptations, customer-specific Annex II).
7. AI transparency (EU AI Act Article 50)
The Cogneris Service uses AI to classify documents, extract structured fields, answer questions about document content, and generate advisory fraud-risk signals. This section sets out how Cogneris meets the transparency obligations of Article 50 of Regulation (EU) 2024/1689 (the "EU AI Act") for the relevant parts of the Service.
7.1 Direct interaction with an AI system (Art. 50(1))
Where a natural person interacts directly with the Service in a way that involves an AI system (for example, the Document Q&A feature), the Cogneris user interface and API responses make clear that the response is produced by an AI system. AI-mediated responses are labelled as such and accompanied by source citations to the underlying document. This obligation is on Cogneris as provider of the AI system.
7.2 AI-generated or AI-modified content (Art. 50(2))
Outputs generated by the Service that constitute synthetic text, including summaries, AI-drafted explanations, and answers in Document Q&A, are marked as AI-generated both in the user interface and in the API response payload (for example, via a dedicated `generated_by_ai: true` field and a machine-readable provenance label). Field-extraction results (where the AI identifies a value already present in the document) are not "synthetic" content but are still flagged with a confidence score and the model version that produced them.
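A deployer consuming these responses should not rely on the label being present; it should check for it before anything reaches a natural person, and route low-confidence extractions to a human rather than surfacing them as fact (the human-oversight point in 7.5). The example below is an added illustration, not Cogneris's API or client code: the page states only that synthetic outputs carry `generated_by_ai: true` plus a machine-readable provenance label, that Document Q&A answers carry source citations, and that extracted fields carry a confidence score and model version. Every other field name (`kind`, `provenance.model`, `citations`, `model_version`), the review threshold and the sample response are constructed assumptions.

```python
"""Deployer-side triage of AI-provenance labels on API responses.

Added illustration, not Cogneris code. The `kind` discriminator, the shape of
the provenance label, REVIEW_THRESHOLD and SAMPLE_RESPONSE are assumptions.
"""
from __future__ import annotations

SYNTHETIC_KINDS = {"answer", "summary", "explanation"}   # synthetic text (Art. 50(2))
EXTRACTION_KINDS = {"field"}                             # values read from the document
REVIEW_THRESHOLD = 0.85   # assumption: below this an extraction goes to a human


def check_item(item: dict) -> list[str]:
    """Return every labelling-contract violation found on one response item."""
    problems: list[str] = []
    kind = item.get("kind")
    if kind in SYNTHETIC_KINDS:
        if item.get("generated_by_ai") is not True:
            problems.append(f"{kind}: generated_by_ai is not true")
        prov = item.get("provenance")
        if not isinstance(prov, dict) or not (prov.get("model") and prov.get("model_version")):
            problems.append(f"{kind}: provenance label incomplete")
        if kind == "answer" and not item.get("citations"):
            problems.append("answer: no source citation to the underlying document")
    elif kind in EXTRACTION_KINDS:
        conf = item.get("confidence")
        if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
            problems.append(f"field {item.get('name')!r}: confidence missing or outside [0, 1]")
        if not item.get("model_version"):
            problems.append(f"field {item.get('name')!r}: model_version missing")
    else:
        problems.append(f"unknown item kind {kind!r}")
    return problems


def triage(response: dict) -> dict[str, list]:
    """Route items: 'surface' (labelled, may be shown), 'review' (well-formed
    extraction below the confidence threshold: a human decides), 'reject'
    (labelling contract violated: never shown as-is)."""
    out: dict[str, list] = {"surface": [], "review": [], "reject": []}
    for item in response.get("items", []):
        problems = check_item(item)
        if problems:
            out["reject"].append({"item": item, "problems": problems})
        elif item["kind"] in EXTRACTION_KINDS and item["confidence"] < REVIEW_THRESHOLD:
            out["review"].append(item)
        else:
            out["surface"].append(item)
    return out


def render(item: dict) -> str:
    """User-facing line that keeps the AI label and its basis visible (Art. 50(1))."""
    if item["kind"] in SYNTHETIC_KINDS:
        prov = item["provenance"]
        cites = ", ".join(item.get("citations", [])) or "no citation"
        return f"[AI-generated, {prov['model']} {prov['model_version']}] {item['text']} (sources: {cites})"
    return (f"[extracted, confidence {item['confidence']:.2f}, {item['model_version']}] "
            f"{item['name']} = {item['value']}")


# Constructed sample response: two compliant items, one low-confidence
# extraction, one unlabelled summary, one answer without citations.
SAMPLE_RESPONSE = {
    "items": [
        {"kind": "answer", "text": "The invoice is due 30 days after issue.",
         "generated_by_ai": True, "citations": ["doc-1:p2"],
         "provenance": {"model": "example-llm", "model_version": "2026-01"}},
        {"kind": "field", "name": "due_date", "value": "2026-06-13",
         "confidence": 0.97, "model_version": "extractor-3.2"},
        {"kind": "field", "name": "total_amount", "value": "10400.00",
         "confidence": 0.62, "model_version": "extractor-3.2"},
        {"kind": "summary", "text": "Standard 30-day invoice.",
         "provenance": {"model": "example-llm", "model_version": "2026-01"}},
        {"kind": "answer", "text": "The payee is the supplier.", "generated_by_ai": True,
         "citations": [], "provenance": {"model": "example-llm", "model_version": "2026-01"}},
    ]
}


if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSE)
    for item in result["surface"]:
        print(render(item))
    print("review:", [i["name"] for i in result["review"]])
    print("reject:", [r["problems"] for r in result["reject"]])
```

Rejected items are held with the reason rather than silently dropped, so a missing label shows up as an integration defect in logs instead of as unlabelled text in front of a user.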
7.3 Emotion recognition and biometric categorization (Art. 50(3))
Cogneris does not operate an emotion-recognition system and does not provide biometric categorization. Where a customer's documents include facial images (for example, ID-document workflows), the Service performs document field extraction; it does not infer emotion or biometric categories. If a customer plans to use any such functionality, additional contractual terms and a separate impact assessment are required before onboarding.
7.4 Deep fakes and AI-generated images, audio, or video (Art. 50(4))
The Service does not generate deep-fake images, audio, or video. The Service is a structured-data extraction and Q&A platform; it does not produce synthetic media.
7.5 Customer (deployer) obligations
When a Cogneris customer deploys the Service in a context governed by the EU AI Act, particularly where the customer's overall workflow may itself qualify as a high-risk AI system under Annex III (e.g., creditworthiness assessment, life and health insurance pricing, certain employment uses), the customer (as deployer) is responsible for the deployer-side obligations, including any duty to inform affected natural persons under Art. 50(3) or 50(4), conducting a Fundamental Rights Impact Assessment under Art. 27 where required, and ensuring meaningful human oversight (Art. 26) before any consequential decision. Cogneris provides the documentation, logging, and configuration needed to support those obligations and references them in our Terms of Service §7 (acceptable use) and the DPA.
7.6 Model documentation and inventory
Cogneris maintains, and updates on material change, an inventory of the AI models used in the Service, including model family, version, provider, deployment region, and intended use. The current inventory is available under NDA on request to legal@cogneris.ai. Where a customer's procurement requires a Provider Card or System Card in the documentation format of EU AI Act Art. 53 (general-purpose AI models) or Arts. 11 and 13 (technical documentation and instructions for use for high-risk AI systems), Cogneris will provide one for the relevant components.
8. Changes to this page
We may update this page to reflect new sub-processors, regional availability, or changes to our processing operations. The registry date shown in Section 2 indicates the current revision of the sub-processor list. Material changes to sub-processors are notified separately as described in Section 2.1.