Four commitments. Built into the platform from day one.
Security at Cogneris isn't a checklist bolted on at the end. These four principles are wired into every code path, every deploy, every customer integration.
Encryption everywhere
TLS 1.3 in transit. AES-256-GCM at rest. Per-tenant data encryption keys managed in Google Cloud KMS, rotated automatically, never co-located with the data they protect. Customer-managed keys (CMEK) available on Enterprise.
Strict tenant isolation
Every API request is scoped to a single tenant at the database layer. No shared compute, no cross-tenant queries, no global indexes. Enterprise customers can opt into dedicated infrastructure isolation and a single-tenant VPC deployment.
Least-privilege access
Role-based access control. MFA required for every employee account. Production access follows a dual-approval workflow with time-bound permissions and audit logging. Engineer access to customer document content requires a documented business reason and reviewer approval.
Complete audit trail
Every extraction, every review, every export — logged with timestamp, requestor identity, model version, prompt and response. Audit metadata is immutable and exportable, ready for SOX, GDPR, CCPA or external auditor review.
Where your documents live, and how long.
We're explicit about every stage. No surprise retention, no opaque storage. Defaults are conservative; everything is configurable per contract.
Ingestion
TLS 1.3 from your endpoint to our API. Document bytes are never persisted in access logs. Request metadata is logged without document content.
Processing
Extraction runs in-memory only during inference. No document data crosses tenant boundaries. Sub-processor LLM calls are configurable per tenant — including no-LLM workflows.
Storage
Documents and extraction results are encrypted at rest with per-tenant keys. Retention is configurable per workflow: default 90 days, can be set to zero (no retention beyond the request).
Deletion
Hard deletion at retention expiry. A 30-day soft-delete window protects against accidental loss; on request, we hard-delete immediately. Audit metadata is retained per your contract.
Audit export
Audit metadata (request, response, model version, reviewer, timestamps) is queryable via API and exportable as JSON-Lines or CSV. Default audit retention: 7 years.
Subject requests
As a processor, Cogneris routes data subject requests (access, deletion, portability under GDPR or CCPA) to the controller — you. We provide tooling and a 30-day SLA for fulfillment.
Working with regulated industries.
We're transparent about where we are on each framework. Where an audit is in progress, we say so. Where it isn't, we say that too. Trust packets — including DPA, security questionnaire responses, and current audit reports — are available on request.
GDPR — for our EU customers
Cogneris acts as a data processor under GDPR Art. 28. Our standard Data Processing Addendum incorporates the EU Standard Contractual Clauses for transfers outside the EEA, and binds every sub-processor to equivalent terms. Sign the DPA at legal@cogneris.ai.
CCPA / CPRA — for our California customers
Cogneris is a service provider under CCPA §1798.140(ag). We do not sell or share personal information. Data subject requests (right to know, delete, correct, opt out of sharing) are routed to the controller; our SLA is 30 days from receipt.
SOC 2 Type II — for our enterprise customers
Our Type II audit is currently underway. Target report date, audit progress, and our current Type I report are available under NDA — email security@cogneris.ai.
HIPAA — for healthcare workflows
Business Associate Agreements are available on Enterprise contracts. PHI handling is configurable per workflow — including no-retention modes and PHI-aware redaction in audit metadata.
The infrastructure behind Cogneris.
We list every sub-processor that handles customer data, what they do, and where they operate. Customers receive at least 30 days' notice before any addition or change, with the right to object under the DPA.
| Sub-processor | Purpose | Region | Data accessed |
|---|---|---|---|
| Google Cloud Platform | Compute, storage, networking, KMS | USA | Documents, extractions, audit metadata |
| OpenAI | LLM inference (configurable per tenant) | USA | Document content during inference; zero-retention API |
| Anthropic | LLM inference (configurable per tenant) | USA | Document content during inference; zero-retention API |
| New Relic | Observability (logs, metrics, traces, APM) | USA | Operational telemetry only — document bodies are scrubbed before egress |
| Twilio | Transactional SMS, WhatsApp and email notifications | USA | Recipient phone / email + transactional message content; never customer documents |
| Fingerprint | Device fingerprinting for fraud detection & KYC | USA | Browser / device fingerprint metadata; never document content |
| Cloudflare | Edge, WAF, DDoS mitigation | Global edge | Request metadata only; document bodies bypass edge cache |
Subscribe to sub-processor change notifications to receive updates 30 days before any change.
If something goes wrong, customers hear from us first.
We maintain a documented incident response plan with defined roles, escalation paths, and customer communication commitments. The headline numbers we hold ourselves to:
≤ 1 hour
From a confirmed alert to incident commander assigned, severity classified, and customer-impact assessment started.
≤ 48 hours
For a confirmed personal-data breach affecting Customer Data: notification to affected customers within 48 hours of confirmation, designed so you can meet your own GDPR Art. 33 72-hour deadline.
≤ 10 business days
Written post-incident review delivered to affected customers, including root cause, mitigations, and corrective actions.
Notifications include — to the extent then known — the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point for follow-up. Subsequent updates are issued as more information becomes available. Notifications are sent to your account-designated security contact and, on request, to a customer-supplied PGP-protected email address. Full breach-notification terms are in our DPA.
Found something? Tell us.
We respect security researchers and respond to good-faith reports within 1 business day. We commit to working transparently with reporters and crediting their work.
How to report
- Email security@cogneris.ai with a clear description of the issue, reproduction steps, and impact.
- If the issue is sensitive, request our PGP key in your initial email; we'll respond with one within four business hours.
- Please give us 90 days before public disclosure. We commit to fixing critical issues within 30 days, high-severity within 60, and to credit you in the changelog (if you'd like).
In scope
- cogneris.ai and all
*.cogneris.aisubdomains - The Document AI REST API and webhook system
- Authentication, session and tenant-isolation logic
- Customer dashboards and review queues
Out of scope
- Self-XSS / clickjacking on pages without sensitive actions
- Issues in third-party services we sub-process to (report directly to the vendor)
- Rate-limiting and brute-force on public endpoints (we have those covered)
- Best-practice header reports without a demonstrated exploit
Need DPAs, audit reports or a security questionnaire?
Most enterprise security questionnaires take us under 1 business day. Sub-processor notification subscriptions, DPAs, current SOC 2 status and our pen-test summary are all available on request — no NDA gate for the high-level docs.