Encryption
All traffic between your browser, our APIs, and our backing databases is encrypted in transit with TLS 1.2 or higher; older protocols are explicitly disabled.
At rest, we apply AES-256-GCM column-level encryption to OAuth access and refresh tokens, TOTP 2FA secrets, and OIDC client secrets. Backing volumes are additionally encrypted by the underlying cloud provider.
Master encryption keys are currently injected via environment variables on isolated runtime hosts. We are migrating to a managed KMS (AWS KMS) with envelope encryption and per-tenant data keys; the rotation tooling already lives behind the same interface.
Access controls
- Role-based access control with three tiers — ADMIN, EDITOR, VIEWER — enforced at the API layer.
- JWT access tokens are short-lived; refresh tokens rotate on every use with reuse-detection that revokes the entire token family on suspicious replay.
- Configurable session timeout per organization, with an org-admin-controlled IP allowlist that rejects connections at the gateway.
- Mandatory 2FA can be enforced for all org members; admins cannot disable their own 2FA without re-verification.
Authentication
- TOTP-based 2FA (RFC 6238) with backup recovery codes.
- SAML 2.0 SSO (SP-initiated and IdP-initiated) with signed assertions.
- OIDC SSO with verified providers including Okta, Azure AD, and Google Workspace.
- SCIM 2.0 user provisioning and deprovisioning, including group mappings to Cognia roles.
- OAuth login via Google and Microsoft for personal accounts.
- Password breach checking against the HIBP k-anonymity API on sign-up and password change.
Audit logging
Every security-relevant action — logins, role changes, token issuance, memory exports, settings updates — is appended to an immutable audit log with the actor, timestamp, IP address, and user-agent.
Org admins can export audit logs as CSV from the admin console. Retention is configurable per organization at 90 days, 365 days, or unlimited (Enterprise).
Network
- HTTP responses include a strict set of security headers via Helmet — HSTS with preload, a CSP that blocks inline scripts outside an explicit nonce list, X-Frame-Options DENY, and Referrer-Policy strict-origin-when-cross-origin.
- CORS is allowlist-based; no wildcard origins are accepted on authenticated endpoints.
- Per-IP and per-user rate limits protect login, password reset, and write endpoints. Failed-auth events feed an automatic temporary lockout.
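The layered login protection from the last bullet, as an added example rather than Cognia's code: a sliding-window limiter keyed by source IP, a tighter one keyed by account, and a temporary lockout that is armed by failed-auth events and cleared by a successful login. Thresholds, names and the documentation-range IP are assumptions; the clock is passed in so the run is deterministic.

```javascript
// Added example (not Cognia's code): rate limits plus failed-auth lockout for /login.

// Sliding-window counter: at most `limit` hits per key in any `windowMs` span.
class SlidingWindow {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of recent hits
  }
  allow(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

const perIp = new SlidingWindow(20, 60000);  // 20 attempts per minute per IP (assumed)
const perUser = new SlidingWindow(5, 60000); // 5 attempts per minute per account (assumed)
const lockouts = new Map();                   // userId -> { failures, until }
const LOCK_AFTER = 5;                         // consecutive failures before lockout (assumed)
const LOCK_MS = 15 * 60000;                   // lockout duration (assumed)

// Gate a login attempt. Order matters: the lockout check costs nothing and is
// evaluated first; the limiters only count attempts that got past it.
function checkLogin({ ip, userId }, now) {
  const lock = lockouts.get(userId);
  if (lock && lock.until > now) return { allowed: false, reason: 'locked_out' };
  if (!perIp.allow(ip, now)) return { allowed: false, reason: 'ip_rate_limited' };
  if (!perUser.allow(userId, now)) return { allowed: false, reason: 'user_rate_limited' };
  return { allowed: true };
}

// Feed the outcome of the password check back into the lockout state.
function recordAuthResult(userId, success, now) {
  if (success) {
    lockouts.delete(userId);
    return;
  }
  const lock = lockouts.get(userId) || { failures: 0, until: 0 };
  lock.failures += 1;
  if (lock.failures >= LOCK_AFTER) lock.until = now + LOCK_MS;
  lockouts.set(userId, lock);
}

// Scenario: five failed attempts one second apart, a sixth that is locked out,
// then one attempt after the lockout and both windows have expired.
function demo() {
  const t0 = 1700000000000;
  const ip = '203.0.113.7'; // constructed, from the documentation range
  const out = [];
  for (let i = 0; i < 6; i++) {
    const r = checkLogin({ ip, userId: 'u1' }, t0 + i * 1000);
    out.push(r.allowed ? 'ok' : r.reason);
    if (r.allowed) recordAuthResult('u1', false, t0 + i * 1000);
  }
  const later = checkLogin({ ip, userId: 'u1' }, t0 + 16 * 60000);
  out.push(later.allowed ? 'ok' : later.reason);
  return out;
}
```

The per-account lockout is what stops slow, distributed guessing that stays under the per-IP limit; the cost is that it can be used to lock a known account out on purpose, which is why the lockout here is short and is lifted by a successful login rather than requiring admin intervention. The response body for a rate-limited or locked-out attempt should be indistinguishable from a plain wrong-password response so the endpoint does not confirm which accounts exist.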
Data residency
Production data is stored in AWS ap-south-1. EU and APAC residency options are on the roadmap.
Compliance
- GDPR-ready: data subject rights (access, rectification, erasure, portability) are exposed in-product and by request.
Incident response
We acknowledge reported incidents within 24 hours. For confirmed incidents, we publish a public root-cause analysis within 72 hours of resolution and notify affected customers within 24 hours of confirming any exposure of personally identifiable information.
Bug bounty
Responsible disclosures are rewarded. See our bug bounty program for scope, rewards, and reporting instructions.