Security posture
CogniLead treats security as part of the product, not a checkbox. Every commitment on this page is auditable, scoped to a verifiable control, and tied to the same evidence chain (Chainlog) that the product itself sells. The page is the canonical Annex 2 (TOMs) for the DPA.
1. Security overview
CogniLead is built for compliance-sensitive teams. Tenant isolation is enforced at the database layer rather than the application layer. Every action taken on the platform — through the dashboard or the API — is recorded to a tamper-proof audit chain that the customer can read at any time. The security posture described below is the floor, not the ceiling, and is reviewed at least once per quarter.
2. Authentication
- Identity provider: Supabase Auth.
- Multi-factor authentication is enforced on first dashboard use and may not be disabled.
- SAML single sign-on is available on the Enterprise tier, with customer-controlled IdP.
- Sessions expire after a maximum of 30 days and are invalidated on password change or MFA reset.
3. Tenant isolation
- Postgres Row Level Security policies on every table keyed by tenant_id.
- The application tier never issues a query without a tenant identifier in the session context; the database is the final authority for visibility.
- Cross-tenant isolation is verified by an independent third-party penetration test before public GA, and re-tested annually.
4. Secrets management
- Supabase Vault is the single source of truth for DKIM private keys, OAuth refresh tokens, and customer-supplied API credentials (LLM provider keys, ESP keys).
- No tenant-specific secrets live in environment variables, source code, or container images.
- Operational secrets that gate platform-level systems (deploy credentials, infra tokens) are stored in a separate secret store with audit logging and rotation.
5. API keys
- Two key classes per tenant: pk_live_* (public, scope-limited) and sk_live_* (secret).
- Keys are hashed at rest with Argon2id; the raw value is shown only once at creation, never again.
- After creation only the last four characters are surfaced in the dashboard for identification.
- A 90-day rotation prompt fires automatically; older keys are marked stale in the dashboard.
- Revocation is immediate and propagates to all edge caches.
6. Network
- TLS 1.3 only; older protocols are refused at the edge.
- HSTS with a 2-year max-age and preload list inclusion. Certificate pinning is offered to Enterprise.
- Strict Content Security Policy. Inline script execution is blocked except for narrowly scoped, hash-pinned bootstraps.
- frame-ancestors 'none' on every response; the dashboard cannot be framed by third parties.
- Permissions-Policy locked down: camera, microphone, geolocation, payment, USB, and similar features are denied platform-wide.
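A customer can check the header commitments in this section against a captured response. The following is an added example, not CogniLead code; the function name, the 63072000-second reading of "2-year max-age", and both sample header sets are assumptions constructed for illustration.

```python
import re

TWO_YEARS = 63072000  # 730 days in seconds; assumed reading of the page's "2-year max-age"
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")

def audit_headers(headers):
    """Return a list of findings; an empty list means the headers match the stated policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS: max-age of at least two years, plus the preload token.
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    m = next((re.fullmatch(r'max-age="?(\d+)"?', p) for p in hsts if p.startswith("max-age")), None)
    if not m or int(m.group(1)) < TWO_YEARS:
        findings.append("hsts: max-age below two years or missing")
    if "preload" not in hsts:
        findings.append("hsts: preload missing")
    # CSP: directive name -> source tokens; the first occurrence of a directive wins.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("csp: frame-ancestors is not 'none'")
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("csp: no script-src or default-src")
    elif "'unsafe-inline'" in script_src and not any(t.startswith(("'sha", "'nonce-")) for t in script_src):
        findings.append("csp: inline scripts allowed")
    # Permissions-Policy: a feature is denied only when its allowlist is exactly ().
    pp = {}
    for part in h.get("permissions-policy", "").split(","):
        name, _, allow = part.strip().partition("=")
        pp[name.lower()] = allow.strip()
    for feat in DENIED_FEATURES:
        if pp.get(feat) != "()":
            findings.append(f"permissions-policy: {feat} not denied")
    return findings

# Constructed sample responses (not captured from any real service).
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'sha256-CONSTRUCTED='; frame-ancestors 'none'",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()"}
WEAK = {"Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
        "Permissions-Policy": "camera=(), geolocation=(self)"}
```

Header checks do not cover the TLS 1.3-only commitment, which has to be tested at the handshake level.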
7. Audit logging
- Every dashboard action and every API call is written to Chainlog with tenant_id, actor, action, resource, ip.
- Customers can read their own chain via the dashboard and the /api/v1/health endpoint, including the integrity proof for the latest range.
- Chain entries are immutable: removal or rewriting of an entry invalidates the hash chain and is visible to the customer in the next integrity check.
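The integrity property described above can be reproduced with a small hash chain. This is an added example, not Chainlog's implementation or wire format: SHA-256, the canonical JSON encoding, the genesis value, and the prev_hash/hash field names are assumptions, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry
FIELDS = ("tenant_id", "actor", "action", "resource", "ip")  # fields named on the page

def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    body = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, record):
    """Append a record linked to the hash of the current last entry; return the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({**record, "prev_hash": prev, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Return (ok, index of the first bad entry or None).

    expected_head is a head hash the reader saved earlier. Without it, removal of
    the newest entries goes unnoticed because the remaining links still match.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

# Constructed sample entries (not real log data).
SAMPLE = [
    {"tenant_id": "t-001", "actor": "alice", "action": "login", "resource": "dashboard", "ip": "192.0.2.10"},
    {"tenant_id": "t-001", "actor": "alice", "action": "create", "resource": "api_key", "ip": "192.0.2.10"},
    {"tenant_id": "t-001", "actor": "svc-api", "action": "send", "resource": "campaign/42", "ip": "198.51.100.7"},
]

def build_sample():
    """Build a chain from SAMPLE and return it with its head hash."""
    chain = []
    for rec in SAMPLE:
        head = append(chain, rec)
    return chain, head
```

Rewriting or removing an interior entry breaks a link even if the attacker recomputes that entry's own hash; truncating the tail is caught only when the verifier compares against a previously saved head.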
8. Data residency
- Customers choose CH or EU residency at signup. The choice is enforced at the database layer through regional read replicas.
- Data does not cross the CH/EU boundary except where the customer explicitly configures a non-EU LLM provider with their own API key. CogniLead will not initiate such a transfer unilaterally.
- Re-region of an existing tenant is a controlled operation that requires a service ticket; in-flight sends are paused during the migration window.
9. Encryption
- TLS 1.3 for all data in transit.
- AES-256 for all data at rest (Supabase default).
- Customer-managed KMS is available on the Enterprise tier, with the customer's root key held in their own KMS instance.
- Backup snapshots are encrypted with a separate key from the primary store.
10. Compliance roadmap
- SOC 2 Type I: by M9.
- SOC 2 Type II: by M18.
- ISO 27001: Year 2.
- HIPAA: CogniLead is not a covered entity. A BAA-aligned posture is offered via the PHI Gateway routing adapter for customers in regulated sectors that need it.
- GDPR / revFADP: documented per-page (Privacy, DPA, LIA template) and enforced in product behavior.
11. Backups
- Encrypted snapshots taken daily.
- 30-day retention.
- Stored in a geographically separate region within the same jurisdiction as the primary store.
- Restore drills are run at least quarterly.
12. Incident response
- 4-hour pager rotation, 24/7.
- Public status page at status.cognilead.ai with component-level granularity.
- Customer notification of a confirmed Personal Data breach within 48 hours of discovery, via email to the address on the account and a banner in the dashboard.
- Public post-mortem within 7 days of resolution for any incident of customer-visible scope.
13. Vulnerability disclosure
Report security issues to security@cognilead.ai. PGP key fingerprint (placeholder, replace with published key before GA):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
(Replace with the production key before GA. Until then, encrypted reports may be sent using the maintainer's published personal key on keys.openpgp.org.)
-----END PGP PUBLIC KEY BLOCK-----
- We follow a 90-day coordinated disclosure timeline. We will negotiate an extension only when a fix demonstrably requires it.
- We do not pursue legal action against good-faith security researchers who comply with this policy.
- Responsible reporters who request public credit are listed in our security acknowledgments after the issue is resolved.