Platform

Is Cognocient secure? How is my data protected?

Cognocient is built on a metadata-only logging principle. We never store your prompt or response content. Your provider API keys are encrypted at rest. All traffic is encrypted in transit.

Cognocient never stores your prompt or response content — only metadata like token counts, model, cost, latency, and attribution headers. Provider API keys are encrypted at rest with Fernet symmetric encryption, and all traffic is encrypted in transit.

Our security principles

Cognocient is designed around a single non-negotiable: your AI content is not our business to store. The proxy forwards your requests and logs metadata — nothing else. Every security decision follows from this principle.

  • Prompt and response content is never logged or stored.
  • Provider API keys are encrypted at rest before being written to the database.
  • All traffic between your app, Cognocient, and AI providers is encrypted in transit (TLS 1.2+).
  • We collect only what we need to provide the service: model names, token counts, cost, latency, and your attribution headers.

What we log and what we don't

Data typeLogged?Notes
Model name✅ Yese.g. gpt-4o, claude-3-5-sonnet
Token counts✅ Yesprompt_tokens, completion_tokens, total_tokens
Estimated cost✅ YesCalculated from token counts × model pricing
Latency✅ YesTime to first token and total request duration
Attribution headers✅ YesX-Cost-Feature, X-Cost-Department, etc. — only what you send
HTTP status code✅ Yes200, 429, 503, etc.
Prompt content❌ NeverNot read, not stored, not sent to Cognocient
Response content❌ NeverNot read, not stored, not sent to Cognocient
User PII❌ NeverUnless you put it in an attribution header, which we'd log as metadata
Streaming tokens❌ NeverWe stream the response bytes through without storing them

What this means for GDPR and HIPAA

Because Cognocient never stores prompt or response content, we do not become a processor of any personal data, PHI, or proprietary information contained in your AI calls. You can route sensitive healthcare or financial queries through Cognocient without it affecting your GDPR or HIPAA compliance posture.

Encryption at rest

Provider API keys are encrypted using Fernet symmetric encryption before being stored. Fernet is an AEAD scheme (authenticated encryption with additional data) — keys are encrypted, and any tampering with ciphertext is detected before decryption. Keys are only decrypted in memory for the fraction of a millisecond required to forward your request.

Metadata (token counts, costs, attribution headers, latency) is stored in plaintext in a PostgreSQL database hosted in our secure cloud infrastructure. The database is not publicly accessible — it is only reachable from Cognocient's backend application.

User account data (email, hashed passwords) is stored using standard bcrypt hashing (cost factor 12+) for passwords. Plaintext passwords are never stored or logged.

Encryption in transit

All traffic between your application and Cognocient (api.cognocient.com) is encrypted using TLS 1.2 or higher. Cognocient enforces HTTPS-only — all HTTP requests are redirected to HTTPS.

Traffic between Cognocient's proxy and the AI provider (OpenAI, Anthropic, etc.) is also encrypted via the providers' standard TLS endpoints.

API key management

Cognocient proxy keys (prefix sk-cog-) are issued per account. Each key can be:

  • Rotated at any time from Settings → API Keys — the old key is invalidated immediately.
  • Scoped (future feature) — budget limits and provider restrictions per key.
  • Revoked — deleting a key instantly rejects any requests using it.

Your Cognocient proxy key replaces your provider key in your application code. Your provider key is stored encrypted in Cognocient and is never exposed through any API endpoint.

Your provider keys are not recoverable

For security, Cognocient does not expose your stored provider API keys after initial setup. If you lose access to a provider key, you must re-enter it in Settings → Providers. Store your provider keys in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) independently of Cognocient.

Compliance status

StandardStatus
SOC 2 Type IIIn progress — audit expected Q4 2026
GDPRCompliant by design — no PII or prompt content stored
HIPAASuitable as a non-covered-entity proxy — we do not store PHI
PCI DSSNot applicable — we do not process payment data
ISO 27001Planned post-SOC 2

Data retention

Data typeRetention period
API call metadata (active account)Rolling 90 days (configurable to 365 days on Enterprise)
API call metadata (after cancellation)30 days, then permanently deleted
Account dataRetained until account deletion + 30 days
Audit logs1 year

You can request deletion of all your data at any time by emailing security@cognocient.com or by deleting your account from Settings → Account.

Infrastructure security

Cognocient runs on a managed cloud platform-as-a-service that provides:

  • Network isolation — backend services are not publicly exposed
  • Automatic TLS for all public endpoints
  • Secret encryption at rest for configuration and credentials
  • Deployment audit logs for all infrastructure changes

The Cognocient database, Redis cache, and background worker processes all run on a private network. None are directly accessible from the public internet.

Session and authentication security

  • Sessions use JWT tokens stored in HTTP-only cookies (not accessible to JavaScript)
  • JWT tokens expire after 24 hours and are re-issued on each active session
  • All authentication failures are rate-limited (5 failed attempts = 15-minute cooldown)
  • Password reset tokens are single-use and expire in 1 hour

Responsible disclosure

If you discover a security vulnerability in Cognocient, please report it to security@cognocient.com. We commit to:

  • Acknowledging your report within 48 hours
  • Providing a status update within 7 days
  • Crediting researchers who report valid vulnerabilities (with consent)
  • Not pursuing legal action against good-faith security researchers

Please do not publish vulnerability details until we have had the opportunity to address them.


Next steps: Budgets & Rate Limits · API Keys · Platform Overview

On this page