Security at CognyFlow
Enterprise-grade security by default. Your data, keys, and infrastructure are protected at every layer.
AES-256-GCM Encryption
All API keys and sensitive credentials are encrypted at rest using AES-256-GCM with per-user derived keys via PBKDF2. Keys are never stored in plaintext.
- Per-user encryption key derivation
- Authenticated encryption with associated data
- Keys rotated automatically every 90 days
JWT Session Tokens
Authentication uses HS256-signed JSON Web Tokens with automatic expiration and refresh. Tokens are stored in HttpOnly, Secure, SameSite=Strict cookies.
- 7-day automatic expiration
- HttpOnly + Secure + SameSite=Strict
- No sensitive data in token payload
Edge-Native Proxy Protection
The proxy middleware runs at the edge to intercept and validate every request before it reaches your application. Unauthorized requests are rejected with zero latency.
- Pre-application request validation
- Route-level access control
- Automatic CSRF protection
Zero-Trust Architecture
CognyFlow operates on a zero-trust model — every request is authenticated, every action is authorized, and every API call is logged.
- No implicit trust between services
- Request-level authentication
- Complete audit trail
No Data Logging
We never log, cache, or store your prompts, responses, or API keys in plaintext. All sensitive data passes through encrypted channels.
- Prompts never stored in logs
- API keys masked in all outputs
- TLS 1.3 in transit
SOC2 Type II Compliance
CognyFlow infrastructure follows SOC2 Type II security controls for availability, confidentiality, and processing integrity.
- Annual third-party audits
- Continuous monitoring & alerting
- Incident response playbooks
Compliance & Certifications
Our commitment to industry-standard security frameworks.
Found a vulnerability?
We take security seriously. If you've discovered a vulnerability, please report it responsibly.