Security

Security at CognyFlow

Enterprise-grade security by default. Your data, keys, and infrastructure are protected at every layer.

AES-256-GCM Encryption

All API keys and sensitive credentials are encrypted at rest using AES-256-GCM with per-user derived keys via PBKDF2. Keys are never stored in plaintext.

  • Per-user encryption key derivation
  • Authenticated encryption with associated data
  • Keys rotated automatically every 90 days

JWT Session Tokens

Authentication uses HS256-signed JSON Web Tokens with automatic expiration and refresh. Tokens are stored in HttpOnly, Secure, SameSite=Strict cookies.

  • 7-day automatic expiration
  • HttpOnly + Secure + SameSite=Strict
  • No sensitive data in token payload

Edge-Native Proxy Protection

The proxy middleware runs at the edge to intercept and validate every request before it reaches your application. Unauthorized requests are rejected with zero latency.

  • Pre-application request validation
  • Route-level access control
  • Automatic CSRF protection

Zero-Trust Architecture

CognyFlow operates on a zero-trust model — every request is authenticated, every action is authorized, and every API call is logged.

  • No implicit trust between services
  • Request-level authentication
  • Complete audit trail

No Data Logging

We never log, cache, or store your prompts, responses, or API keys in plaintext. All sensitive data passes through encrypted channels.

  • Prompts never stored in logs
  • API keys masked in all outputs
  • TLS 1.3 in transit

SOC2 Type II Compliance

CognyFlow infrastructure follows SOC2 Type II security controls for availability, confidentiality, and processing integrity.

  • Annual third-party audits
  • Continuous monitoring & alerting
  • Incident response playbooks

Compliance & Certifications

Our commitment to industry-standard security frameworks.

FrameworkStatus
SOC2 Type II
Certified
GDPR
Compliant
CCPA
Compliant
ISO 27001
In Progress
HIPAA
Planned

Found a vulnerability?

We take security seriously. If you've discovered a vulnerability, please report it responsibly.