1. Our Commitment
Security is a first-class engineering concern at CogniCloud. We adopt a defence-in-depth approach — layering controls at the perimeter, application, data, and operational levels — and we review our posture continuously as our platform evolves.
This page describes our current security practices. Because CogniCloud's platform is under active development, this document will be updated regularly as we add controls, obtain certifications, and expand our operational security programme.
2. Infrastructure Security
2.1 Physical security
All compute and storage infrastructure is hosted in Tier III+ datacentres operated by established hyperscalers and co-location providers. Physical access is controlled via multi-factor authentication, biometric access controls, CCTV, and 24/7 on-site security. CogniCloud staff do not have direct physical access to underlying hardware.
2.2 High availability & resilience
Production systems are designed to eliminate single points of failure. We use redundant power supplies, network uplinks, and hardware components across geographically separated availability zones. Automated failover ensures continuous service availability.
2.3 Penetration testing
We conduct regular penetration tests against our external attack surface and will commission independent third-party assessments before launching production services to customers. Findings are remediated within defined SLAs according to risk severity.
3. Data Protection
| Encryption in transit | All traffic between clients and CogniCloud is encrypted using TLS 1.3. Older protocol versions are rejected. |
| Encryption at rest | All customer data and backups are encrypted using AES-256 at rest. |
| Key management | Encryption keys are managed through a dedicated key management service with hardware security module (HSM) backing. |
| Data isolation | Each customer's data is logically isolated. Strict access controls prevent cross-tenant data leakage at every layer of the stack. |
| Backup & recovery | Data is backed up automatically at configurable intervals. Backups are encrypted and stored in geographically separate regions. |
4. Access Controls
4.1 Principle of least privilege
CogniCloud staff are granted the minimum level of access required to perform their roles. Access rights are reviewed quarterly and revoked immediately upon role change or departure.
4.2 Multi-factor authentication
All internal systems require multi-factor authentication (MFA). We do not permit password-only access to production environments, administrative consoles, or customer data systems.
4.3 Privileged access management
Privileged access to production infrastructure is managed through a just-in-time (JIT) access system. All privileged sessions are logged and reviewed. No standing privileged access exists in production.
4.4 Audit logging
All administrative actions — including API calls, configuration changes, and data access — are logged with full metadata (user, timestamp, IP address, action). Logs are tamper-resistant and retained for a minimum of 12 months.
5. Network Security
- Network perimeter protected by next-generation firewalls and DDoS mitigation (Cloudflare)
- All internal service-to-service communication is encrypted using mutual TLS (mTLS)
- Network segmentation isolates customer workloads from each other and from internal management planes
- Intrusion detection systems (IDS) monitor for anomalous traffic patterns 24/7
- Egress filtering prevents unauthorised data exfiltration from production environments
- VPN required for all remote administrative access
6. Secure Development Lifecycle
Security is integrated throughout our software development lifecycle (SDLC):
- Static application security testing (SAST) on every pull request
- Dependency vulnerability scanning using automated tooling; critical vulnerabilities block deployment
- Security-focused code review for all changes to authentication, authorisation, and data-handling code
- Containerised workloads built from minimal base images; no unnecessary packages or services
- Infrastructure-as-code (IaC) reviewed for security misconfigurations before deployment
- Secrets management via a dedicated vault — no secrets in source code, environment files, or logs
7. Compliance & Certifications
| UK GDPR / Data Protection Act 2018 | Compliant — see our Privacy Policy for details |
| SOC 2 Type II | In progress — targeting completion before general availability |
| ISO 27001 | Planned — formal certification programme to commence with Series A |
| HIPAA | Business Associate Agreements (BAAs) available on request for applicable workloads |
| PCI-DSS | Not currently in scope — we do not process payment card data |
8. Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities. We commit to responding to all valid reports within 5 business days and to resolving critical vulnerabilities within 30 days.
If you believe you have found a security vulnerability in CogniCloud's systems or website, please email security@cognicloud.net with a detailed description of the issue, steps to reproduce, and any supporting evidence (screenshots, proof-of-concept code).
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We ask for a minimum of 90 days before public disclosure. We will not take legal action against researchers who discover and disclose vulnerabilities in good faith in accordance with this policy.
In scope
- cognicloud.net (main website)
- api.cognicloud.net (API, when launched)
- Any subdomain under cognicloud.net
Out of scope
- Denial-of-service attacks
- Social engineering of CogniCloud staff
- Physical attacks against datacentre infrastructure
- Vulnerabilities in third-party services we rely on (report these directly to the vendor)
- Automated vulnerability scanning without prior written permission
9. Incident Response
CogniCloud maintains a documented incident response plan that is tested regularly:
- Security events are detected via automated alerting and human monitoring 24/7
- Incidents are classified by severity (P0–P4) with defined escalation and remediation SLAs
- Customer-impacting incidents are communicated via our status page (status.cognicloud.net, coming soon) and direct email notification where required
- Data breaches are reported to the ICO within 72 hours where required under UK GDPR
- Post-incident reviews (PIRs) are conducted for all P0 and P1 incidents; findings are used to improve controls
10. Security Contact
For security enquiries and vulnerability disclosures:
| Email | security@cognicloud.net |
| Response | Within 5 business days for valid reports |
| PGP key | Available on request — email us first |
For general enquiries unrelated to security vulnerabilities, please use our contact form.