Trust Center
How we keep your data safe
Cognituring is built around a clear principle: the platform our customers trust to evaluate AI safety should hold itself to the same standard. This page is the public inventory of the controls we currently operate and the frameworks we map our work against — kept current, with links to live evidence wherever it exists. Operated by Cogniron Technology Solutions Private Limited.
Last updated: 28 May 2026
Live security scans
These badges link to live third-party scans of app.cognituring.com. Click any of them to verify the current grade yourself.
Recognitions
DPIIT Recognized Startup — Government of India
Cogniron Technology Solutions Pvt Ltd is recognised as a startup by the Department for Promotion of Industry and Internal Trade (DPIIT), Ministry of Commerce & Industry, under the Startup India programme.
Application & transport security
- Live
TLS 1.2+ enforced everywhere
All inbound traffic terminates at Amazon CloudFront with modern cipher suites; HSTS (max-age 1 year, includeSubDomains) is set on every response. Plaintext HTTP is upgraded automatically.
- Live
Per-request Content-Security-Policy with nonces
Every HTML page carries a fresh script nonce; 'strict-dynamic' constrains transitive script loading. CSP is enforced (not report-only) at the public origin.
- Live
Strict response headers
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy are set by the shared nginx security-headers include so every upstream surface inherits them.
- Live
Upload validation
Files are validated by magic-byte sniffing, extension/content cross-checks, sanitised filenames, macro scanning on Office docs, JavaScript-action rejection on PDFs, zip-bomb detection, and formula-injection protection on CSV exports.
- Live
Open-redirect protection
Post-sign-in redirect targets are validated against a same-origin allow-list; any off-origin target is rejected.
Identity, access, and audit
- Live
Managed identity provider
Authentication is handled by a managed identity provider with industry-standard password hashing. Sessions issue short-lived access tokens and longer-lived refresh tokens; tokens are validated on every API request.
- Live
Role-based access control
Two-tier role-based access (platform and per-organisation) is enforced on every endpoint that mutates data, with privileged actions written to an append-only audit log.
- Live
Audit trail for privileged actions
Role changes, invitations, member removals, credit grants, and org-level configuration changes are recorded with actor, target, timestamp, and request context. Available to platform administrators via the audit console.
Data protection
- Live
Multi-tenant isolation
Tenant data is partitioned by organisation and isolation is enforced at the database and application layer on every query.
- Live
PII redaction service
A dedicated PII redaction service (built on Microsoft Presidio) detects and masks names, emails, phone numbers, SSNs, and similar identifiers in flagged data flows.
- Live
Encrypted secret management
All sensitive credentials (JWT signing keys, database passwords, third-party API keys) load via a centralised secrets loader backed by AWS Secrets Manager. No long-lived secrets ship in code or configuration files.
- Live
Encryption at rest
Managed RDS Postgres uses AWS-default at-rest encryption. S3 buckets used for archival use server-side encryption with AWS-managed keys.
AI assurance
- Live
Retrieval-augmented grounding on every AI call
Each AI invocation that produces customer-facing claims runs through a RAG grounding helper that retrieves source evidence from the customer's own project documents and records the retrieval trail for audit.
- Live
Standards-mapped evaluation suite
Evaluations map findings to ISO/IEC 42001:2023 Annex A controls, NIST AI RMF functions, EU AI Act articles, and IEEE 7000/7001/7003 — citations verified verbatim against the published primary sources.
- Live
No training on customer prompts
AI subprocessors are invoked through enterprise / paid-API tiers where training on submitted content is contractually prohibited. See /subprocessors for per-provider scope.
- Live
Independence and safety guards
Targets that cannot prove independence from the judging model collapse to an explicit 'unknown' state with a visible warning, rather than silently passing.
Compliance frameworks
We map our controls to the frameworks below. Mapping is not the same as certification, and we say so explicitly — the table distinguishes the two.
| Framework | Status | Notes |
|---|---|---|
| ISO/IEC 42001:2023 | Controls mapped, verified | Annex A control citations verified verbatim against the official standard text. |
| NIST AI Risk Management Framework 1.0 | Controls mapped, verified | Functions and categories cross-referenced to the official publication. |
| EU AI Act (Reg. 2024/1689) | Articles mapped, verified | Article numbers and titles verified against EUR-Lex. |
| IEEE 7000 / 7001 / 7003 | Controls mapped, verified | Year, clause IDs, and descriptions updated to the published standards. |
| GDPR / UK GDPR / CCPA | Aligned | Data subject rights, retention schedules, and DPA workflow documented at /privacy and /dpa. |
Operational security
- Live
Hardened deployment surface
Public traffic terminates at CloudFront; application servers and the database live in a private VPC with no public ingress. Inbound ports are restricted to TLS only.
- Live
Database backups
Managed Postgres automated backups are enabled with a 7-day retention window; backups inherit encryption-at-rest.
Privacy resources
- Privacy Policy — what we collect, why, how long we keep it, your rights.
- Cookie Policy — every cookie we set and its purpose.
- Subprocessor list — every third-party processor in the data flow.
- Data Processing Agreement — how to put a GDPR Art. 28 DPA in place.
- Terms and Conditions.
Responsible disclosure
If you believe you have found a security vulnerability in the Cognituring platform, write to support@cogniron.com. We acknowledge legitimate reports within two business days and do not pursue action against good-faith researchers who follow standard responsible-disclosure norms.