Trust Center

How we keep your data safe

Cognituring is built around a clear principle: the platform our customers trust to evaluate AI safety should hold itself to the same standard. This page is the public inventory of the controls we currently operate and the frameworks we map our work against — kept current, with links to live evidence wherever it exists. Operated by Cogniron Technology Solutions Private Limited.

Last updated: 28 May 2026

Live security scans

These badges link to live third-party scans of app.cognituring.com. Click any of them to verify the current grade yourself.

Recognitions

DPIIT Recognized Startup — Government of India

Cogniron Technology Solutions Pvt Ltd is recognised as a startup by the Department for Promotion of Industry and Internal Trade (DPIIT), Ministry of Commerce & Industry, under the Startup India programme.

Certificate DIPP226471

Valid through 22-09-2030

startupindia.gov.in →

Application & transport security

  • Live

    TLS 1.2+ enforced everywhere

    All inbound traffic terminates at Amazon CloudFront with modern cipher suites; HSTS (max-age 1 year, includeSubDomains) is set on every response. Plaintext HTTP is upgraded automatically.

  • Live

    Per-request Content-Security-Policy with nonces

    Every HTML page carries a fresh script nonce; 'strict-dynamic' constrains transitive script loading. CSP is enforced (not report-only) at the public origin.

  • Live

    Strict response headers

    X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy are set by the shared nginx security-headers include so every upstream surface inherits them.

  • Live

    Upload validation

    Files are validated by magic-byte sniffing, extension/content cross-checks, sanitised filenames, macro scanning on Office docs, JavaScript-action rejection on PDFs, zip-bomb detection, and formula-injection protection on CSV exports.

  • Live

    Open-redirect protection

    Post-sign-in redirect targets are validated against a same-origin allow-list; any off-origin target is rejected.

Identity, access, and audit

  • Live

    Managed identity provider

    Authentication is handled by a managed identity provider with industry-standard password hashing. Sessions issue short-lived access tokens and longer-lived refresh tokens; tokens are validated on every API request.

  • Live

    Role-based access control

    Two-tier role-based access (platform and per-organisation) is enforced on every endpoint that mutates data, with privileged actions written to an append-only audit log.

  • Live

    Audit trail for privileged actions

    Role changes, invitations, member removals, credit grants, and org-level configuration changes are recorded with actor, target, timestamp, and request context. Available to platform administrators via the audit console.

Data protection

  • Live

    Multi-tenant isolation

    Tenant data is partitioned by organisation and isolation is enforced at the database and application layer on every query.

  • Live

    PII redaction service

    A dedicated PII redaction service (built on Microsoft Presidio) detects and masks names, emails, phone numbers, SSNs, and similar identifiers in flagged data flows.

  • Live

    Encrypted secret management

    All sensitive credentials (JWT signing keys, database passwords, third-party API keys) load via a centralised secrets loader backed by AWS Secrets Manager. No long-lived secrets ship in code or configuration files.

  • Live

    Encryption at rest

    Managed RDS Postgres uses AWS-default at-rest encryption. S3 buckets used for archival use server-side encryption with AWS-managed keys.

AI assurance

  • Live

    Retrieval-augmented grounding on every AI call

    Each AI invocation that produces customer-facing claims runs through a RAG grounding helper that retrieves source evidence from the customer's own project documents and records the retrieval trail for audit.

  • Live

    Standards-mapped evaluation suite

    Evaluations map findings to ISO/IEC 42001:2023 Annex A controls, NIST AI RMF functions, EU AI Act articles, and IEEE 7000/7001/7003 — citations verified verbatim against the published primary sources.

  • Live

    No training on customer prompts

    AI subprocessors are invoked through enterprise / paid-API tiers where training on submitted content is contractually prohibited. See /subprocessors for per-provider scope.

  • Live

    Independence and safety guards

    Targets that cannot prove independence from the judging model collapse to an explicit 'unknown' state with a visible warning, rather than silently passing.

Compliance frameworks

We map our controls to the frameworks below. Mapping is not the same as certification, and we say so explicitly — the table distinguishes the two.

FrameworkStatusNotes
ISO/IEC 42001:2023Controls mapped, verifiedAnnex A control citations verified verbatim against the official standard text.
NIST AI Risk Management Framework 1.0Controls mapped, verifiedFunctions and categories cross-referenced to the official publication.
EU AI Act (Reg. 2024/1689)Articles mapped, verifiedArticle numbers and titles verified against EUR-Lex.
IEEE 7000 / 7001 / 7003Controls mapped, verifiedYear, clause IDs, and descriptions updated to the published standards.
GDPR / UK GDPR / CCPAAlignedData subject rights, retention schedules, and DPA workflow documented at /privacy and /dpa.

Operational security

  • Live

    Hardened deployment surface

    Public traffic terminates at CloudFront; application servers and the database live in a private VPC with no public ingress. Inbound ports are restricted to TLS only.

  • Live

    Database backups

    Managed Postgres automated backups are enabled with a 7-day retention window; backups inherit encryption-at-rest.

Privacy resources

Responsible disclosure

If you believe you have found a security vulnerability in the Cognituring platform, write to support@cogniron.com. We acknowledge legitimate reports within two business days and do not pursue action against good-faith researchers who follow standard responsible-disclosure norms.