SOC 2 Compliant LMS

The LMS that gives your auditor an easy day.

Cognaxa is SOC 2 Type II certified (achieved March 2026), covering Security, Availability, and Confidentiality. Database-level tenant isolation enforced at the PostgreSQL query planner. 99.98% trailing-12-month uptime. Annual third-party penetration testing. Every artefact your procurement and compliance teams need — available within one business day under NDA.

  • SOC 2 Type II: achieved Mar 2026
  • 99.98%: trailing 12-mo uptime
  • 0: reported security incidents
  • 1 day: artefact turnaround under NDA

Trust Service Criteria

Each control mapped to a concrete artefact.

We don't ship a security FAQ — we ship the actual policies, audit reports, and architectural controls procurement teams need to sign off.

Security

CC6 — Logical & Physical Access

  • Database-level tenant isolation via PostgreSQL Row-Level Security policies, enforced at the query planner.
  • Three-tier RBAC (admin / teacher / learner). TOTP 2FA on all admin accounts. SSO via custom OAuth bridge today; managed SAML/OIDC on the Enterprise roadmap.
  • Quarterly access reviews with documented approver chain.
Artefact: SOC 2 Type II report (under NDA)

Security

CC7 — System Operations & Change Management

  • CI/CD pipeline gating: no direct production access; every change reviewed and tested.
  • Annual third-party penetration testing.
  • Helmet-enforced security headers; tailored CSP and HSTS rollout in progress.
Artefact: Pen test letter + change-management policy summary

Availability

A1 — Availability

  • 99.98% trailing-12-month uptime measured across all production tenants.
  • Documented incident response with named on-call escalation; engineer-to-customer escalation on Enterprise.
Artefact: Incident response summary

Confidentiality

C1 — Confidentiality

  • Tenant data encrypted at rest (AWS-managed KMS) and in transit (TLS 1.2+).
  • Type-safe API boundaries with Zod schema validation on every request body, params, and query.
  • Activity audit logging today; outbound SIEM streaming on the Enterprise roadmap.
Artefact: Security whitepaper + encryption summary

Questions security and procurement teams ask first.

Are you SOC 2 Type II?

Yes — achieved March 2026, covering Security, Availability, and Confidentiality trust service criteria. The full report is available to enterprise customers and prospects under NDA via /trust/downloads.

Who is your auditor?

Disclosed to prospects under NDA along with the report. We avoid naming the firm publicly to keep the audit relationship clean.

How is tenant isolation actually enforced?

Every query Cognaxa makes runs through PostgreSQL Row-Level Security policies enforced at the query planner — not the application layer. A bug in middleware cannot expose tenant data because the query planner physically prevents it before a byte crosses the wire. Pacific Institute's SOC 2 auditor specifically called out this control as the cleanest tenant-isolation mechanism they had reviewed that year.
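
As an added illustration of the Row-Level Security pattern described above (not Cognaxa's schema or policies; the table, role and `app.tenant_id` setting names are hypothetical and the rows are constructed), the sketch below shows a fail-closed tenant policy plus the two catalog checks a reviewer would run. The isolation holds only when the application connects as a role without superuser or BYPASSRLS rights and the tenant setting is bound per transaction.

```sql
-- Hypothetical names throughout; constructed sample data.
CREATE ROLE lms_app NOLOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE enrollments (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    learner   text NOT NULL
);
GRANT SELECT, INSERT ON enrollments TO lms_app;

-- ENABLE switches policies on. FORCE also applies them to the table
-- owner, who is otherwise exempt from RLS.
ALTER TABLE enrollments ENABLE ROW LEVEL SECURITY;
ALTER TABLE enrollments FORCE ROW LEVEL SECURITY;

-- Fail closed: an unset or empty app.tenant_id becomes NULL, and
-- "tenant_id = NULL" is never true, so no rows are visible or writable.
CREATE POLICY tenant_isolation ON enrollments
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request pattern: the tenant is bound for one transaction only,
-- so a pooled connection cannot carry it over to the next request.
BEGIN;
SET LOCAL ROLE lms_app;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO enrollments (tenant_id, learner)
VALUES ('11111111-1111-1111-1111-111111111111', 'alice');
SELECT learner FROM enrollments;   -- only this tenant's rows
COMMIT;

-- With no tenant bound, the same role sees nothing.
BEGIN;
SET LOCAL ROLE lms_app;
SELECT count(*) FROM enrollments;  -- 0
COMMIT;

-- Review check 1: tables where RLS is missing or not forced.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Review check 2: roles that bypass every policy regardless of the above.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;
```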

What about ISO 27001?

Our ISMS is aligned to ISO 27001 controls today. Formal certification is in progress, targeted Q4 2026. The Statement of Applicability is available now under NDA.

How fast can we get artefacts in a procurement window?

One business day during EU/US work hours, under NDA. Email security@genfinish.com or use the request flow at /trust/downloads.

Send us your security questionnaire.

Most procurement teams reach for a CAIQ or a custom security questionnaire. Our security team replies with a completed questionnaire and the relevant artefacts within one business day.