Security is not a feature — it's the foundation.
Cognaxa's security starts at the database layer with PostgreSQL Row-Level Security and extends through every layer of the stack. Here's how we protect your institution's data.
Compliance & Certifications
Third-party verified. Independently audited.
SOC 2 Type II
Independently audited by a third-party firm covering the Security, Availability, and Confidentiality trust service criteria. Report available to enterprise customers and prospects under NDA.
Request report →
GDPR
Cognaxa is fully GDPR-compliant. We offer Data Processing Agreements (DPAs) to all customers. Regional data residency (EU/APAC) is available via dedicated infrastructure deployments.
Get DPA template →
ISO 27001
Our Information Security Management System (ISMS) is aligned with ISO 27001 controls. Formal certification is in progress, targeted Q4 2026.
Statement of Applicability →
HIPAA Ready
Cognaxa supports HIPAA-aligned deployments for health education institutions. Business Associate Agreements (BAAs) are available on Enterprise plans.
Request BAA →
How We Protect Your Data
Six layers of defense — from the query planner to the network edge.
Row-Level Security at the Database
Every query runs through PostgreSQL Row-Level Security policies enforced by the query planner — not by the application layer. A bug in middleware cannot expose tenant data, because the policy filters rows inside the database before any result leaves it.
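As an added illustration of what planner-level enforcement means (this is example SQL, not Cognaxa's own schema or code), the snippet below builds a per-tenant table, forces a row-level policy keyed on a transaction-scoped setting, and then runs a query with no tenant filter at all; the table, role and setting names (learner_submissions, app_user, app.tenant_id) are assumptions.

```sql
-- Added example (not Cognaxa's schema): tenant isolation with PostgreSQL RLS.
-- Table, role and setting names are assumptions. Run as the migration/owner
-- role on PostgreSQL 13+ (gen_random_uuid is built in from 13 onward).
CREATE ROLE app_user NOLOGIN;  -- in production this is the app's only login role

CREATE TABLE learner_submissions (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    learner_id uuid NOT NULL,
    score      integer
);

-- Constructed sample rows for two tenants, inserted before RLS is switched on.
INSERT INTO learner_submissions (tenant_id, learner_id, score) VALUES
  ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 88),
  ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 71),
  ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 95);

-- FORCE makes the table owner subject to the policy too. Only superusers and
-- roles with BYPASSRLS skip it, so the application must never connect as those.
ALTER TABLE learner_submissions ENABLE ROW LEVEL SECURITY;
ALTER TABLE learner_submissions FORCE ROW LEVEL SECURITY;

-- The tenant id comes from a setting the app assigns after authenticating the
-- request. missing_ok = true returns NULL when it was never set, NULLIF guards
-- the empty string a RESET leaves behind, and comparing against NULL matches no
-- rows: a missing tenant context fails closed instead of returning everything.
CREATE POLICY tenant_isolation ON learner_submissions
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON learner_submissions TO app_user;
GRANT USAGE ON SEQUENCE learner_submissions_id_seq TO app_user;

-- The request path. SET LOCAL scopes both the role and the tenant to this
-- transaction, so a pooled connection cannot carry them into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- No WHERE clause at all (the "buggy middleware" case): the planner still adds
-- the policy predicate, so only rows belonging to tenant 1 come back.
SELECT count(*) FROM learner_submissions;
-- Writing a row tagged with another tenant is rejected by the WITH CHECK clause.
INSERT INTO learner_submissions (tenant_id, learner_id, score)
  VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 50);
ROLLBACK;
```

The policy is only as strong as the role the application connects with: verify with `SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user';` that both are false.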
Native AI Proctoring — No Third-Party iFrames
Our proctoring engine is a first-class subsystem built into Cognaxa, not a third-party iframe. This means one SLA, one support channel, and no "the vendor is down" excuses on exam day.
Access Control & Identity
Three-tier RBAC combined with TOTP 2FA. Admins cannot access data outside their tenant boundary. Organization-wide MFA enforcement and managed SSO are roadmapped for Enterprise deployments.
Type-Safe API Boundaries (Zod)
Request bodies, params, and query strings are validated against strict Zod schemas before reaching business logic, and all database access uses parameterized queries. Together, these two layers shut out the common injection vectors.
Activity Audit Logging
Key tenant and learner actions are captured in an activity log attached to the user and tenant. A richer append-only audit trail spanning every admin action, role change, and exam event — plus outbound SIEM streaming — is on the Enterprise roadmap.
Rate Limiting & Security Headers
Application-layer request throttling caps abusive traffic per client IP. Secure HTTP headers (X-Frame-Options, X-Content-Type-Options and related defaults) are enforced via Helmet; a tailored Content Security Policy and HSTS rollout are in progress. Penetration testing is conducted annually by an independent firm.
Responsible Disclosure
Found a security issue? We take vulnerability reports seriously and will respond within 24 hours. Please do not disclose publicly until we've had the opportunity to remediate.
security@genfinish.com →