1. Our Security Commitment

At CognAgentAI, security is not an afterthought—it's built into every aspect of our service. We understand that you trust us with sensitive business and customer data, and we take that responsibility seriously.

This Security Policy outlines the comprehensive measures we've implemented to protect your data, our systems, and your privacy. We follow industry best practices and comply with relevant security standards and regulations.

2. Data Encryption

Encryption in Transit

All data transmitted to and from CognAgentAI is encrypted using industry-standard protocols:

  • TLS 1.3: Latest encryption standard for web communications
  • Perfect Forward Secrecy: Each session uses unique encryption keys
  • HTTPS Everywhere: All connections are encrypted by default
  • API Security: All API communications use encrypted channels
  • SMS Encryption: Messages encrypted during transmission via Twilio

Encryption at Rest

Your data is encrypted when stored in our databases and file systems:

  • AES-256 Encryption: Industry-standard encryption for stored data
  • Key Management: Encryption keys stored separately from data
  • Database Encryption: Full database encryption via Supabase
  • File Storage: Encrypted storage for documents and media
  • Backup Encryption: All backups are encrypted end-to-end

3. Access Controls

User Access

  • Multi-factor authentication (MFA) required
  • Strong password requirements enforced
  • Session timeout after inactivity
  • Account lockout after failed attempts
  • Password reset security protocols
  • OAuth integration for secure login

Administrative Access

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Administrative actions logged
  • Separate admin authentication
  • Regular access reviews and audits
  • Emergency access procedures

API Security

Authentication

  • JWT tokens with expiration
  • API key authentication
  • OAuth 2.0 support

Rate Limiting

  • Request rate limiting
  • DDoS protection
  • Abuse detection

Validation

  • Input validation
  • SQL injection prevention
  • XSS protection

4. Infrastructure Security

Cloud Security

Our infrastructure is hosted on secure, enterprise-grade cloud platforms:

Hosting Providers

  • Vercel: SOC 2 Type II certified
  • Supabase: ISO 27001 certified
  • AWS: Multiple security certifications
  • Edge Computing: Global CDN security

Security Features

  • 24/7 security monitoring
  • Automated threat detection
  • Network isolation and firewalls
  • Regular security updates

Network Security

Perimeter Defense

  • Web Application Firewall (WAF)
  • DDoS protection
  • IP allowlisting/blocklisting
  • Geographic restrictions

Network Monitoring

  • Intrusion detection systems
  • Network traffic analysis
  • Anomaly detection
  • Real-time alerting

Secure Architecture

  • Network segmentation
  • Zero-trust architecture
  • VPN access for staff
  • Secure API gateways

5. Application Security

Secure Development

  • Secure Coding: OWASP secure coding practices
  • Code Reviews: Mandatory peer review process
  • Static Analysis: Automated code security scanning
  • Dependency Scanning: Third-party library vulnerability checks
  • Security Testing: Penetration testing and vulnerability assessments

Runtime Protection

  • Input Validation: All user inputs validated and sanitized
  • Output Encoding: Proper encoding to prevent XSS
  • CSRF Protection: Cross-site request forgery prevention
  • SQL Injection: Parameterized queries and ORM protection
  • Security Headers: Comprehensive HTTP security headers

Security Header           | Purpose                              | Status
Content-Security-Policy   | Prevent XSS and code injection       | ✓ Enabled
Strict-Transport-Security | Enforce HTTPS connections            | ✓ Enabled
X-Frame-Options           | Prevent clickjacking attacks         | ✓ Enabled
X-Content-Type-Options    | Prevent MIME type confusion          | ✓ Enabled
Referrer-Policy           | Control referrer information leakage | ✓ Enabled
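As an added example (not CognAgentAI's code or configuration), the following JavaScript audits a response's headers against the five security headers listed in the table above; the "acceptable value" rules it applies (a one-year HSTS max-age, a default-src fallback and no 'unsafe-inline' in script-src, DENY/SAMEORIGIN framing, nosniff, and a non-leaking Referrer-Policy set) are this example's assumptions, not values stated by the policy.

```javascript
// Added example, not CognAgentAI's code: audit an HTTP response's headers against the
// five security headers in the policy table. The "acceptable value" rules are assumptions.
const ONE_YEAR = 31536000; // seconds; assumed minimum HSTS max-age

// Each check gets the header value (undefined when absent); null means acceptable.
const CHECKS = {
  'content-security-policy': (v) => {
    if (!v) return 'missing';
    const p = v.toLowerCase();
    if (!/(?:^|;)\s*default-src\b/.test(p)) return 'weak: no default-src fallback';
    if (/script-src[^;]*'unsafe-inline'/.test(p)) return "weak: 'unsafe-inline' in script-src";
    return null;
  },
  'strict-transport-security': (v) => {
    if (!v) return 'missing';
    const m = /max-age=(\d+)/i.exec(v);
    return m && Number(m[1]) >= ONE_YEAR ? null : 'weak: max-age below one year';
  },
  'x-frame-options': (v) =>
    !v ? 'missing' : ['deny', 'sameorigin'].includes(v.trim().toLowerCase()) ? null : `weak: ${v}`,
  'x-content-type-options': (v) =>
    !v ? 'missing' : v.trim().toLowerCase() === 'nosniff' ? null : `weak: ${v}`,
  'referrer-policy': (v) => {
    if (!v) return 'missing';
    const safe = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
    return safe.includes(v.trim().toLowerCase()) ? null : `weak: ${v}`;
  },
};

// headers: plain object of name -> value (names matched case-insensitively).
// Returns one "name: finding" per problem; an empty array means all five headers pass.
function auditSecurityHeaders(headers) {
  const norm = {};
  for (const [k, v] of Object.entries(headers)) norm[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    const f = check(norm[name]);
    if (f) findings.push(`${name}: ${f}`);
  }
  return findings;
}

// Constructed sample response: CSP absent, HSTS too short, leaky Referrer-Policy.
const SAMPLE_WEAK = {
  'Strict-Transport-Security': 'max-age=3600', 'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'unsafe-url',
};
```

Running `auditSecurityHeaders(SAMPLE_WEAK)` reports the missing CSP, the short HSTS max-age and the unsafe Referrer-Policy, while the two acceptable headers produce no finding.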

6. Data Protection

Data Classification

We classify data based on sensitivity and apply appropriate protection measures:

Public Data

Marketing materials, public documentation

Protection: Standard web security

Internal Data

User accounts, usage analytics, business data

Protection: Encryption, access controls

Confidential Data

Customer data, call logs, personal information

Protection: Enhanced encryption, strict access controls

Data Retention and Disposal

Retention Policies

  • Customer data: As long as the account is active
  • Call logs: 2 years for analytics
  • Payment data: 7 years for compliance
  • Access logs: 1 year for security analysis
  • Backup data: 90 days retention

Secure Disposal

  • Cryptographic erasure for encrypted data
  • Multiple-pass overwrite for storage media
  • Certificate of destruction for hardware
  • Automated deletion processes
  • Audit trails for all disposal activities

7. Monitoring and Incident Response

Security Monitoring

  • 24/7 Monitoring: Continuous security event monitoring
  • SIEM Integration: Security Information and Event Management
  • Anomaly Detection: ML-powered threat detection
  • Alert Systems: Automated incident notification
  • Log Analysis: Comprehensive audit log review
  • Threat Intelligence: External threat feed integration

Incident Response

  • Response Team: Dedicated security incident response team
  • Escalation Procedures: Clear incident escalation paths
  • Communication Plan: Customer and stakeholder notification
  • Forensic Analysis: Root cause analysis and evidence collection
  • Recovery Procedures: Service restoration and data recovery
  • Post-Incident Review: Lessons learned and improvements

Incident Response Timeline

  • < 15 min: Initial Detection & Alert
  • < 1 hr: Assessment & Containment
  • < 4 hrs: Notification & Communication
  • < 24 hrs: Recovery & Resolution

8. Compliance and Certifications

Current Compliance

  • GDPR - General Data Protection Regulation
  • CCPA - California Consumer Privacy Act
  • TCPA - Telephone Consumer Protection Act
  • SOC 2 Type II - In progress

Security Standards

  • OWASP - Top 10 security practices
  • NIST - Cybersecurity Framework
  • ISO 27001 - Information Security Management
  • PCI DSS - Payment Card Industry standards

9. Third-Party Security

Service Provider | Service Type              | Security Certifications  | Data Processing
Supabase         | Database & Authentication | ISO 27001, SOC 2 Type II | EU (Frankfurt)
Twilio           | SMS Communications        | SOC 2 Type II, ISO 27001 | US (with DPA)
Stripe           | Payment Processing        | PCI DSS Level 1, SOC 2   | US/EU (with SCCs)
Vercel           | Application Hosting       | SOC 2 Type II            | Global (with DPA)
OpenAI           | AI Processing             | SOC 2 Type II            | US (no training data)

Vendor Security Requirements

All third-party vendors must meet our security requirements:

  • Security certifications (SOC 2, ISO 27001)
  • Data processing agreements (DPAs)
  • Regular security assessments
  • Incident notification requirements
  • Encryption and access controls
  • Business continuity planning
  • Regular vulnerability management
  • Compliance with applicable regulations

10. Security Training and Awareness

Employee Training

  • Mandatory security awareness training
  • Phishing simulation exercises
  • Secure coding practice workshops
  • Data privacy and compliance training
  • Incident response drills
  • Regular security updates and briefings

Customer Education

  • Security best practices documentation
  • Account security recommendations
  • Phishing and social engineering awareness
  • Strong password and MFA guidance
  • Privacy settings and controls
  • Incident reporting procedures

11. Vulnerability Management

Continuous Security Testing

Automated Testing

  • Daily vulnerability scans
  • Static code analysis
  • Dynamic application testing
  • Dependency vulnerability checks

Manual Testing

  • Quarterly penetration testing
  • Security code reviews
  • Architecture security reviews
  • Social engineering assessments

Bug Bounty Program

  • Responsible disclosure policy
  • External security researchers
  • Coordinated vulnerability disclosure
  • Security researcher hall of fame

Patch Management

Critical Vulnerabilities

  • Detection: Within 24 hours
  • Assessment: Within 48 hours
  • Patching: Within 72 hours
  • Verification: Within 96 hours

Regular Updates

  • OS Updates: Monthly scheduled updates
  • Application Updates: Bi-weekly releases
  • Dependency Updates: Weekly automated checks
  • Security Updates: As soon as available

12. Reporting Security Issues

For Security Researchers

We welcome responsible disclosure of security vulnerabilities:

Email: security@cognagentai.com

PGP Key: Available on request

Response Time: 24 hours acknowledgment

Scope: CognAgentAI owned domains and applications

Reward: Recognition and potential bounty

For Customers

If you discover a potential security issue:

Email: support@cognagentai.com

Subject: "Security Concern"

Phone: 1-800-COGNAGENT

Response Time: 2 hours during business hours

Escalation: 24/7 for critical issues

What to Include in Reports

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Screenshots or proof of concept
  • Your contact information
  • Timeline for disclosure
  • Any mitigating factors
  • Suggested remediation steps

13. Contact Information

Security Team

Email: security@cognagentai.com

Phone: 1-800-COGNAGENT (Emergency)

Response Time: 24 hours maximum

Escalation: CISO notification for critical issues

Business Address

CognAgentAI Security Office

123 Innovation Drive, Suite 400

Austin, TX 78701

United States

Questions About Our Policies?

If you have any questions about these legal documents, please don't hesitate to contact us.