Security

    Last Updated: March 2026

    At Cogny, protecting your data is fundamental to everything we build. This page describes the security measures we implement across our platform to keep your information safe.

    For vendor & security reviews

    Cogny Security Brief

    A single security overview for your IT & Security team's vendor file: who Cogny is, how the platform handles, stores, and retains your data, our sub-processors, our AI-training posture, and the security of the MCP connector. Everything a vendor or connector review needs in one document.

    Encryption

    • In transit: All data is transmitted over TLS (HTTPS). Connections between services within our infrastructure are also encrypted.
    • At rest: Data stored in our database (Supabase) is encrypted at rest. Sensitive credentials such as OAuth tokens are stored in Supabase Vault with additional encryption.

    Authentication & Authorization

    • User authentication: Cogny uses Supabase Auth with support for email/password and social login providers.
    • OAuth integrations: Third-party platform connections (Google Ads, Meta Ads, Shopify, etc.) use OAuth 2.0 with HMAC signature verification on callbacks and webhooks.
    • Row-Level Security: All database tables are protected by Supabase Row-Level Security (RLS) policies, ensuring users can only access data belonging to their own warehouses.

    Token & Credential Storage

    OAuth access tokens and refresh tokens are stored in Supabase Vault, an encrypted secrets manager built into our database layer. Tokens are never written to application logs, client-side storage, or source code.

    Data Isolation

    Each customer workspace ("warehouse") is logically isolated. RLS policies enforce that API requests, database queries, and AI agent operations are scoped to the authenticated user's warehouse. Cross-tenant data access is not possible at the database level.

    GDPR Compliance

    • Mandatory GDPR webhook endpoints are implemented for all third-party integrations that require them (e.g., Shopify customer data requests, customer data erasure, and shop data erasure).
    • When a user disconnects a third-party integration, associated OAuth credentials are automatically deleted from our vault.
    • Users can request account deletion and warehouse deletion, both of which follow a scheduled process with confirmation and full data removal.
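    The HMAC signature verification mentioned under OAuth integrations, and the mandatory GDPR webhook endpoints listed above, both depend on the same check: the receiver recomputes the HMAC over the raw request body with the shared secret and compares it to the header value in constant time before acting on the payload. The following is an added example written for this page, not Cogny's own code; it assumes a Shopify-style scheme (base64-encoded HMAC-SHA256 over the raw body, sent in the X-Shopify-Hmac-SHA256 header, with the topic in X-Shopify-Topic), and the secret and sample body are constructed.

```python
"""Constant-time HMAC verification for signed webhooks (added example).

Assumes a Shopify-style signature: HMAC-SHA256 over the raw request body,
keyed with the app's client secret, base64-encoded and carried in the
X-Shopify-Hmac-SHA256 header. The secret and payload below are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Compute the base64 HMAC-SHA256 digest a sender attaches to a webhook."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value matches the digest of raw_body.

    The digest is computed over the raw bytes, before any JSON parsing,
    because re-serialised JSON need not match the sender's bytes. The
    comparison uses hmac.compare_digest so that response timing does not
    reveal how many leading characters of a guessed signature were right.
    """
    if not header_value:
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, header_value)


def handle_gdpr_webhook(secret: bytes, raw_body: bytes, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Dispatch a GDPR compliance webhook only after its signature verifies.

    Topic names are Shopify's documented ones; the handlers are placeholders
    that return the action a real endpoint would enqueue (export or erase).
    """
    if not verify_webhook(secret, raw_body, headers.get("X-Shopify-Hmac-SHA256")):
        # Reject before parsing: an unsigned or forged body is never trusted.
        return 401, {"error": "invalid signature"}
    payload = json.loads(raw_body)
    topic = headers.get("X-Shopify-Topic", "")
    if topic == "customers/data_request":
        return 200, {"action": "export", "shop": payload["shop_domain"]}
    if topic == "customers/redact":
        return 200, {"action": "erase_customer", "shop": payload["shop_domain"]}
    if topic == "shop/redact":
        return 200, {"action": "erase_shop", "shop": payload["shop_domain"]}
    return 404, {"error": "unknown topic"}


# Constructed sample values for running the example offline.
SECRET = b"example-client-secret-not-real"
SAMPLE_BODY = json.dumps({"shop_id": 1, "shop_domain": "example.myshopify.com"}).encode()

if __name__ == "__main__":
    good = {"X-Shopify-Hmac-SHA256": sign_body(SECRET, SAMPLE_BODY),
            "X-Shopify-Topic": "shop/redact"}
    print(handle_gdpr_webhook(SECRET, SAMPLE_BODY, good))
    tampered = SAMPLE_BODY.replace(b"example", b"victim")
    print(handle_gdpr_webhook(SECRET, tampered, good))
```

Two details matter in practice: the verification must read the raw body (many web frameworks parse JSON eagerly, so the handler has to be configured to retain the original bytes), and the comparison must be constant-time, which `hmac.compare_digest` provides where a plain `==` does not.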

    Infrastructure

    • Compute: Application workloads run on Google Kubernetes Engine (GKE) in the europe-west1 region.
    • Database: Supabase (PostgreSQL) with automated backups and point-in-time recovery.
    • CDN & DDoS protection: Cloudflare provides edge caching, DDoS mitigation, and WAF (Web Application Firewall) in front of all public endpoints.
    • CI/CD: Automated builds and deployments via Google Cloud Build with container image scanning.

    Sub-processors

    Cogny engages the following sub-processors to deliver the service. This list is kept up to date here; the contractual terms governing sub-processors are set out in our Data Processing Agreement.

    Sub-processor | Purpose | Location / transfer basis
    Google Cloud (Google LLC / Google Cloud EMEA Ltd.) | Compute (GKE), BigQuery, object storage, build & deploy, Google-integration OAuth. | europe-west1 (Belgium)
    Supabase, Inc. | Managed PostgreSQL, authentication, encrypted secret vault, point-in-time recovery. | AWS eu-north-1 (Stockholm)
    Cloudflare, Inc. | Edge CDN, WAF, DDoS mitigation, TLS termination. No personal data persisted at the edge. | Global edge
    Anthropic PBC | LLM inference (Claude) for AI reports and chat. Does not train on customer content submitted via the API. | Global routing
    OpenAI, L.L.C. | LLM inference (GPT models) for AI reports and chat. Does not train on customer content submitted via the API. | US + SCCs
    Berget AI | EU-hosted AI model inference (GDPR-compliant EU AI infrastructure). | EU (Sweden)
    Brave Software, Inc. (Brave Search) | Web search, news, and rank-check data for AI research tools. | US + SCCs
    Stripe Payments Europe, Ltd. | Subscription billing and payment processing. | EU + SCCs
    Resend, Inc. | Transactional email (report and auth emails). | SCCs
    Slack Technologies, LLC | Internal alerting and optional customer notifications. | SCCs
    ElevenLabs Inc. | Optional text-to-speech; only invoked when audio features are used. | SCCs

    Monitoring & Incident Response

    Application errors, tool execution failures, and security-relevant events are monitored in real time with alerts sent to our engineering team via Slack. We review and respond to security incidents promptly.

    Contact

    If you have questions about our security practices or want to report a security concern, contact us at privacy@cogny.com.

    Cogny AB, Peter Myndes Backe 16, 118 46 Stockholm, Sweden