Security

    Last Updated: March 2026

    At Cogny, protecting your data is fundamental to everything we build. This page describes the security measures we implement across our platform to keep your information safe.

    Encryption

    • In transit: All data is transmitted over TLS (HTTPS). Connections between services within our infrastructure are also encrypted.
    • At rest: Data stored in our database (Supabase) is encrypted at rest. Sensitive credentials such as OAuth tokens are stored in Supabase Vault with additional encryption.

    Authentication & Authorization

    • User authentication: Cogny uses Supabase Auth with support for email/password and social login providers.
    • OAuth integrations: Third-party platform connections (Google Ads, Meta Ads, Shopify, etc.) use OAuth 2.0 with HMAC signature verification on callbacks and webhooks.
    • Row-Level Security: All database tables are protected by Supabase Row-Level Security (RLS) policies, ensuring users can only access data belonging to their own warehouses.

    Token & Credential Storage

    OAuth access tokens and refresh tokens are stored in Supabase Vault, an encrypted secrets manager built into our database layer. Tokens are never written to application logs, client-side storage, or source code.

    Data Isolation

    Each customer workspace ("warehouse") is logically isolated. RLS policies enforce that API requests, database queries, and AI agent operations are scoped to the authenticated user's warehouse. Cross-tenant data access is not possible at the database level.

    GDPR Compliance

    • Mandatory GDPR webhook endpoints are implemented for all third-party integrations that require them (e.g., Shopify customer data requests, customer data erasure, and shop data erasure).
    • When a user disconnects a third-party integration or uninstalls an app, associated OAuth credentials are automatically deleted from our vault.
    • Users can request account deletion and warehouse deletion, both of which follow a scheduled process with confirmation and full data removal.

    Infrastructure

    • Compute: Application workloads run on Google Kubernetes Engine (GKE) in the europe-west1 region.
    • Database: Supabase (PostgreSQL) with automated backups and point-in-time recovery.
    • CDN & DDoS protection: Cloudflare provides edge caching, DDoS mitigation, and WAF (Web Application Firewall) in front of all public endpoints.
    • CI/CD: Automated builds and deployments via Google Cloud Build with container image scanning.

    Monitoring & Incident Response

    Application errors, tool execution failures, and security-relevant events are monitored in real time with alerts sent to our engineering team via Slack. We review and respond to security incidents promptly.

    Contact

    If you have questions about our security practices or want to report a security concern, contact us at privacy@cogny.com.

    Cogny AB, Peter Myndes Backe 16, 118 46 Stockholm, Sweden