Security is one of our top priorities and this page outlines best practices and means of getting in touch with us securely.
SSL and TLS
All Cognito endpoints require TLS. TLS is enforced using HSTS. SSL is not allowed on any endpoint and TLS 1.2 is preferred. Internal Cognito requests all require TLS between application components and data providers.
Cognito encrypts user Social Security Numbers using “envelope encryption.” For example, when we encrypt an SSN we generate a 32-byte random key, a 16-byte initialization vector, and an “authenticity header” derived from the resource type and id (for example, if the SSN has a primary key of 42, the header is “ssn-42”).
The SSN plaintext is encrypted with the random key and initialization vector using AES-256 in GCM mode, an AEAD mode, with the authenticity header bound as the additional authenticated data. The random key is in turn encrypted using a 4096-bit RSA public key. The encrypted key, initialization vector, and ciphertext are persisted to the database.
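The scheme described above, written out as an added example in Ruby with the standard openssl library; this is illustrative code, not Cognito's own implementation. It assumes RSA-OAEP for wrapping the data key and stores the GCM tag appended to the ciphertext, neither of which the page specifies.

```ruby
require 'openssl'

# Derive the "authenticity header" from resource type and id, e.g. "ssn-42",
# and use it as the AEAD additional data so the ciphertext is bound to its row.
def auth_header(resource, id)
  "#{resource}-#{id}"
end

# Envelope-encrypt one value: fresh 32-byte data key and 16-byte IV per value,
# AES-256-GCM over the plaintext with the header as AAD, then the data key
# wrapped under the RSA public key (OAEP is an assumption). Returns what would be persisted.
def envelope_encrypt(rsa_pub, plaintext, header)
  key = OpenSSL::Random.random_bytes(32)
  iv  = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  cipher.iv_len = 16 # GCM defaults to a 12-byte nonce; the page uses 16 bytes
  cipher.iv = iv
  cipher.auth_data = header
  ciphertext = cipher.update(plaintext) + cipher.final
  # The 16-byte GCM tag is appended so it travels with the ciphertext column (assumed layout).
  wrapped_key = rsa_pub.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  { wrapped_key: wrapped_key, iv: iv, ciphertext: ciphertext + cipher.auth_tag }
end

# Unwrap the data key with the RSA private key and open the ciphertext.
# Returns nil when GCM authentication fails: tampered ciphertext or a header
# for a different resource or id, so an SSN cannot be moved between records.
def envelope_decrypt(rsa_priv, record, header)
  key = rsa_priv.private_decrypt(record[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv_len = 16
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:ciphertext][-16..]
  cipher.auth_data = header
  cipher.update(record[:ciphertext][0...-16]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Decrypting the same record under the header for id 43 fails authentication rather than returning another record's SSN, which is the property the header exists to provide.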
We accept any and all security disclosures through firstname.lastname@example.org. If you would like to encrypt your message, we provide a PGP key below with which to do that. Please contact us if you would like to be invited to our HackerOne bug bounty program.
Cognito’s live data servers are contained in a virtual private cloud (VPC). Applications on the Heroku platform run within their own isolated environment and cannot interact with other applications or areas of the system to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system while host-based firewalls restrict applications from establishing local network connections.
Cognito is automatically backed up daily on secure, access-controlled, and redundant storage.
We run automated patch alerting for our external dependencies so that we stay up to date on vulnerabilities disclosed in them.
All Cognito employees are required to receive an extensive background check regardless of sensitive data access. Employees are required to partake in quarterly security training to ensure that continued best practices are followed.
We use PGP for secure email communications. Below you can find our public key along with additional information allowing you to verify messages from us as well as encrypt messages for us.