

Security is one of our top priorities and this page outlines best practices and means of getting in touch with us securely.


All Cognito endpoints require TLS. TLS is enforced using HSTS. SSL is not allowed on any endpoint and TLS 1.2 is preferred.


We receive occasional white-box security audits. If you would like to see a copy of our latest report, please contact support.


We accept any and all security disclosures through security@cognitohq.com. If you would like to encrypt your message, we provide a PGP key below with which to do that. We offer a bug bounty program through Cobalt.

Server Infrastructure

Our servers are hosted with Heroku and AWS using state-of-the-art at-rest encryption and staff security procedures.

PGP Communication

We use PGP for secure email communications. Below you can find our public key along with additional information allowing you to verify messages from us as well as encrypt messages for us.

Key type: RSA
Key length: 4,096
Fingerprint: DC61 8E96 0E24 258A 6583 4274 83D9 7AE0 CEE2 96AD
Email: security@cognitohq.com

Download our public key (3KB ASC file, security@cognitohq.com)