Security

Security is one of our top priorities and this page outlines best practices and means of getting in touch with us securely.

SSL and TLS

All Cognito endpoints require TLS. TLS is enforced using HSTS. SSL is not allowed on any endpoint and TLS 1.2 is preferred. Internal Cognito requests all require TLS between application components and data providers.

Data Encryption

Cognito encrypts user Social Security Numbers using “envelope encryption.” For example, when we encrypt an SSN we generate a 32 byte random key, a 16 byte initialization vector, and an “authenticity header” which is derived from the resource type and id (for example, if this SSN had a primary key of 42, the header would be “ssn-42”).

The SSN plaintext is encrypted with AES 256 in GCM mode, an AEAD cipher, using the random key and initialization vector, with the authenticity header supplied as the associated data so that it is authenticated together with the ciphertext. The random key is then encrypted using a 4096 bit RSA public key. The encrypted key, initialization vector, and ciphertext are persisted to the database.
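The scheme above, written out as an added example (this is not Cognito's code; it follows the description on this page only). It assumes RSA-OAEP with SHA-256 for wrapping the data key, since the page names only a 4096 bit RSA public key, and it keeps the page's 16 byte IV rather than GCM's default 12 byte nonce. The SSN value and the row id 42 are constructed sample data. The last step shows the point of the authenticity header: the same ciphertext presented under a different row id fails to authenticate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope holds the three values the page says are persisted: the RSA-wrapped
// data key, the initialization vector and the AES-GCM ciphertext (which carries
// the 16-byte authentication tag at its end). The authenticity header is not
// stored; it is re-derived from the resource type and id at decryption time.
type Envelope struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// AuthHeader derives the associated data from the resource type and primary
// key, e.g. ("ssn", 42) -> "ssn-42". Binding the header to the row means a
// ciphertext copied onto another row fails authentication.
func AuthHeader(resourceType string, id int64) []byte {
	return []byte(fmt.Sprintf("%s-%d", resourceType, id))
}

// newGCM builds the AEAD for a 32-byte key. The page specifies a 16-byte IV;
// GCM's default nonce size is 12 bytes, so the nonce size is set explicitly.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, 16)
}

// Encrypt seals plaintext under a fresh 32-byte data key with the header as
// associated data, then wraps the data key under the RSA public key.
func Encrypt(pub *rsa.PublicKey, header, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 data key, unique per SSN
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	iv := make([]byte, 16)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, iv, plaintext, header)
	// RSA-OAEP with SHA-256 is an assumption made for this example; the page
	// only says the key is encrypted with a 4096-bit RSA public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ciphertext}, nil
}

// Decrypt unwraps the data key with the RSA private key and opens the
// ciphertext. A wrong header, a wrong IV or a modified ciphertext makes Open
// return an authentication error instead of plaintext.
func Decrypt(priv *rsa.PrivateKey, header []byte, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.IV, env.Ciphertext, header)
}

func main() {
	// Key-encryption key; in a deployment only the public half needs to be
	// present where data is written.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		log.Fatal(err)
	}
	ssn := []byte("123-45-6789") // constructed sample value, not a real SSN
	env, err := Encrypt(&priv.PublicKey, AuthHeader("ssn", 42), ssn)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("wrapped key %d bytes, iv %d bytes, ciphertext %d bytes\n",
		len(env.WrappedKey), len(env.IV), len(env.Ciphertext))

	if pt, err := Decrypt(priv, AuthHeader("ssn", 42), env); err == nil {
		fmt.Println("row 42:", string(pt))
	}
	// The same envelope presented as row 43 fails authentication.
	if _, err := Decrypt(priv, AuthHeader("ssn", 43), env); err != nil {
		fmt.Println("row 43:", err)
	}
}
```

Because the data key is random per record and only the RSA private key can unwrap it, a database dump alone yields nothing readable; rotating the RSA key means re-wrapping the small data keys rather than re-encrypting every SSN.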

Disclosure

We accept any and all security disclosures through security@cognitohq.com. If you would like to encrypt your message, we provide a PGP key below with which to do that. Please contact us if you would like to be invited to our HackerOne bug bounty program.

Server Infrastructure

Our servers are hosted with Heroku and AWS using state-of-the-art at-rest encryption and staff security procedures. Sensitive customer data is encrypted at rest within our databases.

Cognito’s live data servers are contained in a virtual private cloud (VPC). Applications on the Heroku platform run within their own isolated environment and cannot interact with other applications or areas of the system to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system while host-based firewalls restrict applications from establishing local network connections.

Backups

Cognito's data is automatically backed up daily to secure, access-controlled, and redundant storage.

Vulnerability Management

We run automated patch alerting for our external dependencies so that we are notified of potential vulnerabilities in them and can stay up to date.

Employee Training

All Cognito employees are required to receive an extensive background check, regardless of whether they have access to sensitive data. Employees are required to partake in quarterly security training to ensure that best practices continue to be followed.

PGP Communication

We use PGP for secure email communications. Below you can find our public key along with additional information allowing you to verify messages from us as well as encrypt messages for us.

Key type: RSA
Key length: 4,096
Fingerprint: F6FCD28D156F39D7CD43F7E84FCDB8656AE77C43
Email: security@cognitohq.com

Download our public key (3 KB ASC file): security@cognitohq.com