A governed AI workspace designed for the security review.
Cogniplane is a governed AI workspace for enterprise teams, and the product only works if the security model holds up under real scrutiny. A CISO, an internal auditor, an enterprise procurement team. They all eventually open the architecture and look for the seams. This page is what they find when they do.
Four things we don't compromise on
Plenty of AI security stories are written after the fact, once a feature has shipped and someone notices. The four below are constraints we put in front of the product, before it was useful for anything. When a new feature has gotten in the way of one of them, we've cut the feature.
The model never sees your credentials
Every tool call goes through a per-turn execution context that carries scoped credentials inside the platform. The model gets tool inputs and outputs. It does not get the tokens, headers, or secrets used to authenticate the call.
Tenants are isolated by architecture
PostgreSQL row-level security scopes every query to the requesting tenant. Each user session runs inside its own sandboxed runtime process. Cross-tenant and cross-session reads are blocked at the database and at the runtime, so the application code does not have to be the thing keeping you safe.
Approvals are enforced in the runtime
When the tenant policy requires approval for a class of action, the runtime pauses and waits for a real decision before the tool executes. The policy lives in the platform, not in the prompt, so a user cannot talk the agent past it.
The audit trail holds up under review
Sessions, tool calls, approval decisions, and PII findings are all recorded. Tool outputs go through secret redaction before anything is written to storage, so when a compliance team pulls the trail later, it isn't full of leaked tokens or keys.
Where each control lives
If you are running a formal review, this is the map. Each row names a control, what it does, and where in the platform it lives.
| Control | Implementation |
|---|---|
| Authentication | WorkOS SSO — SAML, OIDC, Google Workspace, Microsoft Entra. Short-lived JWT access tokens (15 min), encrypted httpOnly refresh cookies, Redis-backed JTI revocation. |
| Authorization | Role-based access control (owner, admin, member) at the API layer. Tenant policy enforces tool allowlists, approval policy, and runtime provider inside the runtime execution layer. |
| Data isolation | PostgreSQL row-level security on every query. Per-session sandboxed runtimes prevent cross-session state access. The application connects through a non-superuser role that is itself subject to RLS. |
| Secret handling | Credentials carried in short-lived per-turn execution contexts, never exposed to the model. Tool results pass through automated secret redaction before audit persistence. Tenant API keys are write-only after save. |
| Approval enforcement | Approval policies set by admins, enforced inside the runtime. Pending approvals carry a wall-clock TTL; expiries unblock the runtime, mark the audit row, and notify the user. |
| PII protection | Chat prompts, uploaded files, and Microsoft imports are scanned before the agent sees them. Tenants choose detect, block, or transform. Findings persisted per message and per artifact for audit. |
| Audit trail | Every session, tool call, approval decision, and PII finding logged with a replayable history. Per-tenant session review surface in the admin UI. SIEM export on the roadmap. |
| Encryption in transit | HTTPS everywhere. The Cloudflare edge terminates TLS for the public site and proxies the backend; backend ALB serves TLS for direct API traffic. Internal hops between services run over the AWS VPC. |
| Encryption at rest | PostgreSQL, Redis, and S3 storage are all encrypted at rest with AWS-managed keys. Sensitive tenant fields like API keys and integration credentials get a second layer of encryption at the application level, using a separate data-encryption secret. A database read on its own never returns the cleartext value. |
| Retention and backup | PostgreSQL runs with point-in-time recovery and automated daily snapshots. Artifact storage versioning is on. Tenant data is retained for the contract term and deleted on offboarding within the timeframe stated in the agreement. |
| Hardening posture | Outbound HTTP requests pass an SSRF deny list (private and reserved ranges). Upload content is verified against the declared MIME type via magic bytes. Download filenames encoded per RFC 5987. Production refuses to start without a non-default JWT signing secret and a separate data-encryption secret. Every deploy runs a high-severity dependency audit and fails on regressions. |
How the platform is hosted
The frontend runs on Cloudflare's edge. The backend, PostgreSQL, Redis, and S3-compatible artifact storage run colocated in a single AWS region behind an Application Load Balancer. Per-session agent runtimes execute in isolated sandboxes (E2B), so untrusted model output cannot reach the host.
If you need stricter data residency, single-tenant isolation, or a specific region, that's a conversation rather than a checkbox. It isn't part of the standard plan, but it's something we've worked through with other teams. Get in touch and we'll tell you what's reasonable.
Need to take this through a formal review?
Email us with what your security team needs. Architecture diagram, data-flow, sub-processor list, SIG or CAIQ responses, a custom questionnaire. We'll send what we already have, and we'll tell you which pieces we don't yet have rather than dressing it up.