Security and compliance

Trust centre

CognoMedia is built on a foundation of compliance, security, and operational reliability. We maintain rigorous standards across data protection, infrastructure security, and platform availability so you can integrate with confidence and meet your own regulatory obligations.

Compliance

We operate within established regulatory frameworks and provide the documentation, agreements, and tooling our customers need to demonstrate their own compliance.

GDPR compliance
  • Full compliance with the EU General Data Protection Regulation, including lawful basis documentation for all processing activities
  • Data subject rights automation for access, rectification, erasure, and portability requests with verified response within 30 days
  • Privacy-by-design architecture with data minimisation, purpose limitation, and storage limitation built into every product feature
Data processing agreements
  • Standard contractual clauses and bespoke DPAs available for all customers, covering sub-processor lists, audit rights, and breach notification obligations
  • Transparent sub-processor registry with advance notification of changes and the right to object
  • Annual review cycle ensuring agreements remain aligned with evolving regulatory requirements
Cross-border transfers
  • European Commission standard contractual clauses for all transfers of personal data outside the European Economic Area to countries not covered by an adequacy decision
  • Transfer impact assessments conducted for each destination country, evaluating legal frameworks and supplementary safeguards
  • Data residency options allowing customers to specify storage within the EU, UK, or other supported regions
Regulatory reporting
  • Automated audit trail generation for all data access, processing, and deletion events with tamper-evident logging
  • Pre-built regulatory report templates for GDPR Article 30 records of processing, DPIA summaries, and breach notifications
  • On-demand compliance dashboards showing real-time status of data processing activities and consent records
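What "tamper-evident" means for an audit trail is that an after-the-fact edit, deletion or reordering of records is detectable by anyone who holds the log. The following is an added, illustrative implementation (it is not CognoMedia's code, and the page does not say how their logging is built): each record is hash-chained to its predecessor, and an HMAC over the chain head, with a key assumed to live outside the log store, catches truncation of the tail, which a bare hash chain cannot. Event field names and the seal key are constructed for the example.

```python
"""Hash-chained, tamper-evident audit log (illustrative, not CognoMedia's code).

Each record stores the SHA-256 of the previous record's hash plus its own
canonical JSON payload, so changing, deleting or reordering any earlier
record breaks every hash after it. An HMAC over the chain head with a key
held outside the log store (an assumption here) additionally detects a
silent truncation of the most recent records.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the very first record


def _canonical(event: dict) -> bytes:
    # Sorted keys, no whitespace: the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict) -> dict:
    """Append an audit event, linking it to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    record["hash"] = hashlib.sha256(prev_hash.encode() + _canonical(event)).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        expected = hashlib.sha256(prev_hash.encode() + _canonical(record["event"])).hexdigest()
        if record["seq"] != i or record["prev_hash"] != prev_hash or record["hash"] != expected:
            return False, i
        prev_hash = record["hash"]
    return True, None


def seal_head(chain: list, key: bytes) -> str:
    """HMAC the chain head; the seal is stored separately from the log (assumption)."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_seal(chain: list, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_head(chain, key), seal)


def demo():
    # Constructed sample events; field names are assumptions, not a real schema.
    events = [
        {"ts": "2024-05-01T09:00:00Z", "actor": "svc-export", "action": "read", "subject": "user:1042"},
        {"ts": "2024-05-01T09:05:00Z", "actor": "dpo@example.com", "action": "erase", "subject": "user:1042"},
        {"ts": "2024-05-01T09:06:00Z", "actor": "svc-backup", "action": "delete", "subject": "backup:2024-04"},
    ]
    chain = []
    for ev in events:
        append_event(chain, ev)
    key = b"seal-key-held-outside-log-store"  # assumption: a real key sits in a KMS/HSM
    seal = seal_head(chain, key)
    intact = verify_chain(chain)[0] and verify_seal(chain, key, seal)

    # Someone rewrites the erasure record in place to hide that it happened:
    # the chain check fails at that record.
    tampered = json.loads(json.dumps(chain))
    tampered[1]["event"]["action"] = "read"
    ok, bad_seq = verify_chain(tampered)

    # Dropping the newest record leaves a self-consistent chain, so only the
    # externally held seal reveals the truncation.
    truncated = chain[:-1]
    trunc_chain_ok = verify_chain(truncated)[0]
    trunc_seal_ok = verify_seal(truncated, key, seal)
    return intact, ok, bad_seq, trunc_chain_ok, trunc_seal_ok


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one to test when evaluating any vendor's "tamper-evident" claim: a hash chain alone proves nothing about records that were simply never handed over, so ask where the chain head (or a periodic seal over it) is anchored outside the log store.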

Security

Our security architecture protects data at every layer, from encryption and access controls to continuous testing and incident readiness.

Encryption
  • AES-256 encryption at rest for all stored data, including databases, file storage, and backups
  • TLS 1.3 encryption in transit for all API communications and internal service traffic, and for webhook deliveries to customer HTTPS endpoints
  • Customer-managed encryption key support (BYOK) for enterprise accounts requiring independent key custody
Access controls
  • Role-based access control with granular permissions across organisations, teams, and individual resources
  • Multi-factor authentication enforced for all user accounts using TOTP or hardware security keys, with single sign-on via SAML 2.0 for customers who enforce MFA at their own identity provider
  • Principle of least privilege applied to all internal systems, with just-in-time access for production environments
Penetration testing
  • Annual third-party penetration tests conducted by CREST-accredited security firms covering infrastructure, APIs, and web applications
  • Continuous automated vulnerability scanning across all production services with prioritised remediation SLAs
  • Responsible disclosure programme with defined scope and safe harbour for external security researchers
Incident response
  • Documented incident response plan with defined severity levels, escalation paths, and communication protocols
  • Breach notification within 72 hours of becoming aware of an incident: to affected customers, so they can meet their own GDPR Article 33 obligations as controllers, and to the supervisory authority where CognoMedia acts as controller
  • Post-incident review process with root cause analysis and remediation tracking published to affected parties

Reliability

Our infrastructure is designed for continuous availability with redundancy, automated failover, and transparent monitoring across every layer of the stack.

Uptime SLAs
  • 99.95% uptime commitment for all production API endpoints, backed by contractual service level agreements
  • Financial credit remedies for any month where availability falls below the committed threshold
  • Transparent uptime reporting via our public status page with historical availability data
Multi-region redundancy
  • Active-active deployment across multiple cloud regions with automatic failover and geographic load balancing
  • Synchronous cross-region replication of writes so that no committed data is lost when failing over during a regional outage
  • Edge caching and CDN integration for low-latency content delivery across global points of presence
Disaster recovery
  • Recovery time objective (RTO) of under 4 hours and recovery point objective (RPO) of under 1 hour for all critical services when restoring from backup (failover between synchronously replicated regions is designed for no loss of committed writes)
  • Automated daily backups with geo-redundant storage and quarterly restore testing to verify recoverability
  • Documented business continuity plan covering infrastructure, personnel, and communication procedures
Real-time monitoring
  • 24/7 infrastructure monitoring with automated alerting on latency anomalies, error rate spikes, and resource utilisation thresholds
  • Distributed tracing across all microservices for rapid root cause identification and performance analysis
  • Public status page with real-time health indicators, incident updates, and scheduled maintenance notifications

Download trust pack

Request our comprehensive trust pack containing the security whitepaper, SOC 2 Type II report summary, data processing agreement template, sub-processor list, and penetration test executive summary. Available to prospective and current customers under NDA.

Ready to build with CognoMedia

Share your workflow and constraints, and we will propose a practical path from pilot to production.