Security & Compliance

The protection of your data is our #1 priority. Cogito is committed to delivering a secure platform that not only meets but exceeds the complex security and compliance needs of today’s largest enterprises.

Secure Architecture

Cogito follows a defense-in-depth methodology by building multiple layers of security into the application and infrastructure. We employ several controls including, but not limited to, strong access control using the least access principle; encryption in transmission and at rest; IP filtering; vulnerability management; and system hardening.

Application Security

Cogito takes steps to securely develop and test against security threats to ensure the safety of our customer data at multiple stages of the development process. We use static (SAST) and dynamic (DAST) code scanning tools to proactively find and remediate vulnerabilities and follow the Open Web Application Security Project (OWASP) guidelines. In addition, Cogito employs third-party security experts to perform extensive penetration tests on our application.

Security Program

We have an Information Security Management System in place at Cogito which is designed to continually assess and deal with risk. We implement administrative, technical and physical safeguards to ensure the confidentiality, availability, and integrity of our customer’s data.

Training and Awareness

Cogito has a comprehensive privacy and security training program in place for all employees and contractors that may come in contact with customer data to align with best practices and multiple industry requirements, such as HIPAA. Upon hire, all employees must pass the training and sign and acknowledge a number of policies including our Code of Ethics and Acceptable Use policies prior to being granted any access.

Compliance

Cogito implements the necessary administrative, technical, and physical controls to not only protect your data based on risk, but also to comply with relevant industry specific requirements. We have undergone certification for PCI-DSS and HITRUST by a qualified third-party auditing firm. We include all of our application infrastructure and components into the scope of our compliance activities.

HITRUST

The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards and is often used to demonstrate compliance with HIPAA.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard and set of comprehensive requirements for organizations that handle branded credit cards from the major card schemes. It was developed to support the broad adoption of consistent data security measures on a global basis. Cogito maintains annual certification by a third-party QSA.

Privacy Shield

Cogito has certified compliance with the U.S.-EU and Swiss-U.S. Privacy Shield Frameworks set forth by the U.S. Department of Commerce for the cross-border transfer or European and Swiss personal data. To view Cogito’s Privacy Shield Framework certification, click here. For more information about the EU-U.S. and Swiss-U.S. Privacy Shield Framework, visit www.privacyshield.gov.

GDPR

Effective as of May 25, 2018, the General Data Protection Regulation (“GDPR”) is a new European privacy regulation that aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Cogito has implemented appropriate technical and security processes to ensure we are compliant with GDPR obligations. Our privacy team is available to ensure we support our clients with their GDPR compliance requirements. For more information, please view our Privacy Statement or email privacy@cogitocorp.com.