Security at Cosign AI

Protecting sensitive clinical trial data is foundational to everything we build. We employ enterprise-grade security practices, operate in compliance with HIPAA, and are actively pursuing a SOC 2 attestation.

HIPAA Compliant

SOC 2 (In Progress)

Pen Tested Annually

BAA Available

Organizational Security

A culture built around security

Our security program is woven into how our team operates every day.

Information Security Program

We maintain a formal Information Security Program that is documented and communicated across the organization. The program is aligned with the AICPA Trust Services Criteria on which SOC 2 audits are based, and we are actively working toward a SOC 2 attestation.

Third-Party Audits

Our organization undergoes independent third-party assessments to test our security and compliance controls.

Penetration Testing

We commission an independent third-party penetration test of our services at least annually to identify and remediate weaknesses before they can be exploited.

Security Awareness Training

All team members complete security awareness training covering industry-standard practices, including phishing defense, password management, and the handling of sensitive data.

Roles & Responsibilities

Security roles and responsibilities are clearly defined and documented. All team members are required to review and acknowledge our security policies.

Confidentiality & Background Checks

All team members sign a confidentiality agreement before their first day. We conduct background checks on all new hires in accordance with local laws.

Cloud & Data Security

Secure infrastructure, end to end

Our platform runs on enterprise-grade cloud infrastructure with multiple layers of protection.

Cloud Infrastructure

Our compute and application workloads run on Google Cloud Platform (GCP), which maintains its own independent security certifications. AI inference is provided by Microsoft Azure, and voice processing by Deepgram; both are subprocessors subject to the review described under Vendor Risk Management below.

Data Hosting

All patient and trial data is stored in Firebase (Google Cloud Platform) databases located in the United States. Please refer to GCP's security documentation for details on their infrastructure controls.

Encryption at Rest

All databases are encrypted at rest; Google Cloud encrypts Firebase data at rest by default.

Encryption in Transit

All data in transit is encrypted with TLS. Plaintext (non-TLS) connections to our services are not permitted.

Vulnerability Scanning & Monitoring

We perform ongoing vulnerability scanning and actively monitor cloud services for threats, anomalies, and unauthorized access attempts.

Business Continuity & Disaster Recovery

We use GCP's managed backup services to reduce the risk of data loss in the event of infrastructure failure, and monitoring services to alert the team to service disruptions.

Access Security

Access only for those who need it

We enforce strict authentication and authorization controls across all systems.

Permissions & Authentication

Access to cloud infrastructure and sensitive tools is limited to authorized employees who require it for their role. Where available, we enforce Single Sign-On (SSO), two-factor authentication (2FA), and strong password policies.

Least Privilege Access

We follow the principle of least privilege with respect to identity and access management. Team members have access only to the resources required for their specific role.

Quarterly Access Reviews

We perform quarterly reviews of all team members with access to sensitive systems to ensure permissions remain appropriate and up to date.

Password Requirements

All team members must adhere to minimum password complexity requirements. Company-issued devices use a password manager to maintain strong, unique credentials across all services.

Vendor & Risk Management

Rigor extends to every partner

We apply the same security standards to our vendors and third-party partners.

Annual Risk Assessments

We conduct at least annual risk assessments to identify potential threats to our systems and data, including considerations for fraud and insider risk.

Vendor Risk Management

Vendor risk is assessed and appropriate security reviews are completed before authorizing any new third-party vendor with access to our systems or data.

Incident Response

We maintain a documented incident response process that includes escalation procedures, rapid mitigation, and timely notification of affected parties, in line with our HIPAA and BAA obligations.

Contact

Questions or concerns?

If you have questions, comments, or wish to report a potential security vulnerability, our security team is here to help.

Contact Our Security Team