Security
Your data is yours. We act like it.
COGNITEX Bridge is built on a security-first stack — every JobNimbus credential lives encrypted in a Postgres vault, every query is RLS-scoped to your tenant, every AI invocation is audited.
Tenant isolation via RLS
Every table that holds customer data has Row-Level Security policies. A query running for tenant A literally cannot return rows from tenant B — Postgres rejects them at the planner level, before the network hop.
Encrypted credential vault
Your JobNimbus API key is encrypted with pgcrypto using AES-256 before it touches a row. The master key lives only in environment variables on the server — never in the database, never in logs, never in the AI prompt.
Bearer-token MCP access
External AI clients (Claude Desktop, custom agents) connect through bearer-token-protected MCP endpoints. Tokens are argon2-hashed at rest. Revocation is one SQL row.
Forensic audit log
Every AI tool invocation is logged with: tool name, redacted args, tokens in/out, latency, request id, result status. Filterable per tenant, per user, per day. PII never appears in the audit.
Practical guarantees
- Two separate Supabase Cloud projects: one for development, one for production. Customer data never crosses environments.
- Migrations are forward-only and reach production only via GitHub Actions with manual approval. No one — not even the owner — applies SQL to prod from a laptop.
- Webhooks from JobNimbus and PayPal are signature-verified before any side effect. Replays are deduplicated by event id.
- PII (email, phone) is redacted from AI tool args before logging. The audit trail is forensic-grade without leaking customer contact info.
- Backups are continuous via Supabase point-in-time recovery (7-day window on dev, 30-day window on prod plans).
- TLS 1.2+ on every endpoint. HSTS on the production domain and on cognitex-bridge-staging.fly.dev.
Compliance roadmap
We build to the practices below today, with formal certification scheduled as the customer base grows. Status as of this page:
| Standard | Status | Target |
|---|---|---|
| GDPR · CCPA | Practices in place | Q4 2026 |
| SOC 2 Type I | Controls drafted | Q2 2027 |
| SOC 2 Type II | — | Q4 2027 |
| HIPAA (BAA) | On request (Enterprise) | On contract |
Disclosure & contact
If you find a security issue, email security@cognitex.app. We acknowledge within 24 hours and patch critical issues within 72 hours.