How Your Data Flows Through Cognistase

We treat your child's developmental history as classified clinical data. Here's exactly how it moves through our system.

Data input

You enter data through the Cognistase app. All input is validated and cleaned before processing. We accept document uploads (PDF, images of reports), manual questionnaire responses, and structured assessment data from professionals. Uploaded documents are encrypted immediately and stored in an isolated secure vault.

De-identification

Before any data reaches the AI, personal identifying information is removed. Names, dates of birth, addresses, and other identifiers are stripped from the data the AI works with. The AI processes clinical data points, not identifiable people. This isn't a toggle you can switch off. It's built into the processing pipeline.

AI processing

All AI processing happens on EU servers that we control. AI models run on our own infrastructure, not through external third-party cloud APIs. Your child's data is never sent to a third-party AI service. The AI processes de-identified clinical data and produces structured outputs: extracted test scores, document drafts, task plans.

Clinical calculation

After the AI extracts clinical data, dedicated calculation software computes standard scores, percentiles, and indices. This step is completely separate from the AI layer. It uses validated clinical formulas. The math is auditable and reproducible.

Storage

All data is stored encrypted (AES-256) on our server in Germany. Backups are also encrypted and stored in the same country. There is no cross-border data transfer. Each record is encrypted with its own key, which means we can do cryptographic erasure: when you delete your data, the encryption key is destroyed and the data becomes permanently unreadable.

Access control

Strict role-based access control limits who can see what. Parents see their own family's data. Teachers see only the specific information shared through Teacher Bridge. Professionals see client data within their practice scope. Every access event is logged and auditable.

Data retention

You control your data's lifecycle. You can export your data at any time in a standard format. You can request deletion at any time, and we perform cryptographic erasure: the encryption key for your records is destroyed, making the data permanently unrecoverable. We don't keep backup copies after deletion is confirmed.

Encryption starts in your browser

The moment you type something, whether it's a teacher's observation or a test result, it's encrypted before it ever leaves your browser. We use TLS 1.3 for data in transit, so your inputs can't be intercepted.

Everything stays in the EU

Once your data reaches our servers, it stays exclusively on our privately managed, EU-based infrastructure. We don't use US-based public cloud APIs for processing sensitive clinical data. Full GDPR compliance, no shortcuts.

Not a public AI

We don't send your child's data to public AI services. To write reports, we use a strictly contained internal system that only pulls from verified clinical guidelines. Your data is processed in memory and never enters any training loop.