Privacy & Security
How we protect your child's data with end-to-end encryption, private EU cloud, and zero third-party data sharing.
How we protect your child's data
When you trust us with your child's developmental data, we take that responsibility seriously. All data is processed and stored on servers within the European Union, on infrastructure we control. We explicitly do not use public cloud services for any data containing personal information. Your child's data is never sold, never shared, and never used to train third-party AI models.
Data classification
We classify data into strict categories. Developmental scores, assessment results, and health-related information receive the highest protection level. Account data like email addresses is stored separately from developmental data. We never store data we do not need: there is no browsing history, no behavioral tracking, and no social media integration.
Encryption architecture
All data is encrypted in transit using TLS 1.3 and at rest using AES-256-GCM. Passwords are hashed with bcrypt. Encryption keys are managed through a dedicated key management system with automatic rotation. Database connections are encrypted end-to-end. Backups are encrypted with separate keys stored in a hardware security module.
Access control
We implement a zero-trust security model. Role-based access control (RBAC) limits who can access what. Row-level security (RLS) ensures users can only see their own data; even if an application vulnerability were exploited, data leakage across accounts is architecturally prevented. Only authorized personnel have access to production systems, and every access event is logged and auditable.
Infrastructure security
Our infrastructure runs on a private cloud within the European Union. No personal data leaves the EU. We do not use public cloud providers for storing or processing personal information. Network segmentation isolates sensitive services. Web application firewalls filter malicious traffic. DDoS protection is active at all times.
Incident response
We maintain a documented incident response plan with defined roles, escalation paths, and communication procedures. In the event of a data breach, we will notify affected users and the relevant supervisory authority within the legally required timeframe, typically 72 hours under GDPR.
Penetration testing
We conduct regular penetration testing by independent security firms. Findings are remediated before each release. We do not wait for annual audits; continuous security testing is part of our development process.
Vulnerability disclosure
If you discover a security vulnerability, we want to hear about it. We operate a responsible disclosure policy and will not take legal action against researchers who report vulnerabilities in good faith. Contact security@cognistase.com.
Zero third-party data sharing
Cognistase does not share data with third parties. No advertising networks. No analytics providers. No data brokers. Your child's developmental data is used exclusively to provide the service you signed up for.