Cogito follows a defense-in-depth methodology, building multiple layers of security into the application and infrastructure. We employ several controls including, but not limited to, strong access control based on the principle of least privilege; encryption in transit and at rest; IP filtering; vulnerability management; and system hardening.
Cogito builds security into multiple stages of the development process, developing and testing against security threats to protect customer data. We use static (SAST) and dynamic (DAST) application security testing tools to proactively find and remediate vulnerabilities, and we follow the Open Web Application Security Project (OWASP) guidelines. In addition, Cogito engages third-party security experts to perform extensive penetration tests on our application.
We have an Information Security Management System in place at Cogito which is designed to continually assess and treat risk. We implement administrative, technical, and physical safeguards to ensure the confidentiality, availability, and integrity of our customers’ data.
Cogito has a comprehensive privacy and security training program in place for all employees and contractors who may come into contact with customer data, aligned with best practices and multiple industry requirements, such as HIPAA. Upon hire, all employees must pass the training and sign and acknowledge a number of policies, including our Code of Ethics and Acceptable Use policies, prior to being granted.
Cogito implements the administrative, technical, and physical controls necessary not only to protect your data based on risk, but also to comply with relevant industry-specific requirements. We have undergone certification for SOC 2, PCI-DSS and HITRUST by a qualified third-party auditing firm. All of our application infrastructure and components are within the scope of our compliance activities.
Cogito’s clients can rely on Cogito to assist them in maintaining compliance with data protection laws and regulations, including GDPR and CCPA, as Cogito has implemented the legislatively required procedures in response to these important directives. Our in-house legal team is dedicated to enabling compliance with data privacy regulations, and we have retained a dedicated Data Privacy Officer to assist in any data privacy-related initiatives. We have created data maps and a comprehensive record of processing activities, and have established procedures for assisting our clients in responding to data subject access rights and requests. We periodically conduct data privacy impact assessments, and have Data Protection Agreements (DPAs) in place with all vendors who handle personal data. We also ensure the safe cross-border transfer of EU citizen data from the EU and Switzerland to the U.S. by actively maintaining certification with the EU and Swiss Privacy Shield Frameworks.
The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards and is often used to demonstrate compliance with HIPAA.
SOC stands for ‘System and Organizational Controls.’ SOC 2 is a control framework designed to measure and report on the controls at a service organization, providing assurance that those controls deliver the appropriate level of security and availability for the information stored and processed. A certified AICPA firm must perform the SOC 2 audit and issue the report, providing assurance that the report was produced by a qualified and independent third party.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard and set of comprehensive requirements for organizations that handle branded credit cards from the major card schemes. It was developed to support the broad adoption of consistent data security measures on a global basis. Cogito maintains annual certification by a third-party Qualified Security Assessor (QSA).
Cogito has certified compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks set forth by the U.S. Department of Commerce for the cross-border transfer of European and Swiss personal data. To view Cogito’s Privacy Shield Framework certification, click here. For more information about the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, visit www.privacyshield.gov.
Effective as of May 25, 2018, the General Data Protection Regulation (“GDPR”) is a European privacy regulation that aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Cogito has implemented appropriate technical and security processes to ensure we are compliant with our GDPR obligations. Our privacy team is available to support our clients with their GDPR compliance requirements. For more information, please view our Privacy Statement or email [email protected].
The California Consumer Protection Act (“CCPA”) is a consumer data privacy law effective January 1, 2020, designed to protect the personal information of California residents. Cogito has undertaken strategic initiatives to ensure compliance with all applicable facets of this legislation. Our privacy team is available to support our clients with the components of this directive, and we encourage you to reference our Privacy Statement or email [email protected] for more information.