Security Overview
Plain-language explanation of how Cognifiy protects your data. No marketing fluff.
Upload Security
When you upload images of your work, multiple protections are in place:
File Type Validation
Only image files (JPEG, PNG, etc.) are accepted. File extensions and MIME types are both verified server-side.
Size Limits
Maximum file size is enforced to prevent abuse. Large files are rejected before processing.
EXIF Stripping
Location data, device information, and other metadata embedded in photos is removed immediately upon upload.
Randomized File Names
Uploaded files are renamed to random strings. Original file names are not stored, preventing enumeration attacks.
Private Storage
Files are stored in non-public directories. Direct URL access to uploads is not possible.
Automatic Cleanup
Old uploads are periodically deleted according to our retention policy. We don't keep files longer than necessary.
Account Security
Password Hashing
Passwords are hashed using bcrypt with appropriate cost factor. Plain-text passwords are never stored or logged.
Secure Sessions
Session tokens are cryptographically random, HTTP-only, and expire appropriately. Sessions are invalidated on logout.
CSRF Protection
All state-changing forms include CSRF tokens. Requests without valid tokens are rejected.
Rate Limiting
Login attempts, API calls, and form submissions are rate-limited by IP to prevent brute force and abuse.
AI Content Safety
Output Sanitization
AI-generated content is sanitized before display. Raw HTML from AI responses is never rendered directly.
Confidence Scoring
Low-confidence AI responses are flagged or regenerated. Users are not shown uncertain results as definitive.
Schema Validation
AI outputs are validated against expected schemas. Malformed responses are rejected.
Data Practices
HTTPS Everywhere
All connections use TLS encryption. HTTP requests are redirected to HTTPS.
Minimal Data Collection
We collect only what's needed to provide the service. We don't sell data or use it for unrelated purposes.
No Third-Party Tracking
We don't embed invasive third-party trackers. Analytics are privacy-respecting and aggregated.
Data Deletion
You can request deletion of your data. Account deletion removes personal information within 30 days.
Reporting Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@cognifiy.com
- Please include steps to reproduce the issue
- Allow reasonable time for us to address the issue before public disclosure
We appreciate responsible disclosure and will acknowledge valid reports.
Related Policies
- Privacy Policy — How we collect, use, and protect your information
- Terms of Service — User responsibilities and service guidelines
- Cookie Policy — How we use cookies and similar technologies