Security & Trust Center

How We Protect Your Data

At Cognlay, security isn't an afterthought—it's built into every layer of our system. Here's exactly how we keep your outbound campaigns, lead data, and email credentials safe.

Last Updated: February 16, 2026

Enterprise-Grade Encryption

In transit: TLS 1.3. At rest: AES-256 for stored data (lead lists, drafts, conversation history, credentials). OAuth tokens are encrypted and we never see your password.

Secure OAuth Authentication

Google authentication happens directly with Google. Cognlay receives a secure access token (not your password). Tokens are encrypted and you can revoke access instantly.

Minimal Data Access

We request only the Gmail API permissions needed for outbound automation and reply tracking. We do not request Drive, Calendar, or permission to delete emails.

SOC 2-Level Security Practices

RBAC, audit logging, MFA for production access, quarterly reviews, and dependency scanning. We are working toward formal SOC 2 Type II certification as we scale.

Isolated Data Architecture

Logical isolation per customer. AI processing happens in isolated contexts. Rate limiting and monthly caps help prevent abuse and protect sender reputation.

Transparent Incident Response

Automated monitoring for anomalies. If we confirm a breach, we notify affected users within 72 hours with details and remediation steps.

Gmail API scopes we use

We only request the permissions we actually need.

gmail.send: Send emails on your behalf

gmail.readonly: Read emails to detect replies and maintain thread context

gmail.modify: Update labels for reply tracking

We do not request access to your entire Google account, permission to delete emails, or access to Drive, Calendar, or other services.

Security roadmap

We're actively working on:

SOC 2 Type II certification (target: Q3 2026)

Annual penetration testing by third-party security firms

Bug bounty program for responsible disclosure

SAML/SSO support for enterprise customers

Report a security issue

Found a vulnerability? Please report it responsibly.

Email: developer@cognlay.com

Response time: Within 24 hours for critical issues

We do not currently offer a bug bounty, but we publicly credit security researchers who report valid issues (with permission).

Questions?

Security concerns? Email support@cognlay.com or developer@cognlay.com. We respond to all security inquiries within 24 hours.