COGNITIVEX · SECURITY

Security & data protection

Your memory is the most personal data you can give an AI. We treat it that way. Encrypted, private by default, and yours: you own it, you control it, you can export or delete it at any time, and we never sell it, share it, or use it to train models other people can reach.

WHERE WE STAND

Built so the memory stays yours.

CognitiveX is a memory system. Every decision you record, every event the LCM stores, every pattern it learns about how you work is sensitive by definition. So our security model starts from a single principle: the memory belongs to the person or team who created it, and nothing in the product is allowed to quietly erode that. The four commitments below are the ones we hold ourselves to, and the rest of this page explains how each is enforced.

Encrypted

Encrypted in transit over TLS and at rest in managed storage, covering your memories and their embeddings.

Private by default

Memory is partitioned per account. Nothing is public unless you make it so, and one account cannot reach another's data.

Yours to keep

You own your memory. Export it in full or delete it for good, at any time, through the same SDK and API you build with.

Never sold or trained on

We do not sell your data, share it for marketing, or use it to train models that other customers can access.

ENCRYPTION & DATA HANDLING

Encrypted on the wire, encrypted at rest.

Traffic between your app and CognitiveX travels over TLS. Whether you call the LCM through the cogx SDK, the HTTP API, or MCP, the connection between your app and CognitiveX is encrypted in transit, and we do not accept memory writes over unencrypted transport. Stored data, including your memories and their vector embeddings, is held in encrypted storage at rest on managed infrastructure.

We practice data minimization: we collect what the product needs to work and to bill you, and not more. Secrets and API keys are stored hashed or encrypted, never in plaintext, and credentials are scoped so that a key only reaches the account it belongs to. Authentication uses signed, expiring tokens, and a key you revoke stops working immediately rather than lingering as a silent door into your data.

OWNERSHIP & CONTROL

You can read it, export it, or erase it.

Ownership is not a slogan if you cannot exercise it. The LCM is designed so that the same memory you put in is memory you can get back out, in full, on demand. These controls are part of the product, not a support ticket you have to file.

You own it

  • The memories you create are yours. Using CognitiveX does not transfer ownership of your content to us.
  • We act as a processor of your data on your behalf, not as its owner.

You control it

  • Recall, update, and forget are first-class operations in the SDK, API, and MCP.
  • Forget is a real delete of the memory and its embedding, not a hidden flag that keeps the data around.

You can leave with it

  • Export your memory in a portable form. No lock-in by withholding your own data.
  • Close your account and your data is removed from active systems within a defined window.

WHAT WE WILL NOT DO

Your memory is not our training data.

This is the line that matters most for a memory company, so we want it stated plainly rather than buried. Your content is processed to deliver the service to you. It is not a corpus we mine to build something other customers benefit from.

  • We do not sell your memory or any data derived from it.
  • We do not share your content with third parties for their own marketing or advertising.
  • We do not use your private memory to train models that other customers or the public can access.
  • We do not read your memory except as needed to operate, support, secure, or debug the service for you.

CognitiveX uses third-party model and embedding providers to render language and compute vectors. We select providers and configure their APIs with the intent that your content is used to serve your request, not retained to train their public models. The authoritative statement of how we process data lives in the Privacy Policy, and your agreement with us is set out in the Terms of Service.

ACCESS CONTROLS & ORG ISOLATION

One account cannot see another's memory.

Every read and write is scoped to the authenticated identity that made it. Memory is partitioned per account, so a request can only ever reach the data it is authorized for. For teams, an organization is its own boundary: members work inside the org, seats are managed by the owner, and one organization's memory is isolated from every other.

Internally we follow least privilege. Access to production systems is limited to the people who need it to operate the service, and we keep the surface area small on purpose. We log access to systems that handle customer data so that activity is reviewable rather than invisible. If you build on the platform, you inherit these boundaries automatically: the cogx platform enforces the same per-identity scoping for the SDK, the HTTP API, and MCP.

COMPLIANCE & ROADMAP

Honest about what is shipped and what is ahead.

We would rather tell you exactly where we are than imply a badge we have not earned. The protections described on this page are live in the product today. Formal third-party attestations are a deliberate part of our roadmap, not a current claim.

In place today

  • TLS in transit and encryption at rest.
  • Per-account scoping and organization isolation for teams.
  • Export and true delete of your memory.
  • Least-privilege internal access and access logging.

On the roadmap

  • Working toward recognized security and privacy attestations as we scale.
  • Expanded audit logging and admin controls for organizations.
  • Configurable data-residency and retention options for enterprise.

What we will not claim

  • We do not advertise certifications we have not completed. If a badge is not on this page, assume we have not earned it yet.
  • When an attestation lands, it will be stated here in plain terms, with scope.

RESPONSIBLE DISCLOSURE

Found something? Tell us.

If you believe you have found a security issue in CognitiveX, we want to hear about it before anyone else does. Email security@cognitivx.io with the details and steps to reproduce. We will acknowledge your report, investigate, and keep you informed as we work to resolve it. We ask that you give us a reasonable window to fix the issue before any public disclosure, and that you avoid accessing or altering data that is not yours while testing.

Build on memory you can trust.

The same protections cover the consumer app and the developer platform. Read the docs, plug in the LCM, and keep ownership of every memory you create.
