Cognita's policies, risk register, and audit trail live on the same hash-chained, Merkle-anchored ledger we sell. Formal third-party certifications are on our roadmap — we are not yet certified, and we won't claim otherwise. What's below is what is true today, and how to verify it yourself.
The percentages below are computed live from our control crosswalk — the share of one framework's requirements that evidence already collected for another framework satisfies. They describe evidence REUSE for readiness preparation; certificates and SOC 2 reports are issued only by independent third parties.
Method: direct control-to-control mappings only (no transitive credit, management-system clauses excluded from scoring). The same crosswalk powers the readiness engine inside the product.
Illustrative examples of the control events the platform records on its hash-chained ledger — not a live feed. Ask us for a walkthrough of the real one.
Audit evidence is hash-chained and anchored into write-once storage (S3 Object Lock, compliance mode, ~7 years) — that immutability is the product. We reconcile this with GDPR erasure rights by design: personal data is redacted before it ever lands on the chain (automated PII redaction at the write boundary), so chained records describe events, not people. On a verified erasure request we (1) delete or de-identify personal data held in conventional storage, and (2) append a tombstone record to the ledger marking the subject's content as erased — the chain stays verifiable, the person's data is gone from every system that ever stored it in readable form.
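The following is an added illustration of the design just described (redaction at the write boundary, a hash-chained ledger, and an erasure tombstone), not Cognita's code or a description of its storage format; the key, field names and e-mail pattern are constructed for the example.

```python
import hashlib, hmac, json, re

# Constructed demo of the design above, not Cognita's code; key, field names and regex are assumptions.
PSEUDONYM_KEY = b"demo-key-replace-with-kms-managed-key"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
GENESIS = "0" * 64

def pseudonym(identifier: str) -> str:
    # Keyed reference: a tombstone can point at a subject's records, but the
    # ledger never holds a value that is reversible without the key.
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def redact(event: dict) -> dict:
    # Write-boundary redaction: strip e-mail addresses from every string field.
    subjects = set()
    def replace(match):
        subjects.add(pseudonym(match.group()))
        return "[redacted-email]"
    clean = {k: EMAIL_RE.sub(replace, v) if isinstance(v, str) else v for k, v in event.items()}
    clean["subject_refs"] = sorted(subjects)
    return clean

def record_hash(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.records = []
    def append(self, payload: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"index": len(self.records), "prev_hash": prev, "payload": payload}
        rec["hash"] = record_hash(rec)  # covers prev_hash, so records are chained
        self.records.append(rec)
        return rec
    def log_event(self, event: dict) -> dict:
        return self.append({"type": "event", **redact(event)})
    def erase(self, identifier: str) -> dict:
        # Conventional stores are purged elsewhere; the ledger only gains a
        # tombstone naming the affected records, so earlier hashes stay valid.
        ref = pseudonym(identifier)
        hit = [r["index"] for r in self.records if ref in r["payload"].get("subject_refs", [])]
        return self.append({"type": "tombstone", "subject_ref": ref, "erased_records": hit})
    def verify(self) -> bool:
        prev = GENESIS
        for r in self.records:
            unsigned = {k: v for k, v in r.items() if k != "hash"}
            if r["prev_hash"] != prev or r["hash"] != record_hash(unsigned):
                return False
            prev = r["hash"]
        return True
```

After an erasure the chain still verifies end to end, while any later edit to an earlier record (the tamper a verifier is looking for) breaks it.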
Erasure requests: [email protected]. This describes our engineering posture; it is documentation, not legal advice.
Reference architecture, sub-processor list, DPA, our LLM data-handling posture, and a walkthrough of the ledger we run on ourselves. We'll tell you plainly what is and isn't certified.