© 2026 Cognita, Inc. · cognitagrc.io
TRUST CENTER · COGNITA

Cognita GRC

The same governance tooling we sell — applied to ourselves, stated honestly. Where a claim maps to a primitive, you can verify it in the reference architecture or re-derive it with the public Merkle verifier. Where it doesn't yet — like formal certifications — we say "roadmap", not "active".

Last updated 2026-06-06 · powered by Cognita GRC
Certification roadmap & practices
  • SOC 2 Type II (roadmap): Formal SOC 2 Type II certification is on our roadmap. We are not yet certified; no report exists.
  • ISO/IEC 27001:2022 (roadmap): Formal ISO/IEC 27001 certification is on our roadmap. We are not yet certified.
  • GDPR alignment (practices): GDPR-aligned practices: PII redaction before any ledger write, EU data-residency pools, DPA available on request.
  • ISO/IEC 42001:2023 (practices): We manage our own AIMS on the Cognita platform — self-managed, not yet registrar-audited.
How we govern ourselves

Our own policies, risk register, attestations, and operational events are managed on the Cognita platform — every state-changing action lands on the hash-chained audit ledger and is Merkle-anchored to S3 Object Lock (COMPLIANCE mode). We don't publish self-reported posture numbers here; ask us for a live walkthrough of the real ledger instead — [email protected].

Sub-processors
NAME | PURPOSE | REGION | DPA
Amazon Web Services | Primary infrastructure (us-east-1, eu-west-1) | US + EU | signed
Clerk | Identity provider (signup, session) | US | signed
WorkOS | Enterprise SSO + SCIM (Federation+ tier) | US | signed
Stripe | Billing | US + EU | signed
Resend | Transactional email | US | signed
Sentry | Error monitoring (US + EU regions) | US + EU | signed
PostHog | Product analytics (EU host) | EU | signed
How you can verify this
  • Reference architecture — 8 primitives, each named to its file in the open-source layer
  • Public Merkle verifier — POST your bundle, recompute the root, no Cognita auth required
  • 15-min audit-grade demo — three artifacts in JSON form, recomputed offline
  • Counter-signature framing — IAF-MLA accreditation = portable across Certification Bodies
  • Questions about our posture or the certification roadmap — [email protected]. We'll tell you plainly what is and isn't certified.