Security

What we protect. How we protect it. What we do not claim.

This page states our current security posture honestly. Confirmed capabilities are listed. Planned capabilities are marked as planned. We do not make claims we cannot back.

Current posture

  • Every Cortex answer cites its source, so you can verify it.
  • Cortex drafts; a human reviews before anything sends.
  • Customer data is isolated at the project boundary.
  • Secrets are encrypted, not stored in plaintext.
  • Actions are logged.
  • EU-hosted data stays in the EU unless you configure an external provider.
  • Planned capabilities are labelled as planned.

Confirmed controls

Security capabilities implemented today.

Confirmed

Data isolation

Cortex resources are scoped by product_instance_id. Canopy Host resources are scoped by authenticated user and team membership.

Confirmed

Transit encryption

All traffic is served over HTTPS. Canopy Host provisions TLS certificates for custom domains.

Confirmed

Provider credential encryption

Cortex provider credentials use AES-GCM envelope encryption before storage. Keys are never returned in API responses.

Confirmed

Sync source credential encryption

External sync source credentials use the same AES-GCM envelope pattern and clear plaintext config after encryption.

Confirmed

Scoped API keys

Cortex keys can be scoped to read, chat, ingest, or full access. Expiry is enforced in the API layer.

Confirmed

Audit logging

Cortex records document ingestion, assistant conversations, API key usage, credential access, admin actions, and GDPR requests.

Confirmed

GDPR erasure and export

Cortex and Canopy Host implement account deletion and JSON export endpoints for GDPR Art. 17 and Art. 20 workflows.

Confirmed

EU data residency

Both products are hosted on Hetzner infrastructure in European data centres.

Data isolation

Your data never crosses project boundaries.

In Cortex, every resource is tagged with a product_instance_id at the database row level. A request authenticated with Project A credentials cannot read Project B documents, conversations, or API keys.

Canopy Host boundary

Projects, environments, builds, variables, and databases are scoped to the authenticated user and their team memberships. Variables and environment values are handled as secrets and are not exposed in build output.

At-rest encryption

Application-layer encryption for sensitive credentials.

Provider credentials and sync source connection credentials are encrypted before storage using AES-GCM envelope encryption. Full database-level encryption at rest is not currently confirmed as a configured feature and remains on the roadmap.

What is encrypted today

  • OpenAI, Anthropic, and other provider API keys.
  • External sync source credentials.
  • Credential ciphertext bound to its record through authenticated data.
  • Provider keys decrypted only at the moment of use, in memory.

GDPR

Erasure and export are implemented.

Cortex and Canopy Host implement GDPR rights for erasure and portability. Deletion and export operations are exposed by product APIs and are recorded for auditability.

Cortex erasureDELETE /dashboard/meImplemented
Cortex exportGET /dashboard/me/exportImplemented
Canopy Host erasureDELETE /account/gdprImplemented
Canopy Host exportGET /account/gdpr/exportImplemented

Model training

Customer data is not used to train shared models.

Your documents, conversations, and training datasets in Cortex are processed solely to power your own assistants within your project boundary.

External model providers

Data sent to your configured provider, such as OpenAI or Anthropic, is subject to that provider's policies. You control which provider key is configured.

Roadmap

Security capabilities we are working on.

These capabilities are planned but not yet implemented. If any are blockers for your organisation, contact us and we will tell you where things stand.

Planned

SOC 2 Type II audit - in planning

Planned

ISO 27001 certification - in planning

Planned

Independent penetration testing - in planning

Planned

SSO / SAML for Enterprise customers - planned Q1 2027

Planned

Full database encryption at rest - on roadmap

Planned

Automated backup verification for Canopy Host - on roadmap

Planned

Security incident response runbook - in preparation

Planned

Formal responsible disclosure programme - in preparation

Responsible disclosure

Report vulnerabilities privately.

If you discover a potential security vulnerability in Cortex or Canopy Host, please report it to us before public disclosure. We acknowledge reports within 5 business days.

Contacts