Security built into the architecture
COIGAP is designed so compliance decisions are auditable, repeatable, and isolated — with your data protected at every layer.
Encryption in transit & at rest
All data is transmitted over TLS and encrypted at rest by our managed Postgres infrastructure (Supabase).
Secure authentication
Authentication is handled by Supabase Auth with hashed credentials and Google OAuth. Sessions are token-based and revocable.
Deterministic decisions
AI extracts data, but a deterministic rules engine makes every compliance decision — no black-box AI deciding outcomes. Same input always produces the same result.
Full audit trail
Every analysis, status change, and remediation is recorded in an immutable audit log for traceability and review.
Organization data isolation
Every record is scoped to your organization. Queries are filtered by organization on every request so data never crosses tenants.
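As an added illustration (not COIGAP's own code or schema), the following shows one way to enforce per-organization scoping inside Postgres itself with row-level security, which Supabase's managed Postgres supports, so the tenant filter holds even if an application query omits its WHERE clause. The table names, the organization_members mapping, the column layout and the use of Supabase's auth.uid() helper are all assumptions made for the example.

```sql
-- Added example, not COIGAP's code: tenant isolation enforced by Postgres
-- row-level security (RLS). Table and column names are assumptions.

-- Which users belong to which organization (assumed membership table).
create table organization_members (
  user_id uuid not null,
  organization_id uuid not null,
  primary key (user_id, organization_id)
);

-- Tenant-scoped records; every row carries its organization_id.
create table findings (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  reason text not null,
  confidence numeric(3,2) not null check (confidence between 0 and 1),
  created_at timestamptz not null default now()
);

-- Weak setting: RLS left off. Isolation then depends on every query adding
--   WHERE organization_id = <caller's organization>
-- and a single missed filter returns another tenant's rows.

-- Hardened setting: enable RLS, and force it so even the table owner is filtered.
alter table findings enable row level security;
alter table findings force row level security;

-- Read policy: a row is visible only when the caller is a member of its organization.
-- auth.uid() is Supabase's helper returning the authenticated user's id; on plain
-- Postgres use current_setting('app.user_id')::uuid set per request instead.
create policy findings_tenant_read on findings
  for select
  using (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Write policy: reject inserts that name an organization the caller does not belong to.
create policy findings_tenant_write on findings
  for insert
  with check (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Check: run as a member of one organization, this returns only that
-- organization's rows even though the query has no WHERE clause.
select id, reason, confidence from findings;
```

With both layers in place, the application-level filter described above becomes a performance and clarity aid, while the database policy is the control that prevents cross-tenant reads; a useful routine check is to run the unfiltered select as a low-privilege test user for each organization and confirm the row counts differ.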
Explainable by design
Every finding carries a traceable reason and confidence indicator, so decisions can always be reviewed and justified.
Compliance posture
COIGAP is built on infrastructure and practices aligned with industry security frameworks. Our managed database and authentication providers maintain their own SOC 2 and ISO 27001 certifications, and COIGAP follows SOC 2-ready operational practices including audit logging, least-privilege access, and tenant isolation.
Formal SOC 2 Type II and ISO 27001 certifications for COIGAP itself are on our roadmap. For current certification details or a security questionnaire, please contact us.
Have a security question?
We're happy to walk through our architecture or complete a security questionnaire.