Security at COGScontrol.
Finance teams trust COGScontrol with cost data and provider credentials. Here is how we protect them.
Data encryption
All data is encrypted in transit over TLS 1.3 and at rest with AES-256. Provider credentials you connect are encrypted with keys managed in AWS KMS; raw credentials are never written to logs or exposed to application users.
Compliance
COGScontrol is SOC 2 Type II compliant and undergoes regular independent security audits. Custom-plan customers can request our latest report, custom data-processing agreements (DPA), and data-residency options (US / EU).
Tenant isolation
Customer data is isolated at the organization level throughout the platform — ingestion, storage, and query paths — ensuring complete separation between customers.
Access control
The platform provides role-based access control (Admin, Manager, Viewer) with granular permissions, and SAML SSO with SCIM provisioning on the Custom plan. Internal access to production systems follows least-privilege principles and is logged.
Audit logging
Administrative and data-access events are captured in audit logs. Custom-plan customers can configure extended audit retention to meet their compliance requirements.
Read-only by design
COGScontrol ingests cost and usage data from your AI and cloud providers using the minimum read-only scopes each provider supports. The platform never needs — and never requests — permission to modify your provider workloads.
Availability
The platform is built on major cloud infrastructure with daily ingestion and reconciliation. Custom plans include SLAs up to 99.99%.
Reporting a vulnerability
If you believe you have found a security issue in the Site or the Service, please email [email protected] with details. We acknowledge reports promptly and appreciate responsible disclosure.