Security

Last updated: June 21, 2026

1. Infrastructure overview

cogniaiz is deployed on Microsoft Azure using App Service (web and API), Azure Database for PostgreSQL Flexible Server, Azure Storage, Azure Container Registry, Azure Key Vault, and Azure Application Insights with Log Analytics.

2. Controls currently in place

  • HTTPS-only is enforced for deployed web and API applications.
  • Database connections require SSL/TLS (`sslmode=require`).
  • System-assigned managed identities are enabled on both web and API applications.
  • Telemetry and operational logs are sent to Application Insights and Log Analytics.
  • A dedicated Key Vault resource is provisioned with Azure RBAC authorization mode enabled.

3. Current limitations and hardening backlog

  • PostgreSQL and Key Vault are currently configured with public network access enabled.
  • The PostgreSQL firewall includes an `allow-azure-services` rule, which should be tightened with private networking for stricter isolation.
  • Azure Container Registry currently has admin-user access enabled.
  • Some runtime secrets are injected via app settings during deployment and should be further minimized.
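The two lists above map directly onto a handful of resource properties, so the state of each item can be re-checked automatically after every deployment. The following is an added example, not cogniaiz's own tooling: a small audit script whose sample inputs are constructed to mimic the JSON shape of `az webapp show`, `az postgres flexible-server show`, `az postgres flexible-server firewall-rule list`, `az acr show`, `az keyvault show` and `az webapp config appsettings list` (the field names and resource names are assumptions, not values from the real deployment). It flags each backlog item from section 3, confirms the controls from section 2, and treats a secret as acceptable only when the app setting is a Key Vault reference rather than a plaintext value.

```python
"""Audit helper for the controls and backlog items described on this page.

Added example, not cogniaiz's own tooling. The sample dictionaries below are
constructed to mimic the JSON shape of `az webapp show`,
`az postgres flexible-server show`, `az postgres flexible-server firewall-rule list`,
`az acr show`, `az keyvault show` and `az webapp config appsettings list`
(field names are assumptions about that CLI output). Feed real
`az ... -o json` output into audit() to evaluate a live environment.
"""
import sys
from urllib.parse import parse_qs, urlparse

# Constructed sample inputs reflecting the state this page describes.
SAMPLE_WEBAPPS = [
    {"name": "web-app", "httpsOnly": True, "identity": {"type": "SystemAssigned"}},
    {"name": "api-app", "httpsOnly": True, "identity": {"type": "SystemAssigned"}},
]
SAMPLE_POSTGRES = {"name": "pg-server", "network": {"publicNetworkAccess": "Enabled"}}
SAMPLE_PG_FIREWALL = [  # the 0.0.0.0-0.0.0.0 range is how "allow Azure services" is expressed
    {"name": "allow-azure-services", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
]
SAMPLE_ACR = {"name": "registry", "adminUserEnabled": True}
SAMPLE_KEYVAULT = {
    "name": "vault",
    "properties": {"enableRbacAuthorization": True, "publicNetworkAccess": "Enabled"},
}
SAMPLE_APP_SETTINGS = [
    {"name": "DATABASE_URL", "value": "postgresql://app@pg-server:5432/app?sslmode=require"},
    {"name": "STORAGE_ACCOUNT_KEY", "value": "<placeholder-plaintext-secret>"},
    {"name": "SIGNING_KEY",
     "value": "@Microsoft.KeyVault(SecretUri=https://vault.vault.azure.net/secrets/signing)"},
]

# Setting names that usually carry credentials and therefore belong in Key Vault.
SECRET_MARKERS = ("KEY", "SECRET", "PASSWORD", "TOKEN", "CONNECTIONSTRING")


def sslmode_ok(url):
    """True if a PostgreSQL URL demands TLS (sslmode=require or stronger)."""
    mode = parse_qs(urlparse(url).query).get("sslmode", [""])[0]
    return mode in ("require", "verify-ca", "verify-full")


def is_keyvault_reference(value):
    """App Service resolves settings of this form from Key Vault at runtime."""
    return value.startswith("@Microsoft.KeyVault(")


def audit(webapps, postgres, pg_firewall, acr, keyvault, app_settings):
    """Return a list of (severity, message) findings; empty means every check passed."""
    findings = []
    for app in webapps:
        if not app.get("httpsOnly"):
            findings.append(("high", f"{app['name']}: httpsOnly is disabled"))
        if "SystemAssigned" not in (app.get("identity") or {}).get("type", ""):
            findings.append(("medium", f"{app['name']}: no system-assigned managed identity"))

    if postgres.get("network", {}).get("publicNetworkAccess") == "Enabled":
        findings.append(("high", f"{postgres['name']}: public network access enabled"))
    for rule in pg_firewall:
        if rule.get("startIpAddress") == "0.0.0.0" and rule.get("endIpAddress") == "0.0.0.0":
            findings.append(("medium", f"{postgres['name']}: rule '{rule['name']}' admits all Azure services"))

    if acr.get("adminUserEnabled"):
        findings.append(("medium", f"{acr['name']}: registry admin user enabled"))

    props = keyvault.get("properties", {})
    if not props.get("enableRbacAuthorization"):
        findings.append(("medium", f"{keyvault['name']}: RBAC authorization mode not enabled"))
    if props.get("publicNetworkAccess") == "Enabled":
        findings.append(("high", f"{keyvault['name']}: public network access enabled"))

    for setting in app_settings:
        name, value = setting["name"], setting.get("value") or ""
        if value.startswith("postgres") and not sslmode_ok(value):
            findings.append(("high", f"{name}: database URL does not require TLS"))
        if any(m in name.upper() for m in SECRET_MARKERS) and not is_keyvault_reference(value):
            findings.append(("medium", f"{name}: secret stored as a plaintext app setting"))
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_WEBAPPS, SAMPLE_POSTGRES, SAMPLE_PG_FIREWALL,
                    SAMPLE_ACR, SAMPLE_KEYVAULT, SAMPLE_APP_SETTINGS)
    for severity, message in results:
        print(f"[{severity}] {message}")
    # Non-zero exit lets a pipeline stage fail while any high-severity item remains open.
    sys.exit(1 if any(s == "high" for s, _ in results) else 0)
```

Run against the constructed sample it reports the four backlog items plus one plaintext secret, and exits non-zero because two of them (public network access on PostgreSQL and on Key Vault) are rated high. One caveat the script encodes: `sslmode=require` accepts any TLS certificate, so it encrypts the connection but does not authenticate the server; `verify-ca` or `verify-full` are needed for that, which is why all three pass `sslmode_ok` while anything weaker is flagged.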

4. Compliance statement

We do not claim SOC 2, ISO 27001, or other third-party certifications on this page. This page describes the controls implemented in the current deployment and areas we are actively improving.