Trust Center
How Cothon protects your procurement data: the controls we enforce today, the compliance work in progress, and the documentation your security team needs.
Last updated: April 8, 2026
What's protecting your data today
Every control below is implemented in code and enforced in production. Not roadmap items, not aspirations.
Multi-factor authentication
TOTP-based MFA with self-enrollment, multiple factors per user, session step-up challenges, and organization-level enforcement. Built on Supabase Auth with custom session gating.
Evidence: NIST 800-63B AAL2
Enterprise SSO (SAML / OIDC)
SAML 2.0 and OIDC single sign-on via Supabase. Domain ownership is verified manually by our operations team before a customer's employees can use SSO to reach their organization.
Evidence: Supabase Auth SSO
Row-Level Security on every tenant table
Data isolation is enforced at the PostgreSQL layer, not just in application code. Every table containing customer data has org-scoped RLS policies. Even if an API-layer bug allowed an invalid query, the database itself rejects it.
Evidence: 32+ SQL migration files
Append-only audit log
Security-relevant events (password changes, MFA lifecycle, member role changes, data exports, account deletions, SSO lifecycle) are captured in a database table with triggers that block UPDATE and DELETE — even from the service role.
Evidence: audit_events table + triggers
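The two database-layer controls described above (org-scoped Row-Level Security on tenant tables, and triggers that make audit_events append-only even for the service role), shown as an added SQL illustration that is not Cothon's own migration code. It assumes a Supabase project (the `auth.uid()` function and `authenticated` role); the `documents` and `org_members` tables and the `audit_events` columns are hypothetical.

```sql
-- Added illustration, not Cothon's own migrations. Assumes a hypothetical
-- "documents" table and "org_members" membership table; "audit_events" is the
-- table named on the page, but its columns here are guesses.

-- 1. Tenant isolation at the PostgreSQL layer: the database decides which
--    rows a JWT-authenticated user can read or write, regardless of API bugs.
create table if not exists org_members (
  org_id uuid not null, user_id uuid not null, primary key (org_id, user_id));
create table if not exists documents (
  id bigint generated always as identity primary key,
  org_id uuid not null, title text not null, body text);

alter table documents enable row level security;
alter table documents force row level security;  -- also binds the table owner

create policy documents_org_isolation on documents for all to authenticated
  using (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- 2. Append-only audit log. RLS does not stop the Supabase service role
--    (it has BYPASSRLS), but BEFORE triggers fire for every role, so an
--    UPDATE or DELETE is rejected even with the service key.
create table if not exists audit_events (
  id bigint generated always as identity primary key,
  org_id uuid not null, actor_id uuid, event_type text not null,
  created_at timestamptz not null default now());

create or replace function audit_events_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only; % rejected', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_events_no_update_delete
  before update or delete on audit_events
  for each row execute function audit_events_immutable();

-- Caveat: a row-level trigger does not see TRUNCATE, which would empty the
-- table silently; TRUNCATE needs a statement-level trigger of its own.
create trigger audit_events_no_truncate
  before truncate on audit_events
  for each statement execute function audit_events_immutable();
```

A role that can DROP TRIGGER can still defeat this, so changes to these triggers belong in reviewed migrations rather than ad-hoc DDL.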
Encryption in transit and at rest
TLS 1.2+ for all network traffic. AES-256 at rest via Supabase. OAuth integration tokens are additionally encrypted at the application layer with Fernet before storage.
Evidence: Supabase + Fernet
PIPEDA compliance
Full self-assessed alignment with all ten PIPEDA principles. Consent management, data export, account deletion, and breach notification tracking are built into the platform.
Evidence: routes/privacy.py + user_consents table
Admin audit log viewer
Organization administrators can query and export their org's audit log through Settings → Audit Log, including filters by category, event type, actor, status, and date range. CSV export for compliance reporting.
Evidence: AuditLogPanel.tsx
Error and performance monitoring
Sentry is integrated across backend and frontend for error tracking with PII scrubbing enabled. Breadcrumb data supports incident response investigation.
Evidence: @sentry/nextjs + sentry_sdk
What we're building
Honest status on items we don't yet have. No promised dates — just transparent direction.
SOC 2 Type II attestation
We do not currently hold a SOC 2 Type I or Type II report. Our internal controls are designed to align with SOC 2 Common Criteria CC6 and CC7, and our control-to-framework mapping document describes the alignment in detail.
ISO 27001 certification
No current certification. Our controls are designed to be compatible with ISO 27001 Annex A and are mapped in the control framework document.
Third-party penetration test
We have not yet commissioned an independent penetration test. Automated dependency scanning (Dependabot, pip-audit, npm audit) and static analysis (CodeQL) run on every change as compensating controls.
Public status page with uptime history
No public status page yet. Uptime is monitored internally but we do not publish historical SLA figures. Incidents are communicated directly to affected customers.
Policies and documentation
Formal policy documents. Marked DRAFT pending legal review where applicable. Contact us for the most recent version of any document not linked below.
The umbrella policy governing all of Cothon's security practices.
Retention windows, soft-delete, cancellation timeline, backup expiry.
Detection, containment, investigation, remediation, and PIPEDA notification.
Patch SLAs by severity, scanning cadence, responsible disclosure.
How customer data flows through AI features. Answers: “Is our data used to train your AI models?” (No.)
What customers and users may and may not do with the platform.
How Cothon's controls map to SOC 2 Common Criteria, ISO 27001 Annex A, and NIST 800-53/800-63B.
How we categorize data by sensitivity and the handling rules for each tier.
Level 0 context, Level 1 system overview, authentication and document analysis sequence diagrams, trust boundaries, classification overlay.
Policies marked DRAFT are currently under legal review. Contact us for the most recent version or for a countersigned PDF.
Subprocessors
Third-party service providers that process customer data on our behalf. We vet each provider's security posture before onboarding.
| Vendor | Purpose | Data access | Their certifications |
|---|---|---|---|
| Supabase | Database, authentication, storage | All customer data | SOC 2 Type II, ISO 27001 |
| Vercel | Frontend hosting | No persistent data | SOC 2 Type II, ISO 27001 |
| Railway | Backend API hosting | Data in transit | Verify current status |
| OpenAI | AI analysis (optional) | Document text, not retained for training | SOC 2 Type II |
| Google (Gemini) | AI analysis (optional) | Document text, not retained for training | SOC 2 Type II, ISO 27001 |
| Sentry | Error tracking | Stack traces with PII scrubbing | SOC 2 Type II, ISO 27001 |
Customers are notified before new subprocessors are added to this list. See the AI Data Usage Policy for detail on the optional AI providers.
Frequently asked questions
Do you have a SOC 2 Type II report?
No. We do not currently hold a SOC 2 Type I or Type II report. SOC 2 readiness is on our compliance roadmap but we are not in an active audit cycle. If a current SOC 2 Type II is a hard prerequisite for your procurement process, please tell us early in the evaluation so we can set realistic expectations.
Where is our data stored?
Cothon is deployed on Supabase and Railway, which offer multiple cloud regions. The specific region for your tenant is a deployment-time decision. During onboarding we can confirm the region in writing with a dated screenshot of the Supabase project settings, and we can prepare a one-page deployment memo documenting the full data flow for your records. Contact us at management@mirconsulting.ca to request one.
Is our data used to train your AI models?
No. Cothon does not train AI models. The third-party AI providers we use (OpenAI and Google Gemini) do not train their models on customer data submitted through their APIs under the API terms we operate under. You can also disable AI features entirely at Settings → AI Features if your organization prefers to keep document content inside your deployment region.
Can you enforce multi-factor authentication for our team?
Yes. Organization owners and administrators can require MFA for all members through Settings → Organization Security. You can also configure a grace period (0–90 days) so existing members have time to enroll before enforcement kicks in. Enrollment status is visible in a per-member compliance table.
Do you support SAML or OIDC single sign-on?
Yes, for enterprise plans. SAML 2.0 and OIDC are supported via Supabase Auth. Domain ownership is verified manually by our operations team before we activate the mapping between your email domain and your IdP — this is a deliberate anti-impersonation control. Setup requires coordination between your IT team and ours.
What happens to our data if we cancel?
Active database records are deleted 90 days after cancellation. Audit log entries are anonymized but preserved for 730 days for tamper-evidence. Encrypted Supabase backups may retain data for a provider-managed window after primary deletion. See the Data Retention and Destruction Policy for full detail.
Can I get a completed security questionnaire (CAIQ, SIG, etc.)?
Yes. Contact us with your questionnaire and we will complete the applicable sections, with honest responses about what we have and what we do not have. Turnaround is typically a few business days depending on questionnaire length.
Security & compliance questions
For security questionnaires, compliance documentation, NDA-gated documents, or detailed control walkthroughs, contact us at the address below.
management@mirconsulting.ca