Trust Center
How Cothon protects your procurement data: the controls we enforce today, the compliance work in progress, and the documentation your security team needs.
Last updated: May 5, 2026
What's protecting your data today
Every control below is implemented in code and enforced in production. Not roadmap items, not aspirations.
Multi-factor authentication
TOTP-based MFA with self-enrollment, multiple factors per user, session step-up challenges, and organization-level enforcement.
Evidence: NIST 800-63B AAL2
Enterprise SSO (SAML / OIDC)
SAML 2.0 and OIDC single sign-on. Domain ownership is verified manually by our operations team before activation — a deliberate anti-impersonation control.
Row-Level Security on every tenant table
Data isolation is enforced at the database layer, not just in application code. Every table containing customer data has organization-scoped security policies. Even if an application-layer bug issued a query that reached across organizations, the database itself would reject it.
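As an added illustration (not Cothon's schema, and not Supabase's own policy helpers), this is how organization-scoped Row-Level Security is declared in PostgreSQL, the engine behind Supabase. The purchase_orders table, the app_user role and the app.current_org_id session setting are assumptions for the example; a Supabase deployment would typically derive the tenant from the JWT instead. What it shows: once the policy exists, a query that omits the organization filter still returns only the caller's rows, and an insert into another organization is refused by the database, not by application code.

```sql
-- Added example (not Cothon's schema). PostgreSQL 9.5 or later.
-- Assumptions: the application connects as the non-owner role app_user and, per request,
-- sets app.current_org_id to the caller's organization inside the transaction.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE purchase_orders (
    id           bigserial PRIMARY KEY,
    org_id       uuid   NOT NULL,
    vendor_name  text   NOT NULL,
    amount_cents bigint NOT NULL
);

-- Constructed seed data for two tenants, loaded by the migration/owner role.
INSERT INTO purchase_orders (org_id, vendor_name, amount_cents) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Acme Steel',   125000),
    ('22222222-2222-2222-2222-222222222222', 'Globex Paper',   4200);

-- Enable RLS. With RLS on and no matching policy the default is "no rows", so a
-- table that is missed when writing policies fails closed rather than open.
ALTER TABLE purchase_orders ENABLE ROW LEVEL SECURITY;
-- FORCE binds the table owner as well; without it the owner bypasses RLS.
-- (Superusers and roles with BYPASSRLS always bypass it, so the app must not run as those.)
ALTER TABLE purchase_orders FORCE ROW LEVEL SECURITY;

-- One policy scopes reads (USING) and writes (WITH CHECK) to the caller's org.
-- nullif() turns an unset/empty setting into NULL so the comparison fails closed
-- instead of raising a cast error.
CREATE POLICY org_isolation ON purchase_orders
    FOR ALL TO app_user
    USING      (org_id = nullif(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = nullif(current_setting('app.current_org_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON purchase_orders TO app_user;
GRANT USAGE ON SEQUENCE purchase_orders_id_seq TO app_user;

-- Demonstration as the application role, acting for tenant 1.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';

-- The WHERE org_id = ... clause is deliberately missing; only 'Acme Steel' comes back.
SELECT vendor_name FROM purchase_orders;

-- Writing into another tenant fails the WITH CHECK clause:
--   ERROR: new row violates row-level security policy for table "purchase_orders"
INSERT INTO purchase_orders (org_id, vendor_name, amount_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled', 1);
ROLLBACK;
```

The check a reviewer would run against a schema like this is simple: list every table that holds customer data and confirm `relrowsecurity` and `relforcerowsecurity` are both true in `pg_class`, and that the application role is neither a superuser nor marked BYPASSRLS.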
Append-only audit log
Security-relevant events (password changes, MFA lifecycle, member role changes, data exports, account deletions, SSO lifecycle) are captured in a tamper-evident log with database-level triggers that block modification — even from privileged roles.
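To make "append-only with database-level triggers" concrete, here is an added PostgreSQL example; it is not Cothon's schema. It goes one step beyond the text: besides the triggers that refuse UPDATE, DELETE and TRUNCATE, each row carries a hash that commits to the previous row, so if a role that is allowed to ALTER the table disables the trigger and edits history, a verification query finds the break. Table and column names, the event type strings and the sample rows are all constructed.

```sql
-- Added example (not Cothon's schema). PostgreSQL 11 or later (for sha256()).
CREATE SEQUENCE audit_log_id_seq;

CREATE TABLE audit_log (
    id          bigint PRIMARY KEY,               -- assigned in the trigger, after the lock
    org_id      uuid        NOT NULL,
    actor_id    uuid,                             -- NULL for system-generated events
    event_type  text        NOT NULL,             -- constructed names, e.g. 'mfa.enrolled'
    occurred_at timestamptz NOT NULL DEFAULT now(),
    details     jsonb       NOT NULL DEFAULT '{}',
    prev_hash   bytea,                            -- NULL only for the first row
    row_hash    bytea       NOT NULL
);

-- One canonical hash over the previous row's hash and this row's content, shared by
-- the insert trigger and the verifier so the two can never drift apart.
CREATE FUNCTION audit_row_hash(prev bytea, org uuid, actor uuid, ev text,
                               occurred timestamptz, details jsonb)
RETURNS bytea LANGUAGE sql IMMUTABLE AS $$
    SELECT sha256(coalesce(prev, '\x'::bytea) || convert_to(
        org::text || '|' || coalesce(actor::text, '') || '|' || ev || '|' ||
        extract(epoch FROM occurred)::text || '|' || details::text, 'UTF8'));
$$;

CREATE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Serialise inserters so "the previous row" is unambiguous and id order == chain order.
    PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
    NEW.id := nextval('audit_log_id_seq');
    SELECT row_hash INTO NEW.prev_hash FROM audit_log ORDER BY id DESC LIMIT 1;
    NEW.row_hash := audit_row_hash(NEW.prev_hash, NEW.org_id, NEW.actor_id,
                                   NEW.event_type, NEW.occurred_at, NEW.details);
    RETURN NEW;
END $$;

-- Any attempt to change or remove history raises, whatever DML privilege the caller holds.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END $$;

CREATE TRIGGER audit_log_chain_trg   BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_chain();
CREATE TRIGGER audit_log_no_modify   BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();
CREATE TRIGGER audit_log_no_truncate BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Returns the ids of rows whose stored hashes no longer match the recomputed chain
-- (empty result = intact). Run it from a scheduled job or before exporting the log.
CREATE FUNCTION audit_log_broken_rows() RETURNS SETOF bigint LANGUAGE sql STABLE AS $$
    WITH chained AS (
        SELECT id, prev_hash, row_hash,
               lag(row_hash) OVER w AS expected_prev,
               audit_row_hash(lag(row_hash) OVER w, org_id, actor_id,
                              event_type, occurred_at, details) AS expected_hash
        FROM audit_log WINDOW w AS (ORDER BY id))
    SELECT id FROM chained
    WHERE prev_hash IS DISTINCT FROM expected_prev OR row_hash <> expected_hash;
$$;

-- Constructed events.
INSERT INTO audit_log (org_id, actor_id, event_type, details) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
     'mfa.enrolled', '{"factor": "totp"}');
INSERT INTO audit_log (org_id, actor_id, event_type, details) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
     'member.role_changed', '{"member": "user-2", "role": "admin"}');

-- Each of these fails with: ERROR: audit_log is append-only (DELETE blocked) / (UPDATE blocked)
DELETE FROM audit_log WHERE event_type = 'member.role_changed';
UPDATE audit_log SET details = '{}' WHERE id = 1;

SELECT * FROM audit_log_broken_rows();   -- no rows while the chain is intact
```

The trigger is the preventive control and the chain is the detective one: the trigger stops every ordinary role, and a break reported by audit_log_broken_rows() is the signal that someone with ALTER TABLE rights disabled it, which is exactly the case a tamper-evident log exists to surface.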
Encryption in transit and at rest
TLS 1.2 or higher for all network traffic. AES-256 encryption at rest managed by our database provider. Integration credentials receive additional application-layer encryption.
PIPEDA compliance
Full self-assessed alignment with all ten PIPEDA principles. Consent management, data export, account deletion, and breach notification tracking are built into the platform.
Admin audit log viewer
Organization administrators can query and export their audit log through Settings, with filters by category, event type, actor, and date range. CSV export available for compliance reporting.
Automated vulnerability scanning
Dependency scanning, static application security testing, and secret scanning run automatically on every code change. Findings are triaged by severity with defined patch SLAs.
What we're building
Honest status on items we don't yet have. No promised dates — just transparent direction.
SOC 2 Type II attestation
We do not currently hold a SOC 2 Type I or Type II report. Our internal controls are designed to align with SOC 2 Common Criteria CC6 and CC7, and our control-to-framework mapping document describes the alignment in detail.
ISO 27001 certification
No current certification. Our controls are designed to be compatible with ISO 27001 Annex A and are mapped in the control framework document.
Third-party penetration test
We have not yet commissioned an independent penetration test. Automated dependency scanning (Dependabot, pip-audit, npm audit) and static analysis (CodeQL) run on every change as compensating controls.
Public status page with uptime history
No public status page yet. Uptime is monitored internally but we do not publish historical SLA figures. Incidents are communicated directly to affected customers.
Policies and documentation
Formal policy documents. Contact us for the most recent version or for a countersigned PDF.
The umbrella policy governing all of Cothon's security practices.
Retention windows, soft-delete, cancellation timeline, backup expiry.
Detection, containment, investigation, remediation, and PIPEDA notification.
Patch SLAs by severity, scanning cadence, responsible disclosure.
How customer data flows through AI features. Answers: “Is our data used to train your AI models?” (No.)
What customers and users may and may not do with the platform.
How Cothon's controls map to SOC 2 Common Criteria, ISO 27001 Annex A, and NIST 800-53/800-63B.
How we categorize data by sensitivity and the handling rules for each tier.
Level 0 context, Level 1 system overview, trust boundaries, and classification overlay.
Subprocessors
Third-party service providers that process customer data on our behalf. We vet each provider's security posture before onboarding.
| Vendor | Purpose | Data access | Their certifications |
|---|---|---|---|
| Supabase | Database, authentication, storage | All customer data | SOC 2 Type II, ISO 27001 |
| Vercel | Frontend hosting | No persistent data | SOC 2 Type II, ISO 27001 |
| Railway | Backend API hosting | Data in transit | Verify current status |
| Google (Gemini) | AI analysis (optional) | Document text; not retained for training under paid API terms | SOC 2 Type II, ISO 27001 |
| Sentry | Error tracking | Stack traces with PII scrubbing | SOC 2 Type II, ISO 27001 |
Customers are notified before new subprocessors are added to this list. See the AI Data Usage Policy for detail on how document content is handled by our AI provider.
Frequently asked questions
Do you have a SOC 2 Type II report?
No. We do not currently hold a SOC 2 Type I or Type II report. SOC 2 readiness is on our compliance roadmap but we are not in an active audit cycle. If a current SOC 2 Type II is a hard prerequisite for your procurement process, please tell us early in the evaluation so we can set realistic expectations.
Where is our data stored?
Cothon is deployed on Supabase and Railway, which offer multiple cloud regions. The specific region for your tenant is a deployment-time decision. During onboarding we can confirm the region in writing with a dated screenshot of the Supabase project settings, and we can prepare a one-page deployment memo documenting the full data flow for your records. Contact us at management@mirconsulting.ca to request one.
Is our data used to train your AI models?
No. Cothon does not train AI models. Our AI provider (Google Gemini) does not train its models on customer data submitted through the paid API under the terms we operate under. You can also disable AI features entirely at Settings → AI Features if your organization prefers to keep document content inside your deployment region.
Can you enforce multi-factor authentication for our team?
Yes. Organization owners and administrators can require MFA for all members through Settings → Organization Security. You can also configure a grace period (0–90 days) so existing members have time to enroll before enforcement kicks in. Enrollment status is visible in a per-member compliance table.
Do you support SAML or OIDC single sign-on?
Yes, for enterprise plans. SAML 2.0 and OIDC are supported via Supabase Auth. Domain ownership is verified manually by our operations team before we activate the mapping between your email domain and your IdP — this is a deliberate anti-impersonation control. Setup requires coordination between your IT team and ours.
What happens to our data if we cancel?
Active database records are deleted 90 days after cancellation. Audit log entries are anonymized but preserved for 730 days for tamper-evidence. Encrypted Supabase backups may retain data for a provider-managed window after primary deletion. See the Data Retention and Destruction Policy for full detail.
Can I get a completed security questionnaire (CAIQ, SIG, etc.)?
Yes. Contact us with your questionnaire and we will complete the applicable sections, with honest responses about what we have and what we do not have. Turnaround is typically a few business days depending on questionnaire length.
Security & compliance questions
For security questionnaires, compliance documentation, NDA-gated documents, or detailed control walkthroughs, contact us at the address below.
management@mirconsulting.ca