Security, privacy & trust at Cortex
This page is maintained by Cortex to answer common security and privacy questions about our platform. It describes our current controls — not an independent certification.
Last updated · June 22, 2026
How we protect your data
Our security posture
Encryption in transit & at rest
All traffic is served over TLS 1.2+. Data at rest is encrypted by our managed cloud database provider.
Role-based access control
A dedicated user_roles table backs admin/user permissions. Privileged operations require a verified admin role and are recorded in our credit transaction log.
Row-level security everywhere
Every customer-data table — profiles, projects, analyses, workspaces, reports — has row-level security policies scoped to the signed-in user.
Least-privilege service keys
Service-role credentials never reach the browser. Server functions run with the lowest privilege needed for the action; secrets are isolated server-side.
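The role table plus per-user row-level security described above, as an added SQL illustration that is not Cortex's own schema. It assumes Postgres with Supabase's `auth.uid()` helper and `auth.users` table (Supabase is listed as a sub-processor below); the `user_roles`, `projects` and `has_role` names are hypothetical.

```sql
-- Hypothetical schema (not Cortex's own); assumes Postgres with Supabase's auth.uid().
create type app_role as enum ('admin', 'user');

create table public.user_roles (
  user_id uuid not null references auth.users(id) on delete cascade,
  role    app_role not null,
  primary key (user_id, role)
);
alter table public.user_roles enable row level security;
-- No client-facing policies on user_roles: nobody can grant themselves a role.
-- Only the server-side service role (which bypasses RLS) can write it.

-- Role lookups live in a SECURITY DEFINER function so policies can consult
-- user_roles without exposing it to clients or recursing into its own RLS.
create or replace function public.has_role(_user_id uuid, _role app_role)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user_id and role = _role
  );
$$;

create table public.projects (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users(id) on delete cascade,
  name     text not null
);
alter table public.projects enable row level security;

-- Owners read and write only their own rows; the predicate is bound to the
-- signed-in identity (auth.uid()), never to a user id supplied by the client.
create policy "projects: owner access"
  on public.projects for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Admins may read every row, but only via the role function.
create policy "projects: admin read"
  on public.projects for select
  using (public.has_role(auth.uid(), 'admin'));
```

A quick check that the policies hold is to run `select * from public.projects` as an `authenticated` user without an `owner_id` match and confirm zero rows come back.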
Where we stand today
Compliance
GDPR: In place
Compliant. DPA available on request — email privacy@cortex.app.
CCPA: In place
Compliant. Californian users can exercise access & deletion rights from in-app settings or by email.
SOC 2 Type II: On roadmap
On roadmap. We will share scoping and timeline once an auditor is engaged.
ISO 27001: On roadmap
On roadmap. Tracked alongside SOC 2.
We don't display badges we haven't earned. Any change to this list will be reflected here and dated above.
What we collect, what we don't
Data handling
What we collect
Account info (email, name, avatar), URLs you submit for audit, audit results & reports, billing metadata, basic product usage telemetry.
What we don't
We don't scrape gated/authenticated pages. We don't sell personal data. We don't keep PII from audited pages beyond your report retention window.
Retention
Audit history is kept for 12 months on paid plans and 30 days on the free plan. After that, results are purged from primary storage. Account deletion removes profile, workspaces, projects, audits, and shared report tokens.
Sub-processors
We use a small set of trusted infrastructure providers to deliver the service.
| Provider | Purpose | Data region |
|---|---|---|
| Supabase | Database, authentication, storage | EU / US |
| Lovable AI Gateway | AI model inference for audits & rewrites | Routed |
| Google PageSpeed Insights | Lighthouse performance measurement | US |
| Stripe (when enabled) | Billing & subscription management | Global |
| Resend (when enabled) | Transactional email | EU / US |
You're in control
Your rights & data deletion
Found a vulnerability?
Responsible disclosure
Email security@cortex.app with reproduction steps. We commit to acknowledging reports within 3 business days and following a 90-day coordinated disclosure window. Please don't publish details before we confirm a fix.
In scope: our web app, API, Chrome extension, and infrastructure we operate. Out of scope: third-party services listed above (report to them directly), social engineering, and DoS.
If something goes wrong
Incident response
If we confirm a security incident affecting your data, we will notify affected customers within 72 hours with what happened, what data was involved, and the mitigation steps you should take.
What's next for trust at Cortex
On the roadmap
SOC 2 Type II
Scoping audit partner; targeting full report next.
ISO 27001
Tracked alongside SOC 2 program.
EU data residency toggle
Workspace-level pin for data location.
HIPAA review
Evaluating for healthcare CRO customers.
Cortex Campus / Student
University portal & verified student access.
Public status page
Live uptime + incident history.
Need a DPA, security review, or vendor questionnaire?
Our team responds within 1 business day. Enterprise and agency buyers — we'll walk you through our controls live.