Trust Center
Security Overview
How Cossmic protects the data employers and candidates entrust to us. Written for buyers, security reviewers and anyone doing due diligence.
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest. Sensitive government identifiers such as PAN are additionally encrypted at the application layer with AES-256-GCM and decrypted only for authorised payroll operations.
Tenant isolation
Every record is scoped to its organization. Isolation is enforced both in the application and at the database with row-level security — one organization can never read another's data. This is a structural guarantee, not a filter that a query can forget.
Access control & staff access
Access follows least privilege and role-based permissions. When a Cossmic staff member needs to access customer data to provide support, that access is:
- Logged and attributable — every action is recorded against the individual staff member, in an append-only audit trail.
- Time-boxed — support sessions expire automatically.
- Org-visible — the customer's founders receive a daily digest of any staff access.
- Revocable — access can be cut instantly with a kill-switch.
Data residency
Cossmic's infrastructure runs in India:
| Layer | Provider | Region |
|---|---|---|
| Database | Supabase (AWS ap-south-1, Mumbai) | India |
| Application compute | Vercel (bom1, Mumbai) | India |
| Transactional email | ZeptoMail — Zoho (India region) | India |
| Error monitoring | Sentry — PII-scrubbed, fingerprints only | No personal data leaves region |
The vendors above are listed on our Subprocessors page.
Reliability & continuity
The database is backed up continuously with point-in-time recovery. Infrastructure is managed by providers with their own resilience guarantees, and the platform is monitored for errors and availability.
Incident response
Cossmic maintains an incident-response and breach-notification procedure: detection, assessment, notification of the Data Protection Board and affected individuals where required, and a post-incident review. If you believe you have found a security issue, please use Responsible Disclosure.
Contact
Security questions or reports: security@cossmic.in.