Trust Center

Security Overview

How Cossmic protects the data employers and candidates entrust to us. Written for buyers, security reviewers and anyone doing due diligence.

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest. Sensitive government identifiers such as PAN are additionally encrypted at the application layer with AES-256-GCM and decrypted only for authorised payroll operations.

Tenant isolation

Every record is scoped to its organization. Isolation is enforced both in the application and at the database with row-level security — one organization can never read another's data. This is a structural guarantee, not a filter that a query can forget.

Access control & staff access

Access follows least privilege and role-based permissions. When a Cossmic staff member needs to access customer data to provide support, that access is:

  • Logged and attributable — every action is recorded against the individual staff member, in an append-only audit trail.
  • Time-boxed — support sessions expire automatically.
  • Org-visible — the customer's founders receive a daily digest of any staff access.
  • Revocable — access can be cut instantly with a kill-switch.

Data residency

Cossmic's infrastructure runs in India:

LayerProviderRegion
DatabaseSupabase (AWS ap-south-1, Mumbai)India
Application computeVercel (bom1, Mumbai)India
Transactional emailZeptoMail — Zoho (India region)India
Error monitoringSentry — PII-scrubbed, fingerprints onlyNo personal data leaves region

The vendors above are listed on our Subprocessors page.

Reliability & continuity

The database is backed up continuously with point-in-time recovery. Infrastructure is managed by providers with their own resilience guarantees, and the platform is monitored for errors and availability.

Incident response

Cossmic maintains an incident-response and breach-notification procedure: detection, assessment, notification of the Data Protection Board and affected individuals where required, and a post-incident review. If you believe you have found a security issue, please use Responsible Disclosure.

Contact

Security questions or reports: security@cossmic.in.