GDPR compliant AI chatbots

Privacy Shield

CogniVis Privacy Shield is a set of tools and features that keep your data safe and secure and help you comply with data protection regulations such as GDPR.


Your data will NOT be used for training AI models
We use end-to-end encryption
Role-based access control & SSO are available
We perform regular OWASP penetration tests
We ensure GDPR compliance

Privacy Shield FAQ

Will my data be used for training AI models?

No, CogniVis does not process or store customer data for AI training. We only use LLM providers that pledge not to train on user inputs or local LLMs that don’t require data sharing.

Where is my data stored, and for how long?

Data is stored in Poland (EU) by default, or at the client’s premises / selected cloud provider if requested. When using LLMs, data may be processed by external providers (e.g., OpenAI) or kept on-premise depending on the chosen model. On the CogniVis side, data is kept as long as the contract lasts and deleted 30 days after termination.

How is my data secured during transfer?

Data is secured using TLS encryption during transfer. For example, when indexing knowledge, data is fetched via TLS-protected APIs, and when sending prompts to LLMs, communication is also encrypted via TLS.

What security testing is in place?

Our software undergoes penetration testing following OWASP standards after each deployment, to identify and mitigate security risks.

How are APIs secured against unauthorized access?

APIs are secured using TLS encryption for every endpoint, with an additional token-based authentication layer for endpoints that require it, to prevent unauthorized access and misuse.

Is there a backup and data recovery plan?

CogniVis offers regular backups in some plans, ensuring redundant, secure storage & recovery.

Does infrastructure have security certifications?

CogniVis can be deployed on OVH or AWS, both of which hold SOC 2 and ISO 27001 certifications. Standard deployments may not include certified infrastructure, but the Elevate plan offers hosting on certified providers for enhanced security.

Do you support SSO?

Yes, SSO integration is supported in the Elevate plan. SSO enhances security by centralizing authentication, reducing password-related risks, and enabling better access control through existing identity management systems (e.g., Microsoft Azure AD).

What access controls are there in the platform?

CogniVis uses role-based access control (RBAC) with User Groups for fine-grained permissions. A detailed list of available User Group permissions can be found here. When it comes to specific 3rd party integrations, we define access levels for each Connector during implementation.

Can CogniVis Team see the questions I ask?

Data encryption allows us to see only the question count and token usage. We don’t see the text of the questions, the answers, or the sources used for generation. During initial deployment, we recommend disabling encryption so that AI behavior can be monitored. That way we can review initial queries and help you optimize AI performance.

How does CogniVis handle data retention and deletion?

CogniVis follows GDPR-compliant data retention and deletion policies:

  • Transient data (e.g., cache, in-memory operations) is not stored beyond its necessary usage and is deleted immediately after processing.
  • Persistent data is retained only as long as required for providing services and fulfilling legal obligations.
  • Data retention periods are regularly reviewed to prevent unnecessary storage.
  • Customers have full control over their data and can request erasure at any time under GDPR Article 17.

Upon deletion requests, CogniVis ensures secure, irreversible data removal, with a maximum retention period of 30 days post-contract termination.

What is the incident response process for a data breach?

CogniVis follows a structured incident response process to minimize impact and ensure transparency:

  • Detection & Assessment: Continuous monitoring detects threats. Critical incidents are analyzed within 4 hours of detection.
  • Containment & Mitigation: Affected systems are isolated, API keys rotated, and password resets enforced if necessary.
  • Investigation & Analysis: Security experts assess the breach’s cause and implement fixes to prevent recurrence.
  • Customer Notification: If data is impacted, affected users are notified via email as soon as possible, detailing the breach, affected data, and recommended actions.
  • Personal Data: If personal data is involved, authorities are notified within 72 hours.
  • Remediation & Prevention: Security policies are updated, and enhanced measures are implemented to prevent future incidents.