Security
Last updated: April 11, 2026
Cosma takes the security of your advertising data seriously. This page outlines our security practices, architecture, and commitments.
1. Authentication & Access Control
User authentication is handled by Clerk, an enterprise-grade identity platform. We never store passwords. Within Cosma, role-based access controls (Admin, Editor, Viewer) restrict what each team member can see and modify. Client-level assignments ensure editors and viewers only access data for their assigned accounts.
2. Encryption
All data in transit is encrypted using TLS 1.2+. OAuth refresh tokens are encrypted at rest using Fernet (AES-128-CBC with HMAC-SHA256). BigQuery data uses Google-managed AES-256 encryption at rest.
3. Infrastructure
Our application server runs on a dedicated VPS with SSH key-only access. nginx handles TLS termination using Let's Encrypt certificates (auto-renewed). systemd isolates the API server from background task workers.
4. Data Isolation
Each customer's advertising data is stored in isolated BigQuery datasets (one per client per platform). Supabase PostgreSQL enforces Row Level Security (RLS) policies that prevent cross-tenant data access at the database level. API endpoints validate organization ownership on every request.
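The access model described in sections 1 and 4 (organization ownership checked on every request, Admin/Editor/Viewer roles, client-level assignments for editors and viewers) written out as a deny-by-default authorization check. This is an added illustration, not Cosma's code; the Principal and ClientResource shapes, the lowercase role names and the read/write action set are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    ADMIN = "admin"
    EDITOR = "editor"
    VIEWER = "viewer"


@dataclass(frozen=True)
class Principal:
    """Signed-in team member (assumed shape of the identity the API receives from Clerk)."""
    user_id: str
    organization_id: str
    role: Role
    assigned_clients: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ClientResource:
    """A client (advertiser account) that belongs to exactly one organization."""
    organization_id: str
    client_id: str


# Roles allowed to modify a client they are permitted to see.
_WRITE_ROLES = {Role.ADMIN, Role.EDITOR}


def authorize(principal: Principal, resource: ClientResource, action: str) -> bool:
    """Deny by default: tenant boundary first, then role, then client assignment."""
    if action not in ("read", "write"):
        return False
    # Organization ownership is re-checked on every request, never cached from a prior call.
    if resource.organization_id != principal.organization_id:
        return False
    # Admins may see and modify every client within their own organization.
    if principal.role is Role.ADMIN:
        return True
    # Editors and viewers are confined to the clients explicitly assigned to them.
    if resource.client_id not in principal.assigned_clients:
        return False
    if action == "write":
        return principal.role in _WRITE_ROLES
    return True


def visible_clients(principal: Principal, resources: list) -> list:
    """Filter a listing down to what this team member is allowed to read."""
    return [r for r in resources if authorize(principal, r, "read")]
```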
5. Application Security
All database queries use parameterized inputs — never string interpolation. API endpoints validate all inputs via Pydantic schemas. CORS is restricted to authorized domains only. Rate limiting is enforced on authentication and API endpoints.
6. OAuth & Platform Connections
Cosma connects to advertising platforms using OAuth 2.0 with minimum necessary scopes (read-only where possible). Tokens can be revoked at any time by disconnecting the platform in Settings, which immediately deletes stored tokens.
7. Monitoring & Incident Response
Application errors are captured by Sentry with PII scrubbing. Structured logging provides audit trails for all data access. Security incidents affecting customer data are communicated within 72 hours per our DPA.
8. Compliance Roadmap
We are working toward SOC 2 Type II certification. Current measures align with SOC 2 Trust Service Criteria for security, availability, and confidentiality. Our DPA is available for customers requiring GDPR compliance documentation.
9. Responsible Disclosure
If you discover a security vulnerability, please report it to security@cosma.ad. We ask for reasonable time to address issues before public disclosure. We do not pursue legal action against good-faith researchers.
Security questions: security@cosma.ad