Secure by architecture.
Cohesor sits on the critical path between your agents and the models — so security isn't a feature bolted on later, it's how the system is built.
Encrypted at rest
Provider credentials are Fernet-encrypted at rest and never returned to the browser — not even to you, once stored.
Hashed gateway keys
Gateway keys are shown once and stored only as a SHA-256 hash. We resolve requests by hash — the plaintext key never touches our database.
Client-side OAuth
MCP tool tokens stay encrypted on the client. Cohesor brokers the call without persisting your Slack, GitHub or Google credentials.
Tenant isolation
Every organization is a cleanly isolated tenant. Keys, usage, tools and billing never cross the boundary between workspaces.
Full audit trail
Every model call and tool invocation is logged per tenant with status and metadata — so you always know what ran and why.
Least-privilege by default
Keys are scoped and revocable, budgets are enforced on the hot path, and access follows role boundaries across the org.
Compliance
On the path to SOC 2.
We're actively pursuing SOC 2 Type II and building our security program to enterprise standards from day one. Need our current documentation, a DPA, or to run a vendor review?
Request security docsSOC 2 Type II
In progress
Data Processing Agreement
Available on request
Vendor security reviews
Enterprise plans
How we handle your data
Requests flow through Cohesor only to be compressed, routed and metered before being forwarded to the model provider. We record usage metadata — token counts, model served, cost and savings — to power your dashboard and billing. We do not sell your data, and we do not use your prompts to train models.
Subprocessors
- Model providers — the upstream LLM providers that serve your selected models.
- Cloud infrastructure — our hosting and managed database provider.
- Authentication — our identity provider for dashboard sign-in.
A current, detailed subprocessor list is available to customers on request. Questions? Reach us at hello@cohesor.com.
Run a security review with us.
We're happy to walk your team through our architecture and controls.