> For the complete documentation index, see [llms.txt](https://docs.kosmoslabs.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.kosmoslabs.ai/security-overview.md).

# Security Overview

**V1.3 · Updated May 2026**

{% hint style="success" %}
**Read-only by design.** Kosmos requests minimum required scopes across all connected systems. We read signal metadata to surface root cause; we never write to your source systems, and we never duplicate raw data beyond what correlation requires.
{% endhint %}

***

## At a Glance

* **0** high-severity findings — OWASP ZAP DAST across 247 endpoints (Mar 2026)
* **TLS 1.3** encryption in transit
* **OAuth 2.0** read-only integrations across all connectors
* **SOC 2 Type 1** targeted no later than June 30, 2026

***

## Infrastructure & Application Security

### GCP-Native Architecture

Kosmos is deployed entirely on Google Cloud Platform. No third-party infrastructure providers are used for compute, storage, or networking.

**Services in use:**

* **Cloud Run** — stateless API and service execution
* **Cloud SQL (PostgreSQL)** — structured signal and correlation data
* **Google Cloud Storage** — signal metadata and artifact storage
* **DuckDB** — embedded analytical query engine for correlation workloads
* **Vertex AI (Gemini 2.5 Flash)** — RCA generation and `text-embedding-004` embeddings

### Encryption

* **In transit:** TLS 1.3 across all endpoints and service-to-service calls
* **Application layer:** OAuth tokens encrypted before storage
* **Secrets:** Managed in GCP Secret Manager with version control and access audit logs

### Authentication

* **User sessions:** Firebase Auth; tokens validated on every API call
* **Service-to-service:** GCP IAM service accounts; no long-lived credentials shared across services

### Multi-Tenant Isolation

Data is isolated at the application layer. Every record, query, and storage operation is scoped by organization identifier. Tenant boundaries are enforced regardless of storage backend.

### CSRF & Rate Limiting

* State token validation on all OAuth authorization flows
* Double-submit cookie pattern on all state-changing requests
* IP-based rate limits on all public-facing endpoints
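The two request-level checks listed above, shown as an added illustration (not Kosmos's own code): a single-use OAuth `state` value bound to the server-side session, and a double-submit CSRF cookie that safe methods skip but every state-changing method must satisfy. Cookie name, header name and function names are assumptions.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Constructed model of the checks: names and field layout are not Kosmos's.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def mint_oauth_state(session: dict) -> str:
    """Generate an unguessable state value and remember it in the server-side session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def verify_oauth_callback(session: dict, returned_state: Optional[str]) -> bool:
    """Accept the provider callback only if `state` matches the session's value.
    The stored value is consumed whether or not the check passes, so a state
    can never be replayed and a failed attempt does not leave it usable."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def mint_csrf_token() -> str:
    """Value set as the CSRF cookie; the client echoes it in a header on each request."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """Double-submit check: safe methods pass; state-changing methods require the
    cookie value and the echoed header value to be present and equal. A cross-site
    form post carries the cookie automatically but cannot set the header, so it fails."""
    if method.upper() not in STATE_CHANGING:
        return True
    cookie_val = cookies.get("csrf_token", "")
    header_val = headers.get("X-CSRF-Token", "")
    if not cookie_val or not header_val:
        return False
    return hmac.compare_digest(cookie_val, header_val)
```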

### Audit Trail & PII Redaction

Auth events, integration activity, and RCA generation are written to a structured audit trail. Email addresses and credentials are redacted before log emission.
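An added illustration of the "redact before emission" rule for the three event kinds named above (auth, integration activity, RCA generation); this is not Kosmos's code, and the event shapes, field names and patterns are constructed. Redaction recurses into nested objects so a bearer token buried in captured request headers is caught as well as a top-level field.

```python
import json
import re
from typing import Any

# Constructed patterns and key names; adjust to the real event schema.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Keys whose values are credentials and must never reach a log line.
SECRET_KEYS = {"access_token", "refresh_token", "password", "client_secret", "authorization"}


def _redact_value(key: str, value: Any) -> Any:
    """Redact one field: credential keys are replaced outright, strings have
    email addresses masked, and containers are walked recursively."""
    if key.lower() in SECRET_KEYS:
        return "[REDACTED]"
    if isinstance(value, str):
        return EMAIL_RE.sub("[EMAIL]", value)
    if isinstance(value, dict):
        return {k: _redact_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [_redact_value(key, v) for v in value]
    return value


def redact_event(event: dict) -> dict:
    """Return a redacted copy of an audit event; the input is left untouched."""
    return {k: _redact_value(k, v) for k, v in event.items()}


def emit_audit_line(event: dict) -> str:
    """Serialise the redacted event as the single JSON line that would be written."""
    return json.dumps(redact_event(event), sort_keys=True)


# Constructed sample events, one per event kind the audit trail covers.
SAMPLE_EVENTS = [
    {"type": "auth.login", "org_id": "org_123", "actor": "alice@example.com", "result": "ok"},
    {"type": "integration.sync", "org_id": "org_123", "source": "jira",
     "details": {"headers": {"Authorization": "Bearer abc.def.ghi"},
                 "note": "contact bob@example.com"}},
    {"type": "rca.generated", "org_id": "org_123", "incident": "INC-42",
     "summary": "Root cause confirmed with carol@example.com"},
]
```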

***

## Data Handling

### What Kosmos Reads

Signal metadata from connected systems: issues, tickets, commits, messages, and traces. All integrations operate on minimum required, read-only scopes.

### What Kosmos Stores

Signal metadata and correlation results only. Kosmos does not duplicate raw source records beyond what correlation requires. Data is stored in Cloud SQL (PostgreSQL), Google Cloud Storage, and DuckDB.

### Data Deletion

On contract termination, all customer data is deleted within **30 days**. Hard-delete is available on written request to <security@kosmoslabs.ai>.

### Subprocessors

* **Google Cloud Platform** — compute, storage, networking
* **Vertex AI (Gemini 2.5 Flash)** — RCA generation and `text-embedding-004` embeddings
* **Firebase Auth** — user authentication

A complete subprocessor list including notification providers is available on request.

***

## Connected Systems

### Generally Available

Jira · Salesforce · ServiceNow · Zendesk · GitHub · Bitbucket · GitLab · Azure DevOps · Slack · Linear · Pylon

### Preview

{% hint style="info" %}
**OpenTelemetry** is currently in preview. Supported observability platforms: Datadog, Grafana, Splunk, Dynatrace, AWS CloudWatch, Azure Monitor, Google Cloud Observability, and New Relic. Contact your account team to enable OTel for your organization.
{% endhint %}

***

## SOC 2 Certification Path

### ✅ Complete — Mar 2026 · Codebase Security Review

OWASP ZAP DAST scan across 247 endpoints. **0 high-severity findings.**

### ✅ Complete — Apr 2026 · Salesforce AppExchange Security Review

Kosmos passed the Salesforce AppExchange security review. The managed package is available for installation in production and sandbox Salesforce orgs. [View on AppExchange](https://appexchange.salesforce.com/appxListingDetail?listingId=a0NHu00000srMgrMAE).

### ✅ Complete — May 2026 · P0 Audit Blockers

Vendor risk register, data processing agreements (DPAs), and incident response plan finalized.

### 🟣 Targeted — Jun 2026 · SOC 2 Type 1 Audit

Auditor engaged for point-in-time controls assessment. Target completion **no later than June 30, 2026.**

### 🟣 Targeted — Q3/Q4 2026 · SOC 2 Type 2 Audit

Accelerated observation period based on scope. Type 2 report targeted Q3/Q4 2026.

***

## Security Contact

Security inquiries are answered within **1 business day**.

**Email:** <security@kosmoslabs.ai>

Available on request:

* Penetration test results
* Data Processing Agreement (DPA)
* Security questionnaire responses
* Complete subprocessor list

***

**Questions?** Contact <support@kosmoslabs.ai> | [app.kosmoslabs.ai](https://app.kosmoslabs.ai/)

© 2026 Kosmos AI Labs, Inc.
