Cognite Security Appendix

This Security Appendix (“Security Appendix”) is an integral part of the Master Subscription and Professional Services Agreement, and/or such other agreement entered into between the Customer and Cognite (the “Agreement”). Capitalized terms used but not defined in this Security Appendix shall have the meaning set out in the Agreement.

This Security Appendix further describes the technical and organizational measures referred to in the Agreement, and applies to both the Subscription Items and the Professional Services.

Cognite maintains the security measures described in this Security Appendix as part of its organization-wide information security program (the "Security Program"). Cognite may update these measures from time to time, provided that any update maintains a comparable or better level of protection for Customer Data and does not materially reduce the overall level of security afforded under this Security Appendix.

Cognite makes its current certifications, attestations, audit reports, and sub-processor list available through the Cognite Trust Centre (https://trust.cognite.com), which is updated from time to time.

To the extent this Security Appendix and the Data Processing Agreement both address measures applicable to Personal Data, the Data Processing Agreement shall, in case of conflict with the Security Appendix, prevail with respect to Processing of Personal Data. For the purposes of this Security Appendix, the terms "Processing" and "Personal Data" shall have the meanings given to them in the Data Processing Agreement.

1. Deployment Model

1.1 Architecture

The Subscription Items are provided as a software-as-a-service platform hosted on the infrastructure of established cloud service providers. The platform is built on a microservices architecture deployed across Cognite's chosen cloud service provider infrastructure using container-based orchestration. All Customer Data processed by Cognite in the delivery of the Subscription Items resides within the Customer's designated cluster and project, as described below. Cognite does not operate its own data centres. The security and physical controls applicable to the underlying infrastructure are provided by the relevant cloud service provider, as described in the physical and environmental controls section of this Security Appendix.

1.2 Shared Responsibility Model

The Subscription Items are provided under a shared responsibility model in which both Cognite and the Customer have defined security responsibilities. Cognite is responsible for the security of the infrastructure, platform, and systems used to deliver the Subscription Items, as described in this Security Appendix. The Customer is responsible for its configuration and use of the Subscription Items and for the security of its own environment, systems, and users, including without limitation the configuration of its identity provider, the management and safeguarding of access credentials, the security of its source systems and network connections, and compliance with applicable laws in its use of the Subscription Items. Cognite publishes its shared responsibility model through the Cognite Trust Centre (https://trust.cognite.com), which provides further technical guidance on the allocation of responsibilities between the parties.

1.3 Data Storage

Customer Data is stored within a CDF cluster - the cloud environment in which the Customer's CDF organisation is deployed. Customers may be provisioned on a multi-tenant cluster, in which cloud storage and computing resources are shared with other Cognite customers using logical isolation controls, or on a dedicated cluster, in which cloud storage and computing resources are used exclusively by the Customer's organisation. In either case, Customer Data within a CDF project is logically isolated from the data of other customers. The cluster and cloud service provider applicable to the Customer are set out in the Order Form. Cognite shall not move Customer Data from the designated cluster without the Customer's prior written consent.

2. Deployment Regions

Customers select the region in which their CDF organisation is deployed from the regions made available by Cognite at the time of provisioning. Available regions span Microsoft Azure, Amazon Web Services, and Google Cloud Platform, across North America, Europe, Middle East, Asia Pacific, Japan, Brazil, and India. The current list of available regions and their corresponding cloud service providers is published at docs.cognite.com/cdf/admin/clusters_regions and is updated as new regions are made available. Cognite shall not transfer or replicate Customer Data to a region other than the Customer's designated region without the Customer's prior written consent, except as required to deliver the Subscription Items or as required by applicable law.

3. Certifications, Audits, and Reporting

3.1 Independent Third Party Audits

The Security Program is audited by independent third parties at least annually.

3.2 Certifications and Attestations

Cognite uses independent third-party auditors to assess the Cognite Security Program annually, as described in the following audits, regulatory standards, and certifications:

  • SOC 2 Type II
  • ISO/IEC 27001
  • ISO/IEC 27018

3.3 Access to Reports

The Customer may access available audit reports and certificates through the Cognite Trust Centre (https://trust.cognite.com), subject to the applicable access terms.

3.4 Continuity of Assurance

If Cognite ceases to maintain any certification referred to above, Cognite shall adopt or maintain an equivalent industry-standard framework.

4. Administrative Controls

4.1 Security Program and Governance

Cognite maintains the Security Program based on industry-recognized frameworks. The Security Program is approved by Cognite management, supports the measures set out in this Security Appendix, and is reviewed at least annually.

4.2 Security Organization and Oversight

Cognite maintains an executive function responsible for information security (such as a Chief Information Security Officer or equivalent), with defined roles and responsibilities for the Security Program.

4.3 Information Security Management System (“ISMS”)

Cognite has implemented a formal Information Security Management System (“ISMS”) in order to protect the confidentiality, integrity, authenticity, and availability of data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations.

4.4 Information Security Policies and Standards

Cognite maintains written security policies and standards, which are communicated to personnel and designed to protect the confidentiality, integrity, and availability of Customer Data.

4.5 Security Risk Management

Cognite maintains a comprehensive security risk management program, overseen by Cognite's Information Security Risk Committee, that identifies, assesses, and addresses security risks to the Subscription Items and Professional Services in order to protect the confidentiality, integrity, and availability of Customer Data.

4.6 Third-Party Risk Management

Cognite maintains a comprehensive third-party risk management program that assesses the security compliance of applicable third parties, including vendors and sub-processors, in order to appropriately measure and manage risk to Customer Data and the Subscription Items.

4.7 Change Management

Cognite maintains a documented change management policy, reviewed at least annually.

4.8 Personnel Screening

Cognite conducts background checks on all personnel prior to commencement of employment, to the extent permitted by applicable law. Checks are conducted through a third-party screening provider and are calibrated to the jurisdiction and role in question. They may include, where permitted, criminal record checks, verification of employment history, education verification, and/or screening against applicable sanctions and watchlists. All personnel are required to enter into written confidentiality agreements as a condition of employment.

4.9 Training and Awareness

Cognite provides security awareness training to all personnel upon hire, at least annually thereafter, and as needed in response to material changes to the threat environment or Cognite's security policies and procedures. Personnel are required to acknowledge and agree to Cognite's applicable security policies and procedures as a condition of onboarding, and to re-acknowledge them following any material update. Personnel who fail to complete required training or to provide required acknowledgements are subject to appropriate disciplinary measures.

4.10 Access Control

Cognite maintains documented processes for granting and revoking personnel access to systems used in the delivery of the Subscription Items. Access is granted on the basis of a verified business need and subject to appropriate approval. Upon a personnel member's termination of employment or change of role, access rights are revoked promptly and Cognite-issued assets are recovered as part of a formal offboarding process.

4.11 Least Privilege

Cognite restricts access to systems and Customer Data in accordance with the principles of least privilege and need-to-know.

4.12 Access Reviews

Cognite reviews personnel access rights at least quarterly to identify and remediate access that is excessive, outdated, or inconsistent with a personnel member's current role.

4.13 Logging and Monitoring

Cognite maintains logging and monitoring controls across systems used to deliver the Subscription Items, designed to detect and respond to unauthorized access attempts and anomalous activity. The technical implementation of these controls is described in Section 7 of this Security Appendix.

5. Physical and Environmental Controls

5.1 Corporate Offices

Cognite maintains physical and administrative safeguards at its corporate offices, including controlled access at entry points, visitor sign-in and escort requirements, badge-based access for personnel with regular privilege reviews, closed-circuit surveillance, and inventory tracking of Cognite-issued equipment and assets. Office networks are protected against unauthorized connection.

5.2 Cloud Service Provider Data Centers

Cognite hosts the Subscription Items on the infrastructure of established cloud service providers whose data centres are independently audited against recognized frameworks including ISO/IEC 27001 and SOC 2. Cognite reviews applicable cloud service provider certifications as part of its Security Program and requires that providers maintain appropriate physical and environmental controls, including controlled facility access, continuous security monitoring, fire detection and suppression, environmental controls, and power redundancy.

6. Hosting and Subcontractors

6.1 Cloud Hosting Model

The Subscription Items are provided as software-as-a-service and are hosted on the infrastructure of established cloud service providers. The applicable cloud provider terms for the Subscription Items are as referenced in the Agreement.

6.2 Subcontractors

Cognite maintains a third-party risk management process for the subcontractors used to deliver the Subscription Items and Professional Services. Cognite’s current subcontractors in the provision of the Subscription Items are listed at https://www.cognite.com/en/company/legal/cognite-sub-processors.

The Processing of Personal Data by sub-processors is governed by the Data Processing Agreement, including the engagement of sub-processors that Process Personal Data, and the Customer’s related notification and objection rights.

7. Technical Security Controls

7.1 Access Control

Cognite manages access to the production systems used to deliver the Subscription Items through technical controls that enforce the administrative policies set out in Section 4. Each member of Cognite personnel is issued a unique identifier and is prohibited from sharing credentials. Technical controls are used to enforce role-based access, prevent unauthorized access, and ensure that access rights are consistent with the principles of least privilege and need-to-know described in Section 4.

7.2 Privileged and Administrative Access

Privileged and administrative access to the production environment used to deliver the Subscription Items is restricted to personnel for whom such access is operationally necessary and is subject to enhanced technical controls including multi-factor authentication. Privileged access rights are reviewed at least quarterly in accordance with Section 4.12.

7.3 Authentication and Authorization

Cognite requires multi-factor authentication for access to the production systems used to deliver the Subscription Items. Cognite enforces password requirements addressing minimum length, complexity, and expiry, and applies automatic session timeout and screen lock controls. Authorization is enforced through role-based access controls aligned with each personnel member's designated responsibilities.

7.4 Audit Logging and Monitoring

Cognite maintains audit logs of security-relevant events across the systems used to deliver the Subscription Items and monitors those systems for unauthorized access attempts and anomalous activity. Logs are retained for a minimum of twelve months, protected against unauthorized access, modification, and deletion, and are available to Customer upon written request as further described in the Online Documentation.

7.5 Encryption In Transit

Cognite encrypts Customer Data in transit using TLS 1.2 or higher. Weak protocol versions and vulnerable cipher suites are excluded from Cognite's accepted configuration. Cryptographic standards are reviewed periodically.

7.6 Encryption At Rest

Cognite encrypts Customer Data at rest using AES-256 encryption. Encryption at rest is implemented using the default encryption capabilities of Cognite's cloud service providers, with encryption keys managed by the applicable cloud service provider. Cryptographic standards are reviewed periodically.

7.7 Data Segregation

Where the Subscription Items are provided on a multi-tenant basis, Cognite employs logical controls designed to segregate Customer Data from the data of other customers. Access to Customer Data is controlled through the Customer's own identity provider.

7.8 Network Security and System Hardening

Cognite maintains a layered network security architecture designed to protect the production environment used to deliver the Subscription Items. Controls include network-level isolation between development and production environments, firewall and load balancer controls governing ingress and egress traffic, and service-to-service isolation within the production environment. System configurations and baseline settings are documented, maintained, and reviewed against industry-standard hardening practices. Configuration changes are subject to security review and approval prior to introduction into the production environment in accordance with Cognite's change management process.

7.9 Security Event Logging

Cognite maintains immutable logs of security-relevant events across the infrastructure and systems used to deliver the Subscription Items, including access attempts, authentication events, and anomalous activity detected by Cognite's intrusion detection and prevention systems. Security logs are protected against unauthorized access, modification, and deletion, and are retained for a minimum of twelve months.

7.10 Security Monitoring and Threat Detection

Cognite continuously monitors the infrastructure, services, accounts, and logs used to deliver the Subscription Items for security-relevant events, anomalous activity, and unauthorized access attempts. Monitoring is performed on a twenty-four hour, seven day per week basis using a combination of automated tooling and security specialist oversight. Cognite maintains detection, alerting, and response capabilities designed to identify and contain security threats in a timely manner.

7.11 Malware Protection

Cognite protects the production environment used to deliver the Subscription Items against malicious code and intrusions through platform-level threat detection capabilities provided by its cloud service providers, using current threat telemetry. Cognite-managed devices used to develop and operate the Subscription Items are protected by anti-malware software.

7.12 Vulnerability Management and Remediation

Cognite maintains a continuous vulnerability management process covering network scanning, container scanning, dependency scanning, and static code analysis. Vulnerabilities are identified using industry-standard tools referencing the Common Vulnerabilities and Exposures (CVE) framework, logged, assigned a named owner, and prioritized for remediation based on assessed risk and potential impact to the Subscription Items. Cognite shall use commercially reasonable efforts to remediate verified vulnerabilities within the following target timeframes, measured from the date a vendor-supplied patch becomes available for publicly disclosed third-party vulnerabilities, or the date the vulnerability is confirmed for internally identified vulnerabilities:

  • Critical: 15 days
  • High: 30 days
  • Medium: 90 days
  • Low: 120 days

Cognite maintains a vulnerability disclosure policy, available through the Cognite Trust Centre (https://trust.cognite.com).

7.13 Secure Software Development and Change Management

Cognite maintains a Secure Software Development Life Cycle ("SSDLC") governing the development of the Subscription Items, incorporating criteria for secure design and release, protection of source code from unauthorized access and tampering, and identification and management of known vulnerabilities. Material changes to the Subscription Items are subject to formal change management processes designed to ensure that changes are planned, tested, and approved prior to deployment, including processes governing both regular and emergency changes.

7.14 Penetration Testing

Cognite engages independent third parties to conduct penetration testing of the Subscription Items at least annually. Findings are tracked and remediated in accordance with Cognite's vulnerability management process. Executive summaries of penetration test results are available to customers through the Cognite Trust Centre (https://trust.cognite.com), subject to applicable access terms. Cognite maintains a vulnerability disclosure policy through which security researchers and customers may report suspected vulnerabilities, available through the Cognite Trust Centre (https://trust.cognite.com).

8. Resilience, Availability, and Backups

8.1 Backups

Cognite maintains automated backups of Customer Data and system components used to deliver the Subscription Items. Backup schedules, retention periods, and restore procedures are set out in the Cognite SLA. Cognite offers two restore approaches depending on the nature and scope of a data loss event: a full cluster restore for infrastructure or data integrity loss across the platform, and a CDF project restore for incidents limited to one or a limited number of customer projects. The Customer remains responsible for maintaining its own backups of data in its source systems and for resuming data feeds from the relevant restore point following any recovery event.

8.2 Business Continuity and Disaster Recovery

Cognite maintains business continuity and disaster recovery plans designed to support the restoration of the Subscription Items following a disruptive event. Availability commitments, including recovery time and recovery point objectives, are set out in the Cognite SLA. Disaster recovery is tested at least twice per year through multi-service exercises engaging all Cognite service teams, as well as through single-service tests for new or significantly changed services prior to production deployment. Security controls are maintained consistently between the production and disaster recovery environments.

8.3 Secure Data Deletion and Return

Upon expiration or termination of the Agreement, Cognite shall securely delete or return Customer Data in accordance with the Agreement. Deletion is carried out using industry-standard methods designed to render Customer Data unrecoverable. Where Customer Data is stored on media that cannot be securely overwritten, the relevant media is physically destroyed or rendered inaccessible prior to disposal.

9. Security Incident Management

9.1 Incident Response Program

Cognite maintains a formalized security incident response policy as part of the Security Program, defining roles, responsibilities, and internal processes for detecting, managing, and resolving security incidents. Cognite's incident management team conducts incident response testing and exercises on a regular basis. Cognite maintains an internal significance assessment process, aligned with applicable regulatory frameworks, to determine whether and when notification obligations are triggered.

9.2 Definition of Security Event

For the purposes of this Security Appendix, a "Security Event" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Customer Data under Cognite's control. For the avoidance of doubt, the definition of Security Event in this Security Appendix applies solely for the purposes of the notification and response obligations set out in this Section 9 and does not limit or modify the definition of that term in the Agreement.

A Security Event does not include: a security occurrence that Cognite is investigating but has not confirmed; or an unsuccessful attempt or activity that does not result in actual unauthorised access to or compromise of Customer Data, including without limitation failed login attempts, port scans, denial of service attacks, firewall probes, broadcast attacks, or packet inspection that does not result in access beyond network headers.

Where a Security Event involves the Processing of Personal Data, it shall also constitute a Personal Data Breach as defined in the Data Processing Agreement, and the notification obligations for Personal Data Breaches in the Data Processing Agreement shall apply in addition to those set out below.

9.3 Incident Classification and Investigation

When Cognite becomes aware of a potential security occurrence, Cognite's security team shall conduct a prompt investigation to determine whether a Security Event has occurred and, if so, its nature and scope. Cognite shall conduct this investigation without undue delay. The notification obligations set out below are triggered upon Cognite's confirmation that a Security Event has occurred - not upon Cognite becoming aware of a potential occurrence under investigation. Where Cognite determines that a confirmed Security Event constitutes a significant incident under applicable law, Cognite's separate regulatory notification obligations to competent authorities apply independently of and in addition to the contractual notification obligations to the Customer set out below.

9.4 Customer Notification

Upon confirming that a Security Event has occurred in accordance with the classification process described above, Cognite shall notify the affected Customer without undue delay and no later than 48 hours from the date and time of that confirmation. For the avoidance of doubt, the 48-hour period runs from the point at which Cognite confirms that a Security Event has occurred following its investigation - not from the point at which Cognite first becomes aware of a potential occurrence under investigation.

Cognite's notification shall include the information then available, which may include: a description of the nature of the Security Event; the categories of Customer Data affected; the approximate number of records or users concerned; the likely consequences of the Security Event; and the measures taken or proposed by Cognite to address it. Where information is not yet available at the time of initial notification, Cognite shall provide further updates as the investigation progresses. Cognite's notification does not constitute an acknowledgement or admission of fault or liability. Where a Security Event constitutes a Personal Data Breach, notification obligations are governed by the Data Processing Agreement.

9.5 Post Incident Review

Following resolution of a Security Event that has impacted Customer Data, Cognite shall conduct a post-incident review including root cause analysis and lessons learned. A summary of the root cause analysis may be shared with the affected Customer upon request, subject to Cognite's confidentiality obligations and without prejudice to any ongoing investigation or legal proceedings.

9.6 Confidentiality of Incident Information

Cognite shall maintain confidentiality regarding the specific nature and impact of a Security Event on a given Customer. The Customer acknowledges that a Security Event may affect more than one Cognite customer and that Cognite may be required to notify other affected parties and regulatory or supervisory authorities in connection with an ongoing Security Event.

10. Compliance Assurance

Cognite demonstrates compliance with its security obligations under this Security Appendix through the maintenance of industry-recognised certifications and independent audit programmes, currently including SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27018, together with other third-party audit reports or attestations published in the Cognite Trust Centre (https://trust.cognite.com). Audits in connection with such programmes are conducted by independent qualified auditors at least annually, and the resulting reports and certifications are made available to the Customer through the Cognite Trust Centre, cf. Section 3.3.

Such independent audit reports and certifications, together with executive summaries of penetration test results and additional materials made available through the Cognite Trust Centre, serve as evidence of Cognite's compliance with the Security Program and the security obligations set out in this Security Appendix.