Every design decision at CookieAI starts with one question: does this protect client data? From encryption primitives to deployment topology, security is the foundation, not an afterthought.
Data Sovereignty
Two deployment models, one commitment: your data remains under your control at all times.
Technical Security
AES-256-GCM at rest. TLS 1.3 in transit. HTTPS everywhere, no exceptions. Your data is unreadable to anyone without the keys.
Two-factor authentication (TOTP). Session management with 256-bit entropy tokens. Maximum 10 concurrent sessions per user.
Role-based permissions with strict team isolation. Leaders maintain oversight of member conversations. No cross-team data leakage.
Fail2ban protection against SSH brute force and bot scanning. Rate limiting on all API endpoints. Automated threat response.
FADP-compliant access logging. Full data export capability on request. Right to erasure honored within 48 hours.
Nginx with strict security headers: HSTS, Content Security Policy, X-Frame-Options. No unsafe-eval. Server tokens hidden from all responses.
Compliance
CookieAI meets the requirements of Swiss and European data protection law by design, not by bolt-on compliance.
Full compliance with the Swiss Federal Act on Data Protection. Right to erasure, data export on request, and comprehensive access logging are built into every deployment.
Compliant with the EU General Data Protection Regulation. Data minimization by default, explicit consent management, and the right to be forgotten are core platform capabilities.
No data is sent to third-party AI services like OpenAI or Anthropic. On-premise deployments process everything locally. CookieAI runs Qwen3 30B, a fully auditable open-source model. You can inspect every layer of the stack.
Our Commitments
Clear boundaries matter more than vague promises. Here is what we will never do with your data.