1. Compliance Overview
Welcome to Cognify ("we," "our," or "us"). This Compliance document outlines the standards, obligations, and frameworks governing your use of our AI-powered Cognitive Task Analysis (CTA) platform, website, and related services (collectively, the "Services").
Cognitive Task Analysis is the research and understanding of how people think when performing any activity. Human nature and how our brains work makes this challenging — we embed assumptions, prerequisites, and tacit knowledge into our explanations without realizing it. For example, medical professionals often don't describe how they sanitize before procedures or all the choice points in their decision paths, yet those are vital steps. Historically, capturing this has required large teams of human researchers working for extended periods. Cognify addresses this with AI, enabling efficient knowledge capture from Subject Matter Experts (SMEs) and ensuring human knowledge is preserved as technology progresses.
By accessing, registering for, or using any portion of the Services — including the invite-only AI chat interface, the management area, or any generated artifacts — you acknowledge and agree to comply with these standards.
2. Scope & Applicability
This Compliance document applies to all users of the Cognify platform, including but not limited to:
- Subject Matter Experts (SMEs) Individuals invited to contribute procedural knowledge, decision logic, and domain expertise through the AI-guided chat interface.
- Topic Managers Users who manage topics, oversee individual conversations, and review aggregated responses within the management area.
- Administrators Organizational personnel with elevated privileges to configure access, assign roles, and govern knowledge capture workflows.
- Artifact Consumers Users who access, deploy, or distribute generated Gold Standard Protocols, GEL Lesson Plans, or Process Flowcharts.
The Services are provided on an invite-only basis. Access is granted at the discretion of Cognify and the sponsoring organization. Unsolicited access attempts or sharing of invitation credentials with unauthorized parties constitutes a violation of this Compliance document.
3. Data Handling & Privacy
Cognify recognizes that the knowledge captured through our platform may include highly sensitive procedural information, proprietary processes, clinical protocols, and trade secrets. Our data handling practices are designed to protect this information at every stage.
3.1 Data Ownership
You retain full ownership of all knowledge, processes, and expertise you contribute to the platform. Cognify does not claim intellectual property rights over the source content provided by SMEs or organizations. You grant Cognify a limited license to process, aggregate, and store your data solely for the purpose of delivering the Services.
3.2 Data Aggregation
When multiple SMEs contribute to a topic, their individual responses are aggregated into a single cohesive output. This aggregation process is performed within Cognify's secure infrastructure. Aggregated data remains associated with the originating topic and organization and is not cross-referenced or shared with other users or organizations.
3.3 Data Retention
Data is retained for the duration of your active use of the Services and for a period consistent with applicable legal and contractual retention requirements. Upon termination of your account or upon written request, you may export or request deletion of your data in accordance with our data retention policy.
All data is encrypted using AES-256 standard at rest and TLS 1.3 in transit. Encryption keys are managed via Hardware Security Modules (HSM).
Role-based access control (RBAC) ensures that users can only access data within their authorized scope. Invite-only access prevents unauthorized entry.
4. AI Usage Compliance
Cognify employs advanced AI models to guide conversations with SMEs, aggregate responses, and generate structured artifacts. The following compliance obligations apply to AI-assisted features:
-
autorenew
AI as a Facilitator, Not a Replacement. The AI chat interface is designed to guide SMEs through comprehensive knowledge capture. It does not replace human judgment, verification, or domain expertise. All generated outputs should be reviewed and validated by qualified personnel before deployment in operational or clinical environments.
-
warning
No Reverse Engineering. Users must not attempt to reverse engineer, decompile, extract prompts, or otherwise analyze the underlying AI models, algorithms, or system prompts used in the guided chat or aggregation processes.
-
policy
Permitted Use Only. The AI features must be used solely for legitimate knowledge capture, training generation, best practice identification, and process optimization. Use of the AI to generate misleading, harmful, or deceptive content is strictly prohibited.
-
visibility
Transparency of AI Involvement. When deploying generated artifacts, users are expected to disclose that AI was involved in the aggregation and structuring process. The source SMEs and the AI-assisted nature of the output should be documented where relevant.
-
fact_check
Human-in-the-Loop Verification. Cognify recommends that all aggregated responses and generated artifacts undergo human review before being adopted as official protocols or training materials. The platform is a tool for knowledge structuring, not a substitute for professional validation.
AI Training & Improvement
Cognify continuously refines its AI models to improve knowledge capture accuracy. While your contributions may inform model improvement, no raw SME data, proprietary processes, or identifiable knowledge is used to train foundational AI models shared across customers. Data isolation is maintained at the organizational level.
5. Generated Artifacts
Cognify generates three primary types of artifacts from aggregated SME knowledge. Each carries specific compliance considerations:
verified Gold Standard Protocol
A comprehensive, step-by-step protocol derived from aggregated SME knowledge. This artifact captures not only the overt steps but also the embedded assumptions, prerequisite knowledge, and decision points that experts often omit when describing their processes.
Compliance note: Gold Standard Protocols generated through Cognify should be reviewed and approved by qualified personnel before being adopted as official organizational procedures. The protocol represents a synthesis of SME inputs, not a verified standard.
school Guided Experiential Learning (GEL) Lesson Plan
A structured training document designed to facilitate hands-on learning based on the captured procedural knowledge. GEL Lesson Plans translate expert knowledge into teachable formats that preserve the depth and context of the original expertise.
Compliance note: When deploying GEL Lesson Plans for training purposes, ensure that learners are appropriately credentialed for the subject matter and that the training aligns with organizational competency requirements and regulatory obligations.
flowchart Process Flowchart
A visual representation of the procedural workflow, including decision points, branching paths, and sequential steps. Flowcharts provide an at-a-glance understanding of the complete process and are particularly useful for identifying optimization opportunities.
Compliance note: Process Flowcharts may reveal proprietary workflows or competitive advantages. Distribution of flowcharts should be controlled in accordance with your organization's information security and intellectual property policies.
All artifacts are generated within Cognify's secure environment and are accessible only to authorized users associated with the originating topic. Artifact ownership remains with the sponsoring organization.
6. Enterprise Compliance
Organizations using Cognify may be subject to additional compliance requirements depending on their industry, jurisdiction, and the sensitivity of the knowledge being captured.
medical_information Healthcare & Clinical
Cognify is designed to support clinical knowledge capture. Our data handling processes are SOC 2 Type II compliant. For HIPAA-regulated environments, please contact our enterprise team to discuss Business Associate Agreements (BAAs) and clinical deployment considerations.
gavel Regulatory Industries
Organizations in regulated industries (e.g., pharmaceuticals, aerospace, defense) should ensure that knowledge capture and artifact generation processes comply with applicable regulatory frameworks (e.g., FDA 21 CFR Part 11, ISO standards).
description MSA Supremacy
If you are operating under a separate Master Services Agreement (MSA) or Enterprise Agreement, that agreement takes precedence over this Compliance document in the event of any conflict.
handshake Data Residency
For organizations with data residency requirements, please contact our enterprise team to discuss regional data hosting options and cross-border data transfer compliance.
Cognify is committed to supporting enterprise compliance obligations but cannot guarantee that generated artifacts will satisfy all regulatory requirements specific to your industry or jurisdiction. Organizations are responsible for validating artifacts against their applicable regulatory frameworks before deployment.
7. Security Standards
Cognify maintains an ongoing security program designed to protect the integrity, confidentiality, and availability of all data processed through the platform. Key security commitments include:
-
shield
SOC 2 Type II Certification. Our platform undergoes independent audits to verify compliance with SOC 2 Trust Service Criteria for security, availability, and confidentiality.
-
security_update
Continuous Monitoring. Infrastructure is monitored 24/7 with automated alerting for anomalous activity, unauthorized access attempts, and configuration changes.
-
backup
Disaster Recovery & Business Continuity. Redundant systems and automated backups ensure data availability and recovery in the event of infrastructure failure. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined in enterprise SLAs.
-
admin_panel_settings
Access Management. Invite-only access, role-based permissions, and audit logging ensure that only authorized individuals can view or modify knowledge capture data.
-
bug_report
Vulnerability Management. Regular penetration testing, vulnerability scanning, and responsible disclosure processes are maintained. Critical vulnerabilities are addressed within agreed timeframes.
Users are also responsible for maintaining the security of their accounts, including using strong, unique passwords, enabling multi-factor authentication where available, and promptly reporting any suspected security incidents.
8. Governance & Auditing
Cognify supports organizational governance through audit trails, access logs, and activity reporting within the management area. These features enable organizations to maintain oversight of knowledge capture activities and ensure ongoing compliance.
8.1 Audit Trails
All user actions within the platform — including topic creation, conversation initiation, artifact generation, and data access — are logged with timestamps and user identifiers. These logs are retained in accordance with our data retention policy and may be accessed by authorized administrators for auditing purposes.
8.2 Compliance Updates
Cognify may update this Compliance document from time to time to reflect changes in technology, regulation, or our services. Material changes will be communicated through the platform or by direct notice. Continued use of the Services after such notice constitutes acceptance of the revised compliance standards.
8.3 Violations & Remediation
Violations of this Compliance document may result in suspension or termination of access to the Services. In cases of suspected misuse, unauthorized access, or data compromise, Cognify reserves the right to investigate, remediate, and report as required by applicable law.
If you have questions regarding compliance, wish to report a concern, or need assistance with your organization's specific regulatory requirements, please contact compliance@cognify.team.
Last Updated: July 1, 2026