// Trust & Security Report
Cognii, Inc.
AI-powered educational technology suite for K-12, higher education, and corporate training: Virtual Learning Assistant (conversational tutoring chatbot), Assessment Engine (NLP open-response grading), Analytics Platform (instructor dashboards), and Authoring Tools. Integrates via LTI, hosted SaaS, or API.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: cognii.comNo public evidence. No SOC 2 report or attestation found on cognii.com, in search results, or in any third-party listing. Multiple security/trust path attempts (cognii.com/security, /trust, /data-security, /compliance) returned HTTP 404.
source: cognii.comNo public evidence. ISO 27001 certificate or scope document not found on cognii.com or in any external search result.
source: cognii.comNo public evidence. HIPAA is not mentioned on cognii.com. The company operates in EdTech, not healthcare, and no BAA or HIPAA compliance statement was found.
source: cognii.comGDPR rights acknowledged for EU residents in the privacy policy: 'Under GDPR, if you are an EU resident, you may request that we provide access to and/or a copy of certain information we hold about you [...]'. No DPA is published and no formal GDPR adequacy documentation is offered. Privacy policy last updated March 20, 2019 and may not reflect current GDPR obligations.
source: cognii.comFERPA posture is asserted, not certified. Privacy policy states: 'Our collection and use of Student Data provided by a Teacher or School is governed by our Terms of Service and by the provisions of the Family Educational Rights and Privacy Act (FERPA).' No independent FERPA audit or certification is documented.
source: cognii.comNo public evidence. ISO 42001 not mentioned on cognii.com or in any external source.
source: cognii.comNo public evidence. CSA STAR not mentioned on cognii.com or in any external source.
source: cognii.comNo public evidence. PCI DSS not mentioned. Billing information is collected but no PCI compliance statement is published.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States primarily. Policy states: 'Your information collected through the Service may be stored and processed in the United States or any other country in which Cognii or its subsidiaries, affiliates or service providers maintain facilities.' No specific cloud provider or data residency commitment is disclosed.
Unknown and unaddressed. The privacy policy (last updated March 2019, predating modern AI training disclosures) permits Cognii to 'collect, analyze, and share anonymized or aggregated data or data derived from Student Data for certain purposes, but only if the disclosure of such data could not reasonably identify a specific individual or specific School.' Whether this clause covers AI model training is not clarified. No opt-out mechanism for AI training is mentioned. The policy is silent on generative AI or model training entirely.
// Security controls
Encryption in transit
SSL/TLS. Privacy policy states: 'We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information.'
cognii.comEncryption at rest
Partially implied. Privacy policy mentions 'data encryption' among security safeguards but does not specify encryption at rest or the algorithm used.
cognii.comAccess controls
Limiting access to personal data to employees who require it to perform their job functions, per privacy policy.
cognii.comEmployee training
Privacy policy states Cognii provides 'periodic training for its employees involved in the collection and dissemination of Student Data.'
cognii.comData retention and deletion
Data retained only as long as necessary to deliver services. Deleted upon account deletion request, with a 1-year backup retention period after deletion.
cognii.comThird-party security assessment
None found. No penetration tests, SOC reports, or third-party security audits are publicly disclosed.
cognii.comIncident response / breach notification
Not addressed in the publicly available privacy policy or terms.
cognii.com// Products & data scope
data: Student responses, learning session data, email addresses, class roster data provided by teachers.
Chatbot-style tutoring that collects open-ended student answers. Student data owned and controlled by the School/Teacher per privacy policy. No AI training opt-out disclosed.
data: Student written responses, grading data, instructor-authored rubrics.
NLP-based scoring; accuracy described as 'comparable to human scoring.' No independent validation or third-party audit of the NLP pipeline disclosed.
data: Aggregated and individual student performance data, session replay data.
Real-time dashboards with concept-level insights. Session replay raises additional privacy considerations not addressed in the 2019 privacy policy.
data: Instructor-created content, assessment items.
Content creation interface for educators. Data scope is primarily instructor-generated material.
// What to watch
- OUTDATED PRIVACY POLICY: Last modified March 20, 2019. Does not address AI model training, generative AI, modern data transfer mechanisms (SCCs replacing Privacy Shield), or current GDPR obligations. Material gap for a company handling K-12 student data.
- NO FORMAL SECURITY CERTIFICATIONS: No SOC 2, ISO 27001, HIPAA, or equivalent found for a platform that processes student data including minors. Dedicated security/trust pages return HTTP 404.
- AMBIGUOUS AI TRAINING CLAUSE: The 2019 privacy policy permits use of anonymized/aggregated student data 'for certain purposes' without defining whether AI model training is included. No opt-out is offered. This is a material flag for an AI-native EdTech company.
- NO DPA AVAILABLE: No Data Processing Agreement (DPA) found publicly. Required for GDPR-compliant data controller/processor relationships with EU institutions.
- VERY SMALL COMPANY: Reported ~$641K revenue and ~1-person team in 2024 (per Latka). Raises questions about the capacity to maintain and audit a security program at the level expected for an EdTech platform handling minors' data.
- VAGUE DATA REGION: Policy states data may be processed in 'the United States or any other country in which Cognii or its subsidiaries, affiliates or service providers maintain facilities.' No specific commitment to US-only or EU data residency.
- NO BREACH NOTIFICATION POLICY: Privacy policy and terms do not address incident response or data breach notification timelines.
- STUDENT DATA INCLUDES MINORS: Children under 13 require parental permission per policy, but no COPPA certification or FTC SafeHarbor seal is claimed.
// At a glance
Pricing model
Not publicly disclosed. Contact sales model. Integrations via LTI, hosted SaaS, or API. Likely per-institution or per-seat contract pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cognii, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cognii.com