Trust & Due Diligence
Last updated: April 16, 2026
This page exists so investors, regulators, enterprise buyers, and journalists can verify every claim we make. We separate what we can prove today from what we are working toward. If anything on this page is inaccurate, email [email protected] and we will correct it within 24 hours.
1. Legal Entity
- Entity: Cohesion Auth LLC
- Jurisdiction: Washington State, USA
- Status: Active
- Domain: cohesionauth.com (registrant on file)
- Planned restructure: Delaware C-Corp prior to institutional round (Stripe Atlas).
2. Intellectual Property
- Provisional patent: Filed April 13, 2026. 31 claims covering embedded judgment-measurement middleware, telemetry, scoring, and intervention protocols. Non-provisional deadline: April 13, 2027.
- Published research: SSRN preprint 6571519 — "Judgment Decay: A Measurement Framework for Human Oversight of AI." 19 peer-reviewed citations.
- Trademark: Pending for "COHESION" in Class 42 (computer services).
3. Regulatory Context
- EU AI Act Article 14 (human oversight): providers of high-risk AI systems must design them so that natural persons can effectively oversee them while in use. Article 14 applies to high-risk systems, not to general-purpose AI models, whose obligations sit in Chapter V. Application date: August 2, 2026 for most high-risk systems (Annex I product-embedded systems from August 2, 2027). Penalties for non-compliance with provider obligations such as Article 14 are up to €15M or 3% of global annual turnover, whichever is higher; the €35M / 7% tier applies to prohibited practices under Article 5. Source: Regulation (EU) 2024/1689, Articles 14, 99 and 113.
- NIST AI RMF: Our Judgment Independence Score maps to the MEASURE function (MS-1.1, MS-2.8, MS-4.1). Mapping documented and available on request.
- U.S. Workforce Pell: Public comment filed April 8, 2026. 5 attachments including N.C. Wired Belt exhibit.
4. Product & Technology Posture
- Scoring API: Deployed on Cloudflare Workers with D1 (SQLite). Strict per-origin allowlist (no wildcard), validated on preflight. Rate limited. Endpoint documentation: /api.
- Website transport: HTTPS everywhere via Cloudflare Pages. HSTS 180 days, includeSubDomains (preload scheduled for 2026-07-16 after 90 days of clean behavior).
- Content Security Policy: Strict CSP on all routes — no unsafe-inline for scripts, object-src 'none', base-uri 'self', form-action 'self'. Allowed third-party script domains are limited to Cloudflare Web Analytics and Cloudflare Turnstile (marketing pages only; /demo and /api retain a stricter CSP).
- Fonts: Self-hosted WOFF2. No runtime calls to Google Fonts or any third-party CDN.
- Analytics: See §4e.
4a. API Key Handling
- Hashed at rest. Customer API keys are stored as SHA-256 hashes of prefix|remainder|pepper. The pepper is held in Cloudflare Secrets Store and never appears in D1, logs, source control, or backups. A plaintext database dump is insufficient to impersonate a customer.
- Key format. ck_live_ + 26-character Crockford base32 (~130 bits of entropy from crypto.getRandomValues). The 8-character prefix after ck_live_ is indexed for lookup and is not a secret.
- Constant-time compare plus an 80 ms timing floor on every authentication outcome (unknown prefix, wrong hash, inactive organization, expired key, rate-limited). All auth failures return an identical response envelope ({"error":"UNAUTHORIZED",…}); the real reason is recorded to audit_log but never disclosed to the caller.
- Rotation & revocation. Keys can be rotated or revoked via authenticated admin calls. Rotated keys are displayed once and never re-retrievable from the service. Revocation is immediate.
- Deprecated transport. Passing the key in the POST body (api_key field) is deprecated as of 2026-04-17 and removed 2026-07-15. Requests using the deprecated path receive Deprecation: true + Sunset response headers.
4b. Rate Limiting (two layers)
- Layer 1 (per-IP, pre-auth). Cloudflare Workers Rate Limiting API. 60 requests / 60 seconds per client IP, enforced at the edge before any database touch or body parse. Rejected requests receive HTTP 429 with an integer Retry-After header per RFC 9110 (formerly RFC 7231).
- Layer 2 (per-key, post-auth). 1000 requests / 60 seconds per authenticated key (keyed on the 8-char prefix, never the plaintext), implemented as an atomic sliding-window counter in D1. Burst tolerant; abuse of a single key is capped at that key's quota rather than degrading the shared service.
- Both layers write to audit_log. Both return the same {"error":"UNAUTHORIZED",…} body shape, so the cause of a rejection cannot be recovered by diffing error bodies.
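An exact sliding-window limiter with the two tiers from §4b and an integer Retry-After, as an added example (not Cohesion's code). An in-memory Map stands in for both the Workers Rate Limiting API and the D1 rate-limit table; the IP addresses and the gate function's shape are this example's own:

```javascript
// Added example (not Cohesion's code): sliding-window rate limiting with the two
// tiers described in §4b. The Map stands in for the D1 table; on D1 the
// read-and-append must run as one atomic statement or batch so that two
// concurrent requests cannot both observe "one slot left" and both be admitted.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // id -> ascending timestamps still inside the window
  }

  // Decide one request by `id` at time `now` (ms). Window is (now - windowMs, now].
  check(id, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(id) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(id, recent); // a rejected request does not consume a slot
      // The oldest hit leaves the window at oldest + windowMs; round up to whole
      // seconds and never emit 0, which clients treat as "retry immediately".
      const retryAfter = Math.max(1, Math.ceil((recent[0] + this.windowMs - now) / 1000));
      return { allowed: false, remaining: 0, retryAfter };
    }
    recent.push(now);
    this.hits.set(id, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfter: 0 };
  }

  // Drop rows that fell out of the window (the page's cron purges D1 rows after 2 h).
  sweep(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [id, ts] of this.hits) {
      const keep = ts.filter((t) => t > cutoff);
      if (keep.length) this.hits.set(id, keep); else this.hits.delete(id);
    }
  }
}

const perIp = new SlidingWindowLimiter(60, 60_000);     // Layer 1: per client IP, pre-auth
const perKey = new SlidingWindowLimiter(1000, 60_000);  // Layer 2: per 8-char key prefix, post-auth

// Same body envelope as an auth failure; status and Retry-After carry the signal.
function rejectResponse(retryAfter) {
  return {
    status: 429,
    headers: { 'Retry-After': String(retryAfter), 'Content-Type': 'application/json' },
    body: { error: 'UNAUTHORIZED' },
  };
}

// Pipeline sketch: the IP tier runs before the body is parsed or any key is
// looked up; the key tier runs only once authentication has produced a prefix.
function gate(ip, authenticatedPrefix, now = Date.now()) {
  const ipCheck = perIp.check(ip, now);
  if (!ipCheck.allowed) return { layer: 1, ...rejectResponse(ipCheck.retryAfter) };
  if (authenticatedPrefix !== null) {
    const keyCheck = perKey.check(authenticatedPrefix, now);
    if (!keyCheck.allowed) return { layer: 2, ...rejectResponse(keyCheck.retryAfter) };
  }
  return { layer: 0, status: 200 };
}
```

Keying the second tier on the prefix rather than the plaintext means the rate-limit table never holds anything that would help an attacker even if it leaked, and filtering the timestamp list on every check keeps per-key memory bounded by the limit.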
4c. Bot Mitigation & Web Application Firewall
- Cloudflare WAF. Managed Ruleset and OWASP Core Ruleset deployed at paranoia level 2 with Managed-Challenge action. Requests to /api/* that carry an X-API-Key header skip the challenge via an explicit rule exception. The WAF rule can only test that the header is present and well-formed, not that the key is valid, so those requests are still authenticated by the Worker (§4a) and rate limited (§4b); /api/* requests without the header remain challenged.
- Turnstile. The contact form is protected by Cloudflare Turnstile with server-side verification against challenges.cloudflare.com/turnstile/v0/siteverify. Missing or invalid tokens yield HTTP 403; verification-service outages fail closed.
- We do not claim these layers prevent targeted attacks or zero-day exploits. They raise the bar for automated abuse.
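Server-side Turnstile verification with the fail-closed behaviour §4c describes, as an added example (not Cohesion's code). The siteverify URL, its form fields (secret, response, remoteip) and its JSON reply fields (success, error-codes, hostname, action) are Cloudflare's documented API; the expected hostname and action values, the 3-second timeout, the reason strings and the injected fetch are this example's assumptions:

```javascript
// Added example (not Cohesion's code): server-side Turnstile verification that
// fails closed. Cloudflare's siteverify replies HTTP 200 with success:false for
// an invalid, expired or replayed token (error code "timeout-or-duplicate");
// tokens are single-use and expire after 300 seconds.
const SITEVERIFY = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
const EXPECTED_HOSTNAME = 'cohesionauth.com'; // assumed: host the widget is served from
const EXPECTED_ACTION = 'contact';            // assumed: the widget's data-action value
const SITEVERIFY_TIMEOUT_MS = 3000;           // assumed

// Pure decision over the outcome of the siteverify call. Only a confirmed,
// hostname- and action-matching success yields 200; everything else, including
// an unreachable verification service, is 403.
function decideTurnstile(outcome) {
  if (outcome.kind === 'missing-token') return { status: 403, reason: 'TOKEN_MISSING' };
  if (outcome.kind === 'network-error') return { status: 403, reason: 'SITEVERIFY_UNREACHABLE' }; // fail closed
  if (outcome.kind === 'http' && outcome.status !== 200) {
    return { status: 403, reason: 'SITEVERIFY_HTTP_' + outcome.status };
  }
  const body = outcome.body;
  if (!body || body.success !== true) {
    const codes = (body && Array.isArray(body['error-codes'])) ? body['error-codes'] : [];
    return { status: 403, reason: 'TOKEN_INVALID:' + codes.join(',') };
  }
  // A token minted on another site or for another widget verifies fine at
  // Cloudflare; these two checks are what bind it to this form.
  if (body.hostname !== EXPECTED_HOSTNAME) return { status: 403, reason: 'HOSTNAME_MISMATCH' };
  if (body.action !== EXPECTED_ACTION) return { status: 403, reason: 'ACTION_MISMATCH' };
  return { status: 200, reason: 'OK' };
}

// fetchImpl is injected (globalThis.fetch in a Worker) so the decision logic can
// be exercised offline with constructed replies.
async function verifyTurnstile(token, remoteIp, secret, fetchImpl) {
  if (!token) return decideTurnstile({ kind: 'missing-token' });
  const form = new URLSearchParams({ secret, response: token });
  if (remoteIp) form.set('remoteip', remoteIp);
  const signal = AbortSignal.timeout ? AbortSignal.timeout(SITEVERIFY_TIMEOUT_MS) : undefined;
  let res;
  try {
    res = await fetchImpl(SITEVERIFY, { method: 'POST', body: form, signal });
  } catch (err) {
    return decideTurnstile({ kind: 'network-error', error: String(err) });
  }
  let body = null;
  try { body = await res.json(); } catch { body = null; }
  return decideTurnstile({ kind: 'http', status: res.status, body });
}
```

Keeping the decision pure makes the fail-closed property testable without a network: the outage case is just one more input that must map to 403, and a reviewer can see that no branch reaches 200 without success, hostname and action all checking out.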
4d. Cron-Driven Retention & Anomaly Detection
- Interaction retention. Telemetry is deleted after 24 months per COHESION Certification Spec §L1. A nightly Cloudflare Cron Trigger (03:00 UTC) paginates DELETEs in 10,000-row batches.
- Short-lived records. Rate-limit rows are purged after 2 hours; alerts and audit_log rows are purged after 90 days. Every cron run is logged in cron_runs.
- Monthly reset. Per-organization usage counters reset at 00:00 UTC on the first of each month; 12 months of history are preserved for audit.
- Volume-anomaly alerts. If an organization's 24-hour interaction rate exceeds 10× its 30-day rolling 95th percentile, a HIGH-severity row is inserted into alerts. The request is not throttled — rate limiting is a separate layer.
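The §4d volume-anomaly rule as an added example (not Cohesion's code), including the edge case the one-sentence rule leaves open: an organization with no or very little history has a 95th percentile of 0, so 10× that baseline would alert on every request. The minimum-history and baseline-floor constants are this example's assumptions, as are the constructed daily counts in the usage below:

```javascript
// Added example (not Cohesion's code): the §4d rule "24-hour rate > 10x the
// 30-day rolling p95 inserts a HIGH alert", with two guards that are this
// example's assumptions, not something the page states.
const ANOMALY_MULTIPLIER = 10;
const MIN_HISTORY_DAYS = 7;  // assumed: too little history -> no alert rather than a storm
const MIN_BASELINE = 100;    // assumed floor, interactions/day, so an idle org's p95 of 0 is not the baseline

// Nearest-rank percentile: the p-th percentile is the ceil(p/100 * n)-th smallest
// value. With 30 samples, p95 is the 29th smallest, so one prior spike day does
// not inflate the baseline; two would.
function percentileNearestRank(values, p) {
  if (values.length === 0) return 0;
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p / 100) * sorted.length));
  return sorted[rank - 1];
}

// `history`: per-day interaction counts for one organization, oldest first.
// `todayCount`: the trailing 24-hour count. Returns the alerts row to insert,
// or null. The caller does not throttle; see §4b for that.
function volumeAnomaly(orgId, history, todayCount, now = Date.now()) {
  if (history.length < MIN_HISTORY_DAYS) return null;
  const p95 = percentileNearestRank(history.slice(-30), 95);
  const baseline = Math.max(p95, MIN_BASELINE);
  const threshold = ANOMALY_MULTIPLIER * baseline;
  if (todayCount <= threshold) return null;
  return {
    org_id: orgId,
    severity: 'HIGH',
    kind: 'VOLUME_ANOMALY',
    observed: todayCount,
    baseline_p95: p95,
    threshold,
    created_at: now,
  };
}

// Constructed sample: 29 ordinary days around 200/day and one earlier spike.
const SAMPLE_HISTORY = Array.from({ length: 30 }, (_, i) => (i === 10 ? 5000 : 200));
```

With the constructed history above the p95 is 200 (the single 5000 day is the 30th value and falls outside the 29th rank), so the threshold is 2000: a day of 2001 interactions alerts, 2000 does not, and a freshly onboarded organization with three days of data never does.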
4e. Analytics & Privacy
- Cloudflare Web Analytics runs on marketing pages only (/, /trust/, /humanity/, /enterprise/, /research/). Cookieless, no client-side state, no IP collection, no fingerprinting, no cross-site tracking, no free-text capture.
- The /demo/ and /api/ surfaces deliberately run no analytics. The demo's consent-gated telemetry is a separate, opt-in layer documented inside the demo itself.
- No GDPR consent banner is required for Cloudflare Web Analytics. We respect the DNT header should a client set it.
4f. Future Work (Not Yet Deployed)
- Cloudflare Access on a future /v1/admin/* surface (requires Cloudflare Zero Trust, formerly Cloudflare Teams; paid plan). Documented but not implemented this cycle.
- HSTS preload submission to hstspreload.org after 2026-07-16 (90 days of clean HSTS behavior). Submission also requires a max-age of at least 31536000 seconds (one year), includeSubDomains, and the preload directive, so the current 180-day max-age must be raised before submitting.
- SOC 2 Type I audit planned post-seed; Type II in year two.
5. Data Handling
- Demo telemetry is collected only after explicit consent. We do not collect IP addresses, device fingerprints, user agent strings, geolocation, or any free-text reasoning. Each session uses a fresh random identifier not linked to any prior session.
- No PII is stored in the scoring API's D1 database.
- Contact form data (name, email, company, message) is stored only to respond to inquiries. We do not sell, rent, or share.
- Full data practices: Privacy Policy.
6. What We Do Not Claim
We believe transparency about the boundary of our claims matters more than the claims themselves.
- We are not SOC 2 audited. SOC 2 Type I is planned after seed funding; Type II in year 2.
- We are not ISO 27001 certified.
- We are not FedRAMP authorized.
- We do not currently have HIPAA, GDPR, or PCI attestations. (Demo stores no PHI, no EU personal data, and no card data.)
- We are pre-revenue. We have signed pilot interest but no closed-won paid deployments at time of writing.
- We have no independent clinical validation of the Judgment Independence Score. Citations backing the 7 dimensions are published peer-reviewed work in human-factors, but the composite score itself has not yet been validated in a peer-reviewed clinical trial.
- We do not claim any enforcement action under the EU AI Act has been brought against a customer. The Act's Article 14 enforcement date is August 2, 2026; no case law exists yet.
- We do not claim endorsement by any regulator, standards body, or academic institution.
7. Responsible Disclosure
If you find a security issue, please email [email protected] with "SECURITY" in the subject. We will acknowledge within 72 hours. We do not yet have a formal bug bounty; we will credit researchers publicly with permission.
8. Due Diligence Contact
For investor, regulatory, or enterprise due diligence requests, contact:
Peyton Flock, Founder
COHESION — Cohesion Auth LLC
Email: [email protected]
Phone: (509) 530-1091
Washington State, USA
9. Change Log
- 2026-04-17: Add §4a–4f: hashed-at-rest API keys with pepper, two-layer rate limit, WAF + Turnstile bot mitigation, cron-driven retention & anomaly detection, cookieless Web Analytics, future-work list. HSTS rolled back to 180 days (preload scheduled 2026-07-16 after 90-day soak).
- 2026-04-16: Initial publication of Trust page.