How Cosmo meets Compliance Requirements and Saves Onboarding Time

Björn Schwenzer


One of the most frustrating things about introducing new software or working with a new vendor is the due diligence process needed to satisfy information security and privacy requirements. You’ve made a decision, but then everything gets slowed down by the compliance review, when all you want is to get going and show some results. Fortunately, Cosmo is an easy sell to your CISO and legal team. Here is why.

Select software / vendors smartly to minimize due diligence effort

I’ve been there, and I feel you. :) If you work as a dev, it’s super easy to just sign up for some cool service, check it out, and then decide that you want to use it because it makes your life so much easier (and, after all, it’s cool, right?). You talk to your manager, she agrees, budget is approved, and then there’s this tiny final step where you’re talking to your compliance folks. And then the fun starts.

Of course, due diligence is a good idea for new software and new suppliers, don’t get me wrong. While it can be a pain in the rear, it safeguards your company from costly mistakes and potential legal implications. However, these checks take their time, and you’d better not try to rush them. So what can you do to make sure you’re not stuck in a process that takes months for a solution you need now?

Simple answer: look for software where security and privacy, the core components of compliance, are part of the design and built in from the ground up.

Compliance starts with the design

When we created Cosmo, we knew that the solution would be running at the core of business operations, passing sensitive data between services. Having built our WunderGraph API Integration SDK before gave us a head start, not least because we were able to talk with many users of the BFF framework about their needs in their specific setups.

We believe in open-source software, also because it has several advantages over closed-source / proprietary software when it comes to compliance:

  • Transparency: anyone can review / audit the code
  • Customizability: changes can be made to meet specific requirements
  • Community: lots of eyeballs being able to spot security flaws or anything fishy you wouldn’t want in your software (shitstorm guaranteed!)
  • Open Standards: tasks like authentication are handled by relying on open standards / OSS software, too

In other words, we decided to build Cosmo and its components from the ground up with security, privacy and thus regulatory compliance in mind. And, most importantly, with the ability to run Cosmo fully on-prem.

The on-prem advantage of Cosmo

From our existing customers and users, we know how important it is to be able to run critical software in your own infrastructure, with no dependencies on any outside service. If you’re an enterprise, you want this for two reasons: compliance (obviously), but also to leverage your existing infrastructure and avoid massive egress costs, which become a factor if you’re handling billions and billions of requests per month.

So, in contrast to our main competitor, we made absolutely sure that you don’t need any cloud service to run Cosmo: the cloud part is optional. This decision was difficult for two reasons:

  1. Our competition does it, so the market obviously accepts it (to a certain degree), and it’s a great lever to make money
  2. Giving your software away basically for free doesn’t allow us to build a relationship with the users and improve our software

As a start-up, it’s all about runway, and removing all restraints on the use of your software is a tough call to make. Yet it is inevitable if you want to work with big enterprises, for which compliance is more important than cost (or at least close to it ;).

Thanks to Cosmo’s uniqueness in being able to run fully self-hosted, we are able to satisfy compliance concerns before they really arise. And what’s even better, looking at the due diligence process: many of the items on the ISMS / ISO 27001 checklist can be simply ticked off because they don’t apply to Cosmo.

Does Cosmo send unencrypted data over the network? No, because it doesn’t phone home at all. Which WunderGraph employees need access to Cosmo, and how is that access restricted and controlled? Not applicable, as the customer runs the whole thing independently. Where is the data hosted, Europe or the US? Wherever the customer chooses to keep their data. And so on.

Why both engineers and compliance teams love Cosmo

For internal auditors, Cosmo makes their job very simple as only a few controls need addressing and documenting. This helps to keep the process quite fast and streamlined compared to traditional software compliance audits.

On the engineering side, it ensures that devs can start leveraging Cosmo and GraphQL Federation quickly, without long waits for the green light from the compliance team. Usually, when organizations look at Cosmo, there’s some pressure to produce tangible results, so this can make all the difference between shipping in a few weeks and shipping in a few months with traditional software.

If you want to move fast with GraphQL Federation and not run into compliance roadblocks, on-prem Cosmo helps you avoid time-consuming due diligence loops, because it’s open source and can run in your own infrastructure.