Compliance · Certifications

Deploy federated GraphQL in regulated industries from day one

Cosmo holds SOC 2 Type II certification and supports GDPR, HIPAA, and ISO 27001. Self-hosted Router, HMAC-signed configuration, RBAC, and SSO included.

SOC 2 Type II report available upon request.

Available on: Pro, Enterprise

The problem

Compliance takes time you don't have

Qualifying new infrastructure in regulated industries can take months. Every unvetted vendor is a gap in your audit trail.

Regulated industries face long adoption cycles

Healthcare, finance, and government teams can spend months qualifying a new technology for production. Every new component means more auditor questions and more compliance documentation.

Building compliant GraphQL from scratch is expensive

Security controls, audit logging, RBAC, SSO integration, and the processes to demonstrate them to auditors all require significant engineering investment when built in-house.

Vendor compliance is part of your compliance posture

Your auditors ask about every third-party tool in your stack. A vendor without certifications creates a gap you have to fill with compensating controls and additional documentation.

Our solution

Compliance built into the platform

Cosmo's certifications, security controls, and documentation are already in place. Use them to satisfy your vendor compliance requirements rather than building the same controls from scratch.

What Cosmo provides

  1. Cosmo holds a SOC 2 Type II certification, available as a report upon request for vendor due diligence.

  2. The platform supports GDPR, HIPAA, and ISO 27001 frameworks, enabling deployment in regulated industries.

  3. The Cosmo Router can be self-hosted, keeping all request and response data within your infrastructure. Only anonymized metadata reaches the Control Plane.

  4. Configuration updates are cryptographically validated using HMAC-SHA256 signatures, preventing tampering between the Control Plane and your Router.

  5. Access is controlled through Role-Based Access Control (RBAC) and SSO via OIDC and SAML.

  6. Cosmo carries $5M E&O and Cyber Insurance Coverage.

Certifications in place. Documentation on request.

Compliance certifications

Before & After

Before Cosmo: Months spent building compliant GraphQL infrastructure in-house
With Cosmo: Deploy with enterprise-grade compliance controls from day one

Before Cosmo: Expensive custom security audits for your own federation solution
With Cosmo: Use Cosmo's existing SOC 2 Type II certification to satisfy vendor due diligence

Before Cosmo: Uncertainty about what data leaves your infrastructure
With Cosmo: Self-hosted Router keeps request data local; only anonymized metadata goes to the Control Plane

Before Cosmo: Complex compliance documentation built from scratch
With Cosmo: Compliance reports and security documentation available upon request

Frameworks

Certifications and standards

  • SOC 2 Type II: Report available upon request for vendor due diligence
  • GDPR: Data minimization, IP anonymization, and self-hosted Router deployment
  • HIPAA: Self-hosted infrastructure keeps PHI within your environment
  • ISO 27001: Information security management controls and documentation

How Cosmo meets enterprise security requirements

01
Your infra. Your data.

Self-host

Deploy the Cosmo Router inside your own infrastructure. Request and response data never leaves your environment. Only anonymized operational metadata reaches the Cosmo Control Plane.

02
Config integrity enforced.

Validate

Configuration updates pushed from the Control Plane are signed with HMAC-SHA256. The Router validates the signature before applying any configuration change, preventing tampering.

03
RBAC and SSO built in.

Control access

RBAC limits what each team member can view or change in Cosmo Studio. SSO via OIDC or SAML integrates with your existing identity provider.

04
Audit docs ready on request.

Audit

Request Cosmo's SOC 2 Type II report to document vendor compliance. Built-in IP anonymization and variable exclusion support GDPR data minimization requirements for auditors.

Security controls

Enterprise controls, included

The controls auditors ask about are already built into Cosmo.

SOC 2 Type II certified

Cosmo holds a SOC 2 Type II certification. Request the report to satisfy vendor compliance requirements in your own audit process.

HMAC-SHA256 config signing

Every configuration update from the Control Plane is cryptographically signed. The Router verifies the signature before applying changes.

SSO and RBAC

Connect your identity provider via OIDC or SAML. Role-Based Access Control limits permissions per team member in Cosmo Studio.

Continuous fuzz testing

The Cosmo Router is continuously fuzz tested for security vulnerabilities.

Webhook and URL validation

Webhook payloads are verified with SHA-256 signatures before processing. Subgraph URLs are validated against domain rules to prevent unauthorized routing.
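The two checks described above (validating an HMAC-SHA256 signature over a configuration payload before applying it, and validating a subgraph URL against domain rules) can be illustrated with a short standalone example. This is added illustration code, not Cosmo's Router or Control Plane code: it assumes a shared secret known to both signer and verifier, a hex-encoded signature transported alongside the payload, and a caller-supplied allowlist of domains. The sample configuration is constructed here. The same verifier shape applies to any signed payload (a webhook body, for instance) where both sides share a secret; that the webhook mechanism works this way is an assumption of the example, not something the page states.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical shared secret. In a real deployment this is provisioned
# out of band and never embedded in source.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Constructed sample configuration payload (not a real Cosmo config).
SAMPLE_CONFIG = json.dumps(
    {"version": "v1", "subgraphs": ["https://users.example.com/graphql"]},
    sort_keys=True,
).encode()


def sign_payload(payload: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: hex-encoded HMAC-SHA256 over the exact bytes shipped."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_payload(payload: bytes, signature_hex: str, secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    Comparing as bytes avoids a TypeError on non-ASCII input and keeps the
    comparison length-independent of the attacker-controlled signature.
    """
    expected = sign_payload(payload, secret).encode()
    return hmac.compare_digest(expected, signature_hex.encode())


def apply_config(payload: bytes, signature_hex: str, secret: bytes = SHARED_SECRET) -> Optional[dict]:
    """Parse and return the configuration only if the signature verifies.

    Verification happens before parsing so that an unauthenticated payload
    never reaches the JSON decoder or any downstream routing logic.
    """
    if not verify_payload(payload, signature_hex, secret):
        return None
    return json.loads(payload)


def subgraph_url_allowed(url: str, allowed_domains: Tuple[str, ...]) -> bool:
    """Host allowlist check for a subgraph URL.

    Accepts only https URLs whose host is exactly an allowed domain or a
    subdomain of one. Suffix matching requires the dot so that
    'example.com.evil.test' is not mistaken for 'example.com'.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


if __name__ == "__main__":
    sig = sign_payload(SAMPLE_CONFIG)
    print("genuine config applied:", apply_config(SAMPLE_CONFIG, sig) is not None)
    # One appended byte is enough to invalidate the MAC.
    print("tampered config applied:", apply_config(SAMPLE_CONFIG + b" ", sig) is not None)
    allow = ("example.com",)
    print(subgraph_url_allowed("https://users.example.com/graphql", allow))
    print(subgraph_url_allowed("https://example.com.evil.test/graphql", allow))
```

The verify-before-parse order matters: once a payload is parsed and handed to routing code, a forged configuration could redirect traffic, so rejection has to happen on the raw bytes. The domain check likewise rejects scheme downgrades and look-alike hosts rather than only matching on a substring.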

$5M E&O and Cyber Insurance

Enterprise Insurance Coverage provides additional risk mitigation for organizations with strict vendor risk requirements.

Deploy GraphQL federation with compliance documentation ready

Request the SOC 2 Type II report and security documentation for your vendor review.

Compliance certifications for Cosmo

Full security documentation at cosmo-docs.wundergraph.com/security-and-compliance.