How we build
Built once. Deployed across every vertical. Compliance, governance, and infrastructure that every COSX agent inherits on day one.
Architecture
How a request flows through the COSX platform. From client input to auditable output.
Every COSX agent follows the same path. A client request enters at the top, passes through the governance layer for compliance checks and audit logging, then reaches the shared infrastructure that encrypts, stores, and delivers the response.
This architecture means every new agent launched on the platform inherits enterprise-grade security, billing, data residency, and compliance on day one. No per-product integration work. No gaps.
Infrastructure
The shared services that every agent runs on.
Identity & access
Enterprise SSO with SAML and OIDC. Role-based access control across every agent. Session management, MFA enforcement, and audit-logged authentication events. Your identity provider stays the source of truth.
$ cosx iam status
┌─────────────────────────────────────┐
│ SSO Provider      Azure AD ✓ live   │
│ MFA Enforced      All users ✓       │
│ Active Sessions   142               │
│ RBAC Policies     12 active         │
└─────────────────────────────────────┘
Last auth event: 2m ago
Session token rotation: 15 min
✓ All identity checks passing
$ cosx billing summary --period=mar-2026
┌──────────────────────────────────────┐
│ Agent        Calls     Cost          │
│ ─────        ─────     ────          │
│ XENI         12,847    £2,140.20     │
│ Robolab X    8,203     £684.10       │
│ Metaroom     3,419     £512.85       │
├──────────────────────────────────────┤
│ Total                  £3,337.15     │
└──────────────────────────────────────┘
✓ Budget alert: 68% of monthly limit
$ cosx data residency --show
┌─────────────────────────────────────┐
│ Primary Region    eu-west-2 (UK)    │
│ Replication       eu-west-1 (IR)    │
│ Encryption        AES-256-GCM       │
│ Key Management    Customer-managed  │
│ Data Transfer     Restricted        │
└─────────────────────────────────────┘
✓ No cross-border transfers detected
✓ Encryption keys rotated: 6 days ago
✓ Compliance: UK GDPR aligned
Governance
How every AI decision gets tracked, checked, and approved.
Input received
Client uploads passport, bank statements, and supporting documents. The system timestamps every file on arrival, hashes its contents for tamper detection, and creates an immutable intake record. From this point forward, nothing can be altered without a logged override.
Agent processes
XENI reads every uploaded document, extracts structured data, and cross-references fields across sources. It confirms identity details match between the passport and bank statements, then flags a six-month employment gap for further review.
Compliance gate
The case is evaluated against five automated compliance checkpoints before it can proceed. Identity, document completeness, sanctions, and PEP screening all pass. The employment continuity check triggers an amber flag, routing the case to a qualified human reviewer.
Human review
The flagged employment gap is routed to a qualified immigration solicitor. They review the supporting employer letter, confirm the gap is explained by parental leave, and approve the case. Every annotation and decision is timestamped and attributed to the reviewer.
Audit report
The completed application is submitted with a full audit trail attached. Every extraction, flag, human decision, and approval is recorded with timestamps and attribution. The trail is cryptographically signed, immutable, and exportable for regulatory review.
"Gap explained by parental leave — Mar to Sep 2024. Employer letter confirms return to same role. No further action required."
Audit trails
Every decision, extraction, and human override is logged with timestamps and attribution. Trails are immutable and exportable for regulatory review.
Human oversight
AI handles volume. Humans handle judgment. Every flagged item routes to a qualified reviewer before it leaves the system.
Compliance gates
Automated checkpoints enforce regulatory requirements at each stage. Cases cannot progress until all checks pass or are explicitly overridden by an authorised reviewer.
Security
Certifications, practices, and commitments.

Cyber Essentials
Certified: UK government-backed scheme covering firewalls, secure configuration, access control, malware protection, and patch management.

GDPR
Aligned: Data processing, storage, and transfer practices aligned to UK and EU General Data Protection Regulation requirements.

ISO 27001
Aligned: Information security management system practices aligned to the ISO 27001 standard.

SOC 2 Type II
Aligned: Security, availability, and confidentiality controls aligned to AICPA SOC 2 Trust Services Criteria.
Data encryption
AES-256-GCM at rest. TLS 1.3 in transit. Customer-managed keys available for enterprise deployments.
Tenant isolation
Logical and network-level isolation between tenants. No shared compute, no shared storage, no cross-tenant data access.
Access control
Role-based access with least-privilege defaults. SSO integration. MFA enforced for all administrative access.
Incident response
Documented incident response plan with defined escalation paths. 24-hour notification commitment for security events.
Infrastructure
Hosted on ISO 27001-certified cloud infrastructure. Redundant across availability zones with automated failover.
Vulnerability disclosure
Responsible disclosure policy. Security researchers can report vulnerabilities through our coordinated disclosure process.
The COSX founding team has built and operated regulated technology platforms across financial services, legal, and education. Security is not a feature. It is a prerequisite for every product we ship.
Build with us
We work with firms in regulated industries that need AI they can trust. Whether you want to deploy one of our agents or build something new on the COSX platform, let's talk.