Privacy Protocol

The definitive framework governing data sovereignty, operational ethics, and user engagement protocols. This document establishes binding architectural parameters.

Last Revised: OCT 2026
Jurisdiction: GLOBAL EX-SC
Status: ENFORCED

Privacy Protocol — Cognition Strategy Group

Document Class: Binding Operational Instrument
Revision Cycle: Bi-Annual Mandatory Review
Governing Authority: Cognition Strategy Group Legal Division

1.1 Data Sovereignty

All data processed, ingested, or otherwise handled under any active Mandate Engagement with Cognition Strategy Group (hereinafter "the Firm") remains the exclusive sovereign property of the originating Client Entity. The Firm asserts no proprietary claim, derived right, residual license, or transferable interest in any Client Data, whether structured, unstructured, embedded, vectorised, or otherwise transformed through computational pipeline operations.

Data Sovereignty is not conditional upon format, medium, or processing state. Vectorised representations, embedding derivatives, latent feature extractions, and intermediate inference artefacts produced from Client Data are legally equivalent to source data under this Protocol and are governed identically.

1.2 Data Classification and Handling Tiers

The Firm operates a four-tier data classification system across all Mandate Engagements:

  • TIER-0 (Sovereign): Personally Identifiable Information (PII), Protected Health Information (PHI), financial instruments data, and any data subject to statutory confidentiality obligations. Processed exclusively on-premise or within Client-designated private cloud tenants. Zero data egress to third-party inference APIs.

  • TIER-1 (Confidential): Internal business logic, proprietary workflow data, and non-public strategic documentation. Encrypted in transit (TLS 1.3 minimum) and at rest (AES-256). Accessible only to credentialed Mandate personnel.

  • TIER-2 (Restricted): Operational telemetry, system performance logs, and anonymised aggregate metrics. May traverse private cloud infrastructure subject to written Client authorisation.

  • TIER-3 (Internal): Non-sensitive operational data generated by the Firm's own systems. Not subject to Client Data sovereignty provisions.

1.3 Cryptographic Assertions and Integrity Verification

All data transmission events occurring across Mandate infrastructure are subject to cryptographic integrity verification. The Firm employs HMAC-SHA256 assertion chains on all pipeline ingestion events, ensuring that data provenance, chain of custody, and transformation history are cryptographically auditable upon demand.

Clients retain the right to request a full cryptographic audit trail for any data processing event occurring within their Mandate deployment for a period of twenty-four (24) months following Mandate conclusion.
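Section 1.3 describes HMAC-SHA256 assertion chains over pipeline ingestion events. The following is an added illustration, not the Firm's code: each ledger record's tag is HMAC-SHA256 over the previous tag concatenated with the canonical event, so every tag commits to the whole history before it. The key, the event fields and the sample events are constructed for the example; a real deployment keeps the MAC key in a KMS or HSM, separate from the ledger it protects.

```python
import copy
import hashlib
import hmac
import json
from typing import Iterable, List

# Constructed demo key (assumption for this example only).
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # anchor for the first record


def canonical(event: dict) -> bytes:
    """Deterministic serialisation so writer and auditor MAC identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: Iterable[dict], key: bytes = DEMO_KEY) -> List[dict]:
    """Append each ingestion event to a tamper-evident HMAC chain."""
    prev = GENESIS
    chain = []
    for event in events:
        tag = hmac.new(key, prev + canonical(event), hashlib.sha256).digest()
        chain.append({"event": event, "prev": prev.hex(), "tag": tag.hex()})
        prev = tag
    return chain


def verify_chain(chain: List[dict], key: bytes = DEMO_KEY) -> int:
    """Return the index of the first broken link, or -1 if the chain verifies.

    A modified payload, a dropped or reordered record, or a wrong key all
    change the bytes a later tag commits to, so each is caught at the first
    record whose link no longer matches.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if bytes.fromhex(rec["prev"]) != prev:
            return i  # link points at a different predecessor
        expected = hmac.new(key, prev + canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return i  # payload or tag altered
        prev = expected
    return -1


# Constructed sample ingestion events (field names are assumptions).
SAMPLE_EVENTS = [
    {"seq": 1, "op": "ingest", "object": "client/doc-001.pdf",
     "sha256": "constructed-placeholder-digest", "tier": "TIER-1"},
    {"seq": 2, "op": "vectorise", "object": "client/doc-001.pdf",
     "model": "embed-v1", "tier": "TIER-1"},
    {"seq": 3, "op": "egress", "object": "client/doc-001.pdf",
     "dest": "client-private-tenant", "tier": "TIER-1"},
]


def tamper_and_verify(index: int, field: str, value) -> int:
    """Alter one event field after the fact and report where verification fails."""
    chain = copy.deepcopy(build_chain(SAMPLE_EVENTS))
    chain[index]["event"][field] = value
    return verify_chain(chain)


def drop_and_verify(index: int) -> int:
    """Silently delete one record and report where verification fails."""
    chain = build_chain(SAMPLE_EVENTS)
    del chain[index]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_chain(SAMPLE_EVENTS)))
    print("model field rewritten in record 1:", tamper_and_verify(1, "model", "embed-v2"))
    print("record 1 dropped:", drop_and_verify(1))
```

Because each record also stores the predecessor tag it was chained to, an auditor can locate the exact point of divergence rather than only learning that the ledger as a whole fails. Note that the chain proves integrity and ordering, not confidentiality: event payloads are still readable and must be stored according to their data tier.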

1.4 Zero-Trust Data Access Architecture

The Firm operates exclusively under a Zero-Trust access architecture across all Mandate environments. No principal — internal, external, human, or automated — is granted implicit trust at any network layer. All access events are:

  • Authenticated via multi-factor cryptographic assertion

  • Authorised against the principle of least privilege

  • Logged immutably to a tamper-evident audit ledger

  • Reviewed programmatically via anomaly detection pipelines

Access tokens carry a maximum TTL of 900 seconds. No persistent access credentials are issued to any automated system component without Client written consent.
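Section 1.4 sets a 900-second maximum TTL on access tokens and requires every access event to be authenticated and authorised against least privilege. The following added example, which is not the Firm's implementation, shows a minimal HMAC-signed bearer token whose issuer caps the lifetime at 900 seconds and whose verifier independently rejects expired, forged, over-lived or under-scoped tokens. The token layout, claim names and key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

MAX_TTL = 900  # seconds; policy cap from section 1.4

# Constructed demo key (assumption); real keys come from a KMS or HSM.
DEMO_KEY = b"constructed-token-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(key: bytes, principal: str, scopes: List[str],
                ttl: int = MAX_TTL, now: Optional[int] = None) -> str:
    """Issue a signed token; requested TTLs above the policy cap are clamped."""
    now = int(time.time()) if now is None else now
    ttl = min(ttl, MAX_TTL)
    claims = {"sub": principal, "scope": scopes, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(key: bytes, token: str, required_scope: str,
                 now: Optional[int] = None) -> str:
    """Return "ok" or the first reason the token must be refused.

    Signature is checked before any claim is parsed, so an attacker-controlled
    body is never interpreted unless it was signed with the shared key.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return "malformed"
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        presented = base64.urlsafe_b64decode(sig)
    except (ValueError, TypeError):
        return "malformed"
    if not hmac.compare_digest(expected, presented):
        return "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    # Defence in depth: refuse tokens whose lifetime exceeds policy even if
    # some issuer minted them that way.
    if claims["exp"] - claims["iat"] > MAX_TTL:
        return "ttl-exceeds-policy"
    if now >= claims["exp"]:
        return "expired"
    if required_scope not in claims["scope"]:
        return "insufficient-scope"
    return "ok"


def token_lifetime(token: str) -> int:
    """Lifetime in seconds encoded in the token body (no signature check)."""
    claims = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))
    return claims["exp"] - claims["iat"]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible demo
    tok = issue_token(DEMO_KEY, "svc-ingest", ["ingest:write"], ttl=3600, now=t0)
    print("lifetime clamped to:", token_lifetime(tok))
    print("fresh:", verify_token(DEMO_KEY, tok, "ingest:write", now=t0 + 10))
    print("after 900 s:", verify_token(DEMO_KEY, tok, "ingest:write", now=t0 + 900))
    print("wrong scope:", verify_token(DEMO_KEY, tok, "egress:write", now=t0 + 10))
```

Passing an explicit clock into both functions keeps the example deterministic and is also the right shape for production code, where the verifier's clock source should be pinned and monitored for drift. The verifier checks the signature before parsing claims so that malformed or attacker-supplied bodies are never interpreted.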

1.5 Third-Party Sub-Processor Disclosure

The Firm maintains a current and binding Sub-Processor Registry, available to active Clients upon written request. No Client Data is transferred to any Sub-Processor not listed in the current Registry. Sub-Processors are contractually bound to data handling standards equivalent to or exceeding the standards set forth in this Protocol.

1.6 Data Retention and Destruction

Unless otherwise specified in the governing Mandate Agreement, all Client Data is purged from Firm-controlled infrastructure within thirty (30) calendar days of Mandate conclusion. Destruction is performed via cryptographic erasure (key destruction rendering data computationally irrecoverable) supplemented by physical media overwrite where applicable. A signed Certificate of Destruction is issued to the Client upon completion.

1.7 Regulatory Compliance

This Protocol is designed to satisfy the substantive requirements of GDPR (EU 2016/679), CCPA, HIPAA (where applicable to PHI), and SOC 2 Type II. Clients operating under jurisdiction-specific regulatory frameworks should disclose applicable obligations prior to Mandate commencement to enable protocol augmentation as required.


CLEARANCE & SLA PROTOCOLS

Confidentiality: Default-Deny NDA Enforced
Response SLA: T+12 Hours (Principal Only)
Data Routing: E2E Encrypted Transmission
