Security & Data Governance

CohortLayer validates hypotheses against large, managed-access human cohorts — population-scale datasets that are governed by strict access and usage agreements. Managed-access cohorts are not open databases; they are secure research environments where individual records are protected by governance frameworks, ethics approvals, and legal agreements. CohortLayer operates within those frameworks. The cohorts we work with include large-scale population genetics resources maintained under institutional governance in the UK, US, and EU.

The analysis runs inside each cohort's secure compute environment. We bring the query to the data — not the data to the query. No individual records are exported, downloaded, or transferred at any point in the process. Only aggregate statistical outputs (effect sizes, carrier counts, replication status, phenotype signals) leave the cohort environment, and only to the requesting organisation.

We receive only what is needed to define the analysis: a target, a variant, or a gene–disease hypothesis — described in general scientific terms. We do not receive, request, or store any patient data, clinical records, proprietary compound structures, or internal trial data. The hypothesis stays at the level needed to run the analysis, and no more.

All hypotheses and results are treated as confidential. We do not share them with other clients, partners, or third parties. We do not use client hypotheses to train models or derive generalised insights that could be attributed to a specific client. Results are returned only to the requesting organisation.

We retain the minimum data necessary to deliver the service and maintain records of what was analysed and when. We do not retain raw cohort outputs beyond the delivery of results. Contact details collected via the request form are retained only as long as necessary to manage the client relationship, consistent with our Privacy notice.

CohortLayer is operated by Hemlex, based in Tallinn, Estonia — within the European Union. Our processing of contact data follows GDPR principles: lawful basis, data minimisation, purpose limitation, and data subject rights. We do not transfer personal data outside the EU/EEA. Genetic data processed as part of the analytics service is handled within the cohort's own governance framework and does not constitute personal data processing by CohortLayer.

The CohortLayer web service is built on server-side rendered infrastructure with no client-side data persistence. Form submissions are transmitted over HTTPS, validated server-side, and delivered via encrypted channel. We apply standard security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy). No cookies are set. No third-party advertising or tracking scripts are loaded.

Each cohort operates under its own governance framework, ethics approval, and data access agreements — managed by the cohort itself, not by CohortLayer. CohortLayer's access to each cohort is conditional on compliance with those frameworks. We do not override, circumvent, or negotiate around cohort governance requirements.

CohortLayer is a research analytics service, not a data processor in the GDPR Article 4(8) sense — we do not process personal data on behalf of clients. The genetic data analysed is held and governed by the cohorts themselves. We are happy to answer specific questions from procurement, legal, or compliance teams. Contact hello@cohortlayer.com.

Security and data governance questions: hello@cohortlayer.com

Operated by: Hemlex, Tallinn, Estonia.