Security & Compliance
How Kontaim meets enterprise security and data-protection expectations — SOC 2 readiness, GDPR, and the operational controls that back the contract.
Last updated: May 14, 2026
30 controls assessed
24 met today
6 in progress / planned
Standards & Audits
SOC 2 Type I report
In progress — pre-audit readiness phase. Target: Q4 2026.
SOC 2 Type II report
Planned — to follow the Type I report plus a 6-month observation window.
ISO 27001 alignment
Controls mapped against ISO 27001:2022 Annex A; certification not yet pursued.
GDPR (Article 28 processor obligations)
Standard DPA with SCCs available; subprocessor list published.
CCPA / CPRA
Subject-request handling and "do-not-sell" obligations honored; service-provider role disclosed in privacy policy.
Data Protection
Encryption in transit
TLS 1.2+ on all external endpoints; HSTS enforced.
Encryption at rest
AES-256 on managed Postgres (Supabase); managed key rotation.
Backup encryption
Encrypted point-in-time backups with rolling 35-day retention; secure deletion.
Key management
Application-layer secrets held in Vercel-managed environment variables; database keys managed by the cloud provider's HSM.
Identity & Access
Least-privilege access
Production access scoped by role; permissions reviewed quarterly.
Multi-factor authentication
Required for all employee accounts with access to platform infrastructure.
SSO for customers
SAML 2.0 / OIDC available on enterprise plans.
Row-level authorization
Postgres RLS policies on every table containing Customer data.
Audit logging
Centralized logs for administrative and access events with tamper-resistant retention.
Incident Response
Breach-notification SLA
Customer notification within 72 hours of a confirmed Personal Data Breach.
Documented IR runbook
Internal incident-response playbook with on-call rotation.
Tabletop exercises
Conducted semi-annually as part of SOC 2 readiness.
Vulnerability Management
Dependency monitoring
Automated dependency scanning on every commit and on a daily cadence.
Vulnerability scanning
Continuous SAST/DAST on the application; container/runtime scanning on infrastructure.
Penetration testing
Annual third-party pentest planned alongside SOC 2 Type I.
Responsible-disclosure channel
Security reports accepted at security@kontaim.com; acknowledgment within 1 business day.
Data Subject Rights
Access / portability
Customer data exportable via the dashboard; programmatic export available on request.
Rectification / deletion
Self-serve deletion within the product; bulk requests processed within 72 hours.
Subprocessor change notification
Material additions notified at least 30 days in advance.
Resilience
Recovery point objective (RPO)
≤ 24 hours (point-in-time recovery on managed Postgres).
Recovery time objective (RTO)
≤ 4 hours for critical production restoration.
Disaster-recovery testing
Annual DR rehearsal as part of SOC 2 readiness.
AI & Customer Content
No model training on Customer Content
Enterprise AI provider agreements forbid retention of Customer inputs for model training.
AI output review
Customer is responsible for reviewing AI-generated content before publishing to Participants.
Content moderation
AI screening pass on publish; flagged content is held for Customer review.
Technical Specifications
Infrastructure
- Database: Supabase (Postgres) — Canada (Montreal) primary
- Hosting: Vercel Edge Network
- CDN: Vercel CDN (no PII cached)
- Payments: Stripe (PCI-DSS Level 1)
Encryption Standards
- In Transit: TLS 1.2+ (1.3 preferred)
- At Rest: AES-256
- Hashing: bcrypt for password storage; SCRAM-SHA-256 for database authentication in transit
- Secrets: Managed environment variables (Vercel) + cloud provider HSM
For SIG / CAIQ responses, our SOC 2 report (when available), or to start a security review, contact support@kontaim.com.