Security built in, not bolted on.
SOC 2 Type II certified. AES-256 at rest, TLS 1.3 in transit. Signed nudge receipts. Differential-privacy peer benchmarks. MFA mandatory for every user.
Certifications & attestations
- SOC 2 Type II: Annual audit · report on request
- ISO 27001:2022: Certification in progress · Q3 2026
- GDPR: Article 28 DPA · SCCs 2021
- HIPAA: BAAs on Enterprise plans
- CCPA / CPRA: California rights honored globally
- PCI-DSS SAQ-A: Card data never touches us
Customers on Enterprise plans can request our latest SOC 2 report under NDA. Email security@kpicons.com.
Security pillars
Identity & access
Zero trust. Every request verified.
Zero-trust architecture. Every request authenticated and authorized at the edge.
- SSO: SAML 2.0 and OIDC with Okta, Microsoft Entra, Google Workspace, OneLogin, JumpCloud, and custom IdPs
- MFA: required for every user (TOTP, WebAuthn, or IdP-managed)
- SCIM 2.0 auto-provisioning and de-provisioning in under 15 seconds
- Just-In-Time (JIT) provisioning on first SSO login
- Role-based access control with 4 default personas + custom roles
- IP allow-listing and session timeouts configurable per tenant
Encryption
Encryption by default.
Encryption everywhere. Keys managed, rotated, and audited.
- At rest: AES-256 for all databases, object storage, and backups
- In transit: TLS 1.3 (minimum TLS 1.2); HSTS enforced; no legacy ciphers
- Customer-managed keys (BYOK): available on Enterprise plans via AWS KMS / Azure Key Vault
- Signed nudge receipts: Ed25519 signatures with a 90-day rolling key; every event is independently verifiable
- Secrets management: no plaintext in logs; HashiCorp Vault for internal credentials
Infrastructure
Multi-region. Multi-AZ. Always on.
Multi-region, multi-AZ, auto-scaling, daily tested backups.
- Data residency: choose US-East, US-West, EU-Central, EU-West, or AP-Southeast at provisioning
- Availability SLA: 99.95% monthly for Business, 99.99% for Enterprise
- Backups: point-in-time recovery up to 35 days; quarterly restore drills
- DDoS protection: AWS Shield Standard + Cloudflare
- Disaster recovery: RTO 4h, RPO 15 minutes for Enterprise
Data controls
Tenant isolation. Differential privacy.
Tenant isolation by default. Aggregates use differential privacy.
- Row-level tenant isolation enforced at the database and API layer
- No training on customer data for shared AI models unless explicitly opted in
- Persona preferences stay in-tenant; never exported or reused across customers
- Peer benchmarks use differential privacy (ε=0.5) together with k-anonymity (k ≥ 20)
- Data export / deletion at any time; GDPR-compliant workflows
Application security
Shift left. Test early. Fix fast.
Security lives in the SDLC, not as an afterthought.
- Static analysis (SAST) and dependency scanning on every PR
- Dynamic scanning (DAST) nightly in staging
- Annual third-party pen tests (executive summary available under NDA)
- Bug bounty program via HackerOne — responsible disclosure rewarded
- Security champions on every engineering team; SDLC training mandatory
- OWASP ASVS Level 2 as minimum; Level 3 for payment paths
Monitoring & response
Everything logged. Alerted. Reviewed.
24×7 operations with documented incident response.
- Audit logs: every admin action, API call, data-export event, and role change
- SIEM export via webhook to Splunk, Datadog, Sumo Logic, or your stack
- 24×7 on-call: security team + SRE; incident acknowledgement within 15 minutes
- Incident response plan with customer-notification SLAs (documented in DPA)
- Uptime status page: status.kpicons.com
Responsible disclosure
Found a vulnerability? We appreciate it. Please don't share it publicly before we can respond.
Report to: security@kpicons.com (PGP key: download)
We commit to: acknowledging within 24h, triaging within 3 days, and — for valid findings — issuing a bounty commensurate with severity (up to $10,000 for critical RCE).
Sub-processors
We use a minimal set of trusted vendors. All have signed a Data Processing Agreement with SCCs for EU data.
| Sub-processor | Purpose | Region | Safeguards |
| --- | --- | --- | --- |
| Amazon Web Services | Compute, storage, network | US / EU / APAC (customer-chosen) | SOC 2, ISO 27001, DPA + SCCs |
| Cloudflare | CDN, DDoS, WAF | Global edge | SOC 2, ISO 27001, DPA + SCCs |
| Stripe | Payment processing | US | PCI-DSS Level 1, DPA |
| Postmark | Transactional email | US | SOC 2, DPA + SCCs |
| Datadog | Observability | US / EU (region-matched) | SOC 2, ISO 27001, HIPAA |
| Intercom | Customer support chat | US | SOC 2, DPA + SCCs |
| Anthropic / OpenAI | Optional LLM inference (tenant opt-in) | US | SOC 2, DPA + SCCs; zero-retention endpoints |
We notify customers 30 days in advance of any new sub-processor. Objection process in the DPA.
Security by role
For CISOs
Security questionnaires answered within 5 business days. SOC 2 report, pen-test summary, and DPA available under NDA. Dedicated security point-of-contact on Enterprise plans.
For IT Admins
Full audit log UI, SIEM webhook, SSO wizard, break-glass recovery, and signed-receipt verifier ship in the IT Admin Cockpit.
For Legal & Privacy
Pre-signed DPA, SCCs, record-of-processing, and sub-processor list. See the GDPR page for the full bundle.