KLA Digital

Trust Center

The record, before you ask for it

This page pre-answers what security reviews ask — how the platform is built, who touches your data, and what is, and is not yet, on the record.

01 Architecture & data flow

How the platform is built

Each line cites the named controls that an in-cluster scanner re-checks continuously — the same checklist our own posture snapshots are graded against.

Tenant isolation

One platform, hard walls. PostgreSQL row-level security is forced on tenant-owned tables and service roles cannot bypass it; the evidence ledger and object storage are partitioned per tenant; the API rejects cross-tenant reads.

ISOL-001 · ISOL-002 · ISOL-003
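One way to implement, and then re-check, the forced row-level-security control described above, as an added example that is not KLA's own schema or code. The table, the role name app_service and the session variable app.tenant_id are assumptions; the UUID is a constructed sample value.

```sql
-- Added illustration, not KLA's schema or code. Assumes a constructed
-- tenant-owned table and an application role named app_service.
CREATE TABLE evidence_items (
  id        bigserial PRIMARY KEY,
  tenant_id uuid  NOT NULL,
  payload   jsonb NOT NULL
);

-- ENABLE alone exempts the table owner; FORCE applies the policies to the
-- owner as well, which is what "service roles cannot bypass it" requires.
ALTER TABLE evidence_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence_items FORCE ROW LEVEL SECURITY;

-- A row is visible or writable only for the tenant bound to the session.
-- With no tenant bound, the comparison is NULL and nothing matches: fail-closed.
CREATE POLICY tenant_isolation ON evidence_items
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The service role is an ordinary login role: not a superuser, no BYPASSRLS.
CREATE ROLE app_service LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON evidence_items TO app_service;
GRANT USAGE, SELECT ON SEQUENCE evidence_items_id_seq TO app_service;

-- Per request, the API binds the caller's tenant for the transaction only.
-- SET LOCAL is discarded at COMMIT or ROLLBACK, so it cannot leak to the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, payload FROM evidence_items;   -- only that tenant's rows are returned
COMMIT;

-- Posture checks of the kind an in-cluster scanner can replay on a schedule.
-- 1. Every table carrying a tenant_id column must have RLS enabled AND forced.
SELECT n.nspname, c.relname, c.relrowsecurity AS enabled, c.relforcerowsecurity AS forced
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_attribute a ON a.attrelid = c.oid AND a.attname = 'tenant_id' AND NOT a.attisdropped
WHERE  c.relkind = 'r'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT (c.relrowsecurity AND c.relforcerowsecurity);   -- expected: no rows

-- 2. No application role may be able to step around the policies.
SELECT rolname
FROM   pg_roles
WHERE  (rolsuper OR rolbypassrls) AND rolname LIKE 'app\_%';   -- expected: no rows
```

Both check queries return rows only when the control has drifted, so a scanner can grade the snapshot on "zero rows" without ever reading tenant data.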

Identity

Self-hosted Keycloak, OIDC. Protected endpoints reject missing and invalid tokens, and tokens minted for the wrong audience.

AUTH-001 · AUTH-002 · AUTH-003

Credentials & keys

HashiCorp Vault holds the secrets; workloads carry no static cloud credentials. Tenant data is encrypted with per-tenant envelope keys through Vault Transit, optionally wrapped by a cloud KMS. Evidence-signing keys come from managed secrets.

KEYS-001 — KEYS-005

Service-to-service traffic

Mutual TLS across the Linkerd service mesh, with scoped server authorizations for critical internal services and a ≥95% mesh-coverage target where every exception is time-bounded. TLS 1.3 is enforced at the ingress.

MTLS-001 — MTLS-005 · K8S-006

Policy evaluation

Fail-closed. A checkpoint that cannot be evaluated holds or blocks the action — nothing proceeds on a missing answer.

Audit & telemetry

Governed decisions are emitted as OpenTelemetry traces and sealed into a tamper-evident, per-tenant evidence ledger (immudb). Database activity is audited with pgAudit.

OTEL · PGAUDIT

Change management

GitOps is the source of truth: cluster state is declared in version control and synced by Argo CD — no manual drift. Security guard checks run in CI, and a runtime verifier re-checks the live cluster.

ARGO CD · CI

Supply chain

Container images are signed with Cosign and pinned by immutable digest, not by mutable tags.

K8S-005 · COSIGN

Workload hardening

No default service accounts, no cluster-admin bindings, hardened container security contexts, resource limits on every container, and no host networking.

K8S-001 — K8S-004 · MTLS-004

Continuous posture

An in-cluster scanner replays a fixed, versioned checklist of these controls. Snapshots retain names, metadata, and hashes — never sensitive values.

02 Subprocessors

Who touches your data

Most of the platform is self-hosted in-cluster, so the list is short. Identity (Keycloak), secrets (Vault), the relational store (PostgreSQL), the evidence ledger (immudb), object storage (MinIO), and the service mesh (Linkerd) are operated as part of the deployment itself, under the documented control model — not delegated to third parties. What remains is the browser layer:

Processor           | Purpose                                                                              | Surface
Google Analytics 4  | Traffic measurement. Runs in Google consent mode with all storage denied by default. | Website + app UI
Plausible Analytics | Aggregate, cookie-less traffic analytics.                                            | Website + app UI
Microsoft Clarity   | Session diagnostics. Synced to the cookie-consent signal; ad storage always denied.  | Website + app UI
Apollo.io           | Business visitor identification for sales follow-up.                                 | Marketing site
Calendly            | Pilot and demo scheduling embed.                                                     | /book-demo

All five run in the browser — on the website and the signed-in console. None of them sits inside the governed execution path that evaluates policies, routes approvals, and seals evidence.

03 Vulnerability disclosure

How to report a vulnerability

A simple policy, stated plainly. We would rather hear about it from you.

Where to report
Email [email protected] with reproduction steps and your assessment of impact.
Acknowledgment
We acknowledge reports within five business days and keep you informed while we triage and fix.
Coordinated disclosure
We coordinate the timing of any public disclosure with the reporter, and credit good-faith reporters who want it.
Safe harbor
We will not pursue legal action over good-faith, non-destructive security research that respects tenant data and service availability.

04 Certifications & audits

The honest line

A trust page from a company whose product is evidence cannot afford a single implied claim. So, plainly:

Certifications held today
None. We do not hold SOC 2 or ISO/IEC 27001 certification, and nothing on this page should be read as implying that we do.
What exists instead
A documented, versioned control model — scanned continuously in-cluster and mapped to internal-control and framework language. See the control mapping.
Independent assessment
Planned. We will put the engagement on this page when it is scheduled; no date is on the record yet.
Standards participation
KLA is a member of AFNOR's CN IA — France's AI-standardization commission, mirror committee to ISO/IEC SC 42 and CEN-CENELEC JTC 21. This is participation in standards-setting, not a certification.

05 Documents on request

The paperwork, on request

What you can pull into a procurement file today.

  • Security whitepaper

    Architecture, controls, and deployment models, in print.

    Download PDF →
  • Control mapping

    Runtime controls, human approvals, and execution lineage mapped to internal-control and framework language.

    View page →
  • Data Processing Agreement

    Our DPA, for your procurement file.

    Request →
  • Execution lineage sample

    A sample of the sealed execution-lineage record a governed pilot produces.

    Request →

06 Review pre-answers

What reviews usually ask

The questionnaire rows we can answer before the questionnaire arrives. Anything not listed here is not yet on the record — ask us, and we will say so.

Encryption in transit
TLS 1.3 at the ingress; mutual TLS between services across the Linkerd mesh.
Encryption at rest
Per-tenant envelope keys through Vault Transit, optionally wrapped by a cloud KMS. Evidence-signing keys are sourced from managed secrets.
Tenancy model
Multi-tenant with isolation enforced at three layers: forced PostgreSQL row-level security that service roles cannot bypass, per-tenant partitions in the evidence ledger and object storage, and API-level rejection of cross-tenant reads.
Identity & access
OIDC through self-hosted Keycloak; endpoints reject missing, invalid, and wrong-audience tokens. In-cluster: least-privilege service accounts, no cluster-admin bindings, hardened security contexts.
Secrets management
HashiCorp Vault. No static cloud credentials in workload environments; Kubernetes secrets sync from Vault via ExternalSecrets.
Logging & audit
OpenTelemetry traces for every governed decision; tamper-evident per-tenant evidence storage; pgAudit on the database. Posture snapshots keep names, metadata, and hashes — never sensitive values.
Change management
GitOps only. Cluster state is declared in version control and synced by Argo CD; security guards run in CI and a runtime verifier re-checks the live cluster.
Supply chain
Cosign-signed container images, pinned by immutable digest.
Backups
Scheduled in-cluster backup jobs for the core datastores — PostgreSQL, immudb, ClickHouse, Redis — declared in the same GitOps manifests as the services they protect.
Data residency
Residency follows the deployment. The stack is self-contained — datastores, identity, and evidence ledger included — and runs in an EU cloud region, your private cloud, or your data center.
Penetration testing
No third-party penetration test report is on the record yet. Automated posture scanning runs continuously against a versioned control checklist; an independent assessment is planned.
Certifications
None held today — see the honest line above. The control model and its framework mapping are documented and reviewable now.
Subprocessors
Short list, published above. The product runtime is self-hosted; the third parties serve the website and scheduling.
Vulnerability reports
[email protected] — acknowledgment, coordinated disclosure, and safe-harbor terms are published above.

Read the record, then test it

The fastest security review is the one that runs on your own workflow.

Start the governed pilot

4 weeks · your workflow · signed evidence you keep