Security Statement

Security is at the core of everything we do. As a security awareness company, we hold ourselves to the highest standards. This document outlines our security practices and commitments.

Certifications & Compliance

SOC 2 Type II

Independently audited for security, availability, and confidentiality controls. Report available upon request under NDA.

ISO 27001

Certified information security management system covering all aspects of our operations.

GDPR

Full compliance with EU General Data Protection Regulation including data processing agreements.

CSA STAR

Cloud Security Alliance STAR registered for cloud security best practices.

Infrastructure Security

Cloud Hosting

Hosted on AWS with data centers in EU (Frankfurt) and US (Virginia)
Multi-availability zone deployment for high availability
AWS Well-Architected Framework compliance
Regular infrastructure security assessments

Network Security

Web Application Firewall (WAF) protection
DDoS protection via AWS Shield
Network segmentation and private subnets
Intrusion detection and prevention systems
24/7 security monitoring and alerting

Data Protection

Encryption

In Transit: TLS 1.3 for all communications. HSTS enabled. A+ SSL Labs rating.
At Rest: AES-256 encryption for all stored data including backups.
Key Management: AWS KMS for encryption key management with automatic rotation.

Data Isolation

Logical tenant isolation at the database level
Customer data never co-mingled between organizations
Dedicated encryption keys per customer (Enterprise)

Backups

Automated daily backups with 30-day retention
Point-in-time recovery capability
Geographically redundant backup storage
Regular backup restoration testing

Application Security

Secure Development

Secure SDLC with security reviews at every stage
Mandatory code review for all changes
Automated static code analysis (SAST)
Dependency scanning for known vulnerabilities
OWASP Top 10 protections built-in

Security Testing

Annual third-party penetration testing
Continuous automated vulnerability scanning
Bug bounty program for responsible disclosure
Regular red team exercises

Access Control

Customer Access

Role-based access control (RBAC) with granular permissions
SSO integration (SAML 2.0, OIDC)
Multi-factor authentication support
Session timeout and IP-based access restrictions
Complete audit trail of all user actions

Kinan Employee Access

Principle of least privilege for all staff
Background checks for all employees
MFA required for all internal systems
Privileged access management (PAM) for production
Quarterly access reviews

Incident Response

Documented incident response plan tested annually
24/7 on-call security team
Customer notification within 72 hours for security incidents
Post-incident reviews and continuous improvement

Business Continuity

99.9% uptime SLA for Enterprise customers
Multi-region failover capability
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour
Annual disaster recovery testing

Vendor Management

We carefully vet all third-party vendors:

Security assessments before onboarding
SOC 2 or equivalent certification required
Data Processing Agreements in place
Annual vendor security reviews

Security Documentation

The following documents are available upon request:

check_circle SOC 2 Type II Report (under NDA)
check_circle ISO 27001 Certificate
check_circle Penetration Test Executive Summary
check_circle Data Processing Agreement (DPA)
check_circle Security Questionnaire (SIG, CAIQ)

Reporting Security Issues

We take security reports seriously. If you discover a security vulnerability:

Email: security@kinan.app

PGP Key: Available on request

Please include detailed steps to reproduce the issue. We aim to acknowledge reports within 24 hours and will keep you informed of our progress.

Contact

For security-related inquiries:

Security Team: security@kinan.app

Compliance: compliance@kinan.app