Technical and organisational measures

This document lists the technical and organisational measures Kaldros maintains. A fuller write-up of our posture, with rationale, lives at /security.

Encryption

• TLS 1.3 in transit with HSTS and preload.
• AES-256-GCM at rest, per-workspace envelope encryption.
• Key custody in AWS KMS by default; customer KMS via BYOK.

Access controls

• SSO (SAML 2.0) and SCIM provisioning on Growth+.
• Role-based access: OWNER / ADMIN / MEMBER / AUDITOR.
• Employee access reviewed quarterly; hardware-key-backed SSO required.

Availability and resilience

• Multi-AZ Postgres. Point-in-time recovery. Daily off-site encrypted backups.
• Documented RPO: 15 min. RTO: 4h for Starter/Growth, 1h for Enterprise.

Software assurance

• Code review required on every change. Automated secret scanning on every commit.
• Continuous dependency scanning. Critical CVEs patched within 72h.
• Annual third-party penetration test; reports under NDA.

Incident response

• 24×7 on-call rotation. Severity-1 acknowledgement within 15 minutes.
• Breach notification within 48h.