Our own posture, shown as plainly as we ask you to show yours.
Kaldros stores evidence on behalf of regulated institutions. Our own controls must withstand the same scrutiny we help our customers answer. Nothing below is aspirational marketing — only work that is either in place or underway with a dated milestone.
Controls designed; evidence gathering in progress. Type 2 observation window targeted for Q3 2026. Auditor: disclosed on request.
Stage 1 audit scheduled for Q4 2026. ISMS documented and operational. Certification body disclosed under NDA.
TLS 1.3 with strong cipher suites. HSTS with preload. Certificate pinning available for enterprise ingress.
AES-256-GCM per-workspace envelope encryption. Keys in AWS KMS (default) or customer KMS (BYOK).
AWS KMS, GCP KMS, Azure Key Vault. Key revocation renders ciphertext unrecoverable. We never hold a copy of the DEK or the KEK.
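The per-workspace envelope scheme described above, as an added illustration that is not Kaldros code: a fresh AES-256 data key (DEK) seals each object, the DEK is wrapped by a workspace key-encryption key (KEK) that lives only inside a KMS, and the stored envelope carries the wrapped DEK beside the ciphertext. The KMS here is a hypothetical in-process stand-in for AWS KMS / GCP KMS / Azure Key Vault (no real SDK calls), and the workspace names are constructed. It also shows why "key revocation renders ciphertext unrecoverable": once the KEK is deleted, the wrapped DEK can no longer be unwrapped, and binding the workspace name as GCM associated data keeps one workspace's wrapped DEK from being replayed against another's KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyRevoked: the workspace KEK is gone, so nothing sealed under it is recoverable.
var ErrKeyRevoked = errors.New("kms: KEK revoked or unknown for workspace")

// fakeKMS is a hypothetical stand-in for AWS KMS / GCP KMS / Azure Key Vault: one
// 256-bit KEK per workspace, reachable only via Wrap/Unwrap, so callers never see KEK bytes.
type fakeKMS struct{ keks map[string][]byte }

func newFakeKMS() *fakeKMS { return &fakeKMS{keks: map[string][]byte{}} }

func (k *fakeKMS) CreateKEK(workspace string) error {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	k.keks[workspace] = kek
	return nil
}

// Revoke models customer-side (BYOK) revocation: the KEK is deleted outright.
func (k *fakeKMS) Revoke(workspace string) { delete(k.keks, workspace) }

// Wrap/Unwrap bind the workspace name as AAD, so a wrapped DEK cannot be replayed
// against another workspace's KEK.
func (k *fakeKMS) Wrap(workspace string, dek []byte) ([]byte, error) {
	if kek, ok := k.keks[workspace]; ok {
		return gcmSeal(kek, dek, []byte(workspace))
	}
	return nil, ErrKeyRevoked
}
func (k *fakeKMS) Unwrap(workspace string, wrapped []byte) ([]byte, error) {
	if kek, ok := k.keks[workspace]; ok {
		return gcmOpen(kek, wrapped, []byte(workspace))
	}
	return nil, ErrKeyRevoked
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under AES-256-GCM with a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Envelope is the stored form: the wrapped DEK travels with the ciphertext and the
// plaintext DEK is discarded as soon as the object is sealed.
type Envelope struct {
	Workspace              string
	WrappedDEK, Ciphertext []byte
}

func Encrypt(k *fakeKMS, workspace string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // fresh AES-256 DEK per object
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(workspace))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := k.Wrap(workspace, dek)
	return Envelope{Workspace: workspace, WrappedDEK: wrapped, Ciphertext: ct}, err
}

func Decrypt(k *fakeKMS, env Envelope) ([]byte, error) {
	dek, err := k.Unwrap(env.Workspace, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.Workspace))
}
```

In a real deployment the Wrap/Unwrap calls are the only points at which the service touches key material it does not own: the KEK never leaves the KMS, and the plaintext DEK exists only in memory for the duration of one Encrypt or Decrypt. Revocation is therefore a customer-controlled kill switch, which is the property an evidence store's auditors will ask you to demonstrate.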
EU (eu-west-1 equivalent) and US (us-east-1 equivalent). Per-workspace. No background cross-region replication without customer action.
SSO (SAML 2.0), SCIM provisioning on Growth+. Role-based access: OWNER / ADMIN / MEMBER / AUDITOR. Session binding to device.
Continuous dependency scanning (GitHub + Trivy). Annual third-party pen test. Critical CVEs patched within 72h.
Background checks, annual security training, hardware-keyed SSO, least-privilege internal access reviewed quarterly.
If you believe you have found a security issue, email security@kaldros.com. We publish a VDP and will respond within two business days. PGP key on request.