The short version your InfoSec team needs first. Each line is backed by the full Trust Center evidence room. Roadmap items are labelled as roadmap — the claim never exceeds the proof.
| Area | Posture | Status |
|---|---|---|
| Data residency | EU-hosted infrastructure (Fly.io, EU regions) | In place |
| Encryption in transit | TLS 1.2+ on all public endpoints | In place |
| Encryption at rest | Encrypted volumes for persisted data | In place |
| Access control | Least-privilege, secrets in platform vault (not in repo) | In place |
| Logging & audit | Append-only audit log for state-changing actions | In place |
| Incident response | Defined severity levels + contact path | In place |
| GDPR / DPA | DPA available; EU data processing | In place |
| SOC 2 | Controls mapped; formal attestation | Roadmap |
| Penetration test | Independent external test | Roadmap |
Posture reflects the current state at the time of writing; verify the live control matrix in the Trust Center before relying on any single line.
Data minimisation by design; retention schedule published in the Trust Center; EU processing.
Credentials held in the platform secret store, never committed to source. No secrets in logs or client output.
Changes ship from version control; production is a reproducible deploy from the canonical branch.
Agents run with autonomy disabled and the kill-switch enabled; a human decision is required before any action, and real operation is kept separate from simulation.
Security issues are triaged by severity and acknowledged without undue delay. Report suspected vulnerabilities to security@k0nsult.cloud. Full procedure, severity definitions, and timelines are in the Trust Center.
This is the summary. The evidence lives in the Trust Center — security architecture, GDPR, DPA, control matrix, retention, and incident response in full.