We are an offensive security company. We hold ourselves to a higher standard than we would ever apply to one of our customers. This page documents how we protect your data, who looks after our controls, and how to verify our claims.
Independent assurance underway. The following programs cover both the KAOS platform and our manual services delivery.
Independent attestation of our security, availability, and confidentiality controls. Audit window opens Q2 2026.
International standard for information security management. Implementation underway with target certification in late 2026.
Article 28 DPA, Standard Contractual Clauses, EEA-resident processing options, and full data subject rights handling.
Esquema Nacional de Seguridad — controls aligned with the Spanish National Security Scheme for engagements with public-sector customers.
The certifications below are held by members of our offensive security team. The people who build the platform are the same people who break into systems for a living.
The controls below mirror the technical and organizational measures committed in our Data Processing Agreement.
TLS 1.2+ for all traffic. AES-256 at rest. Field-level encryption for credentials and integration secrets.
Mandatory MFA for all employees. Least-privilege RBAC with just-in-time elevation. SSO available for enterprise tenants.
Tamper-evident audit logs across the platform. Centralized SIEM. 24x7 alerting on anomalous authentication and access events.
Annual third-party penetration tests, continuous internal red teaming, secure SDLC, vetted personnel with background checks.
EU-resident multi-AZ deployment. Encrypted backups, tested restore procedures, documented disaster recovery plan.
Sub-processors vetted before onboarding, contractually bound by GDPR Article 28 terms, listed transparently in our DPA.
Our default region for new customers is the European Union (Frankfurt). Andorra benefits from a European Commission adequacy decision (2010), so transfers between the EEA and Andorra are recognised as adequate. EU-only residency, dedicated single-tenant deployment, and customer-managed encryption keys are available on request for enterprise customers.
The current authoritative list of sub-processors lives in our Data Processing Agreement. We give advance notice of changes so you have an opportunity to object on reasonable grounds.
Found something? Read our responsible disclosure policy and email security@kaos.ad. Safe harbor applies to good-faith research.
Machine-readable security contact published at /.well-known/security.txt per RFC 9116.
Architecture diagrams, control matrices, penetration test summaries, and the signed DPA are available to prospective customers under NDA.