Security at KAOS
We are an offensive security company, and we hold ourselves to a higher standard than we apply when assessing our customers. This page documents how we protect your data, who is accountable for our controls, and how you can verify our claims.
Certifications & Attestations
Independent assurance is underway. The programs below cover both the KAOS platform and our manual services delivery.
SOC 2 Type II
Independent attestation of our security, availability, and confidentiality controls. Audit window opens Q2 2026.
ISO/IEC 27001
International standard for information security management. Implementation underway with target certification in late 2026.
GDPR-aligned
Article 28 DPA, Standard Contractual Clauses, EEA-resident processing options, and full data subject rights handling.
ENS (Spain)
Esquema Nacional de Seguridad — controls aligned with the Spanish National Security Scheme for engagements with public-sector customers.
Practitioner Credentials
The certifications below are held by members of our offensive security team. The people who build the platform are the same people who break into systems for a living.
Technical & Organizational Measures
The controls below mirror the technical and organizational measures committed in our Data Processing Agreement.
TLS 1.2+ for all traffic. AES-256 at rest. Field-level encryption for credentials and integration secrets.
Mandatory MFA for all employees. Least-privilege RBAC with just-in-time elevation. SSO available for enterprise tenants.
Tamper-evident audit logs across the platform. Centralized SIEM. 24x7 alerting on anomalous authentication and access events.
Annual third-party penetration tests, continuous internal red teaming, secure SDLC, vetted personnel with background checks.
EU-resident multi-AZ deployment. Encrypted backups, tested restore procedures, documented disaster recovery plan.
Sub-processors vetted before onboarding, contractually bound by GDPR Article 28 terms, listed transparently in our DPA.
Data Residency
Our default region for new customers is the European Union (Frankfurt). Andorra benefits from a European Commission adequacy decision (2010), so transfers of personal data from the EEA to Andorra are recognised as adequate and need no additional safeguards such as Standard Contractual Clauses. EU-only residency, dedicated single-tenant deployment, and customer-managed encryption keys are available on request for enterprise customers.
Sub-processors
The current authoritative list of sub-processors lives in our Data Processing Agreement. We give advance notice of changes so you have an opportunity to object on reasonable grounds.
Responsible Disclosure
Found something? Read our responsible disclosure policy and email security@kaos.ad. Safe harbor applies to good-faith research.
security.txt
Machine-readable security contact published at /.well-known/security.txt per RFC 9116.
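If you want to verify the security.txt claim yourself, the checks below are the ones RFC 9116 makes mandatory or recommends for the file body: a Contact field is required and must be a URI; Expires is required, must appear exactly once, must be an ISO 8601 date-time, and should be less than a year away; Preferred-Languages may appear at most once; Canonical should be an https URI. This is an added example written for this page, not the validator or the file KAOS publishes. The sample bodies are constructed; the mailto address is the one given on this page, and the kaos.ad canonical URL is an assumption.

```python
"""Check a security.txt body against RFC 9116 (added example; constructed inputs)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# RFC 9116 recommends that Expires be less than a year in the future.
MAX_VALIDITY = timedelta(days=365)
# Fixed reference clock so the constructed samples evaluate deterministically.
AUDIT_CLOCK = datetime(2026, 1, 15, tzinfo=timezone.utc)
# Contact values must be URIs; these are the schemes the RFC names.
CONTACT_SCHEMES = {"mailto", "https", "tel"}

# Constructed sample files (not the file KAOS publishes). The mailto address
# comes from this page; the kaos.ad canonical URL is an assumption.
GOOD_SECURITY_TXT = """\
# security.txt for kaos.ad (constructed sample)
Contact: mailto:security@kaos.ad
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en, es, ca
Canonical: https://kaos.ad/.well-known/security.txt
"""

BAD_SECURITY_TXT = """\
Contact: security@kaos.ad
Expires: 2025-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
Canonical: http://kaos.ad/.well-known/security.txt
"""


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs with lower-cased field names.

    Comment lines start with '#'; blank lines are ignored. A line without a
    ':' separator is a syntax error under the RFC's grammar.
    """
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text: str, now: datetime = AUDIT_CLOCK) -> list[str]:
    """Return a list of findings; an empty list means the body passes."""
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]
    problems: list[str] = []

    def values(name: str) -> list[str]:
        return [v for n, v in fields if n == name]

    # Contact: REQUIRED, may repeat, each value MUST be a URI.
    contacts = values("contact")
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if urlsplit(c).scheme.lower() not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")

    # Expires: REQUIRED, MUST appear exactly once, ISO 8601 date-time,
    # SHOULD be less than a year away; a past value means the file is stale.
    expires = values("expires")
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            # 'Z' suffix is only understood by fromisoformat on Python >= 3.11.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires has no timezone offset")
            elif exp <= now:
                problems.append(f"Expires {expires[0]} is in the past; file is stale")
            elif exp - now > MAX_VALIDITY:
                problems.append("Expires is more than a year out")

    # Preferred-Languages: MUST NOT appear more than once.
    if len(values("preferred-languages")) > 1:
        problems.append("Preferred-Languages appears more than once")

    # Canonical: if present, each value SHOULD be an https URI.
    for c in values("canonical"):
        if urlsplit(c).scheme.lower() != "https":
            problems.append(f"Canonical is not an https URI: {c}")
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(body) or "OK")
```

Against a live site, fetch `https://<host>/.well-known/security.txt` and pass the body in with `now=datetime.now(timezone.utc)`; the RFC additionally requires that the file be served over HTTPS with a `text/plain` content type, which is a transport check this body validator does not cover.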
Need our security packet?
Architecture diagrams, control matrices, penetration test summaries, and the signed DPA are available to prospective customers under NDA.