Security

Trust isn't a tagline. It's a posture.

Authentication is the most consequential dependency in your stack. We're not asking you to take that on faith — here's what we actually do.

Certifications

The paperwork.

SOC 2 Type II

Audited annually by a Big Four firm. Report available on request under NDA.

ISO 27001

Certified by an accredited body. Surveillance audits every 12 months.

GDPR & UK DPA

Standard Contractual Clauses and EU data residency by default for EU customers.

HIPAA

BAA available on Team and Enterprise plans for covered entities.

Posture

The substance.

01

HSM-backed envelope encryption for secrets

Customer signing keys are encrypted at rest with envelope encryption: each key is encrypted under its own data key, and that data key is wrapped by a key-encryption key that lives only inside hardware HSMs behind our KMS. The wrapping keys never leave the HSMs, so neither application code nor operators can read a customer key directly, and nothing stored in the database is usable without the KMS.
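The pattern above, as an added Go example rather than klauthed's own code: a per-secret data key (DEK) encrypts the signing key with AES-256-GCM, and the DEK is wrapped by a key-encryption key that only the KMS holds. The in-process `KMS` type here is a stand-in for an HSM-backed service (its KEK would never be in application memory in production), the customer ID bound as GCM associated data is this example's design choice, and the sample key bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for the HSM-backed key service: it holds the KEK and exposes only Wrap/Unwrap.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM under a fresh random nonce; aad (the customer ID) is bound so a blob cannot be re-filed under another tenant. Output is nonce||ct||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func (k *KMS) Wrap(dek, aad []byte) ([]byte, error)       { return seal(k.kek, dek, aad) }
func (k *KMS) Unwrap(wrapped, aad []byte) ([]byte, error) { return unseal(k.kek, wrapped, aad) }

// Envelope is all that reaches the database; neither field is useful on its own.
type Envelope struct {
	CustomerID string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt: fresh per-secret DEK, encrypt under it, wrap the DEK with the KMS; the plaintext DEK is never stored.
func Encrypt(kms *KMS, customerID string, signingKey []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(customerID)
	ct, err := seal(dek, signingKey, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{CustomerID: customerID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt: the KMS unwraps the DEK (the only step that touches the KEK), then the ciphertext is opened locally.
func Decrypt(kms *KMS, env *Envelope) ([]byte, error) {
	aad := []byte(env.CustomerID)
	dek, err := kms.Unwrap(env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("kms refused to unwrap: %w", err)
	}
	return unseal(dek, env.Ciphertext, aad)
}

func main() {
	kms, _ := NewKMS()
	env, _ := Encrypt(kms, "cust_123", []byte("constructed sample signing-key seed")) // constructed input
	got, err := Decrypt(kms, env)
	fmt.Printf("%q %v\n", got, err)
}
```

Three failure modes are worth exercising against this code: an envelope re-filed under a different `CustomerID` fails on the associated data, a flipped byte in the ciphertext fails on the GCM tag, and a second `KMS` with its own KEK cannot unwrap the DEK at all, which is the property the posture statement relies on.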

02

Defense in depth, not a single line

Network isolation, WAF, per-endpoint rate limiting, anomaly detection, and audited admin paths. Any one layer failing does not give an attacker your data.

03

No long-lived credentials in production

All inter-service auth uses short-lived workload identities. No static API tokens stored in environment variables anywhere in our infrastructure.
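What a verifier for such a credential has to check, as an added Go example that is not klauthed's code and makes no claim about the token format they use: the issuer mints a signed credential with a lifetime capped at a policy maximum, and the receiving service checks signature, audience and expiry with explicit clock-skew tolerance. The Ed25519 issuer key, the `MaxTTL` and `ClockSkew` values, the two-part base64url token layout and the workload names are all this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims in a workload credential. Exp is what makes it short-lived; Aud stops a
// token minted for one service from being replayed at another.
type Claims struct {
	Sub string `json:"sub"` // workload identity (names used here are constructed)
	Aud string `json:"aud"` // service allowed to accept the credential
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

const (
	MaxTTL    = 5 * time.Minute  // assumed policy ceiling on lifetime
	ClockSkew = 30 * time.Second // assumed tolerance between issuer and verifier clocks
)

// NewIssuerKey generates the signing key of the hypothetical identity issuer.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Mint signs a credential with a bounded TTL. Layout: base64url(claims).base64url(sig).
func Mint(priv ed25519.PrivateKey, sub, aud string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > MaxTTL {
		return "", fmt.Errorf("ttl %v outside (0, %v]", ttl, MaxTTL)
	}
	payload, err := json.Marshal(Claims{Sub: sub, Aud: aud, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// Verify checks signature, audience and lifetime. The caller passes now so the
// expiry path is testable and skew handling is explicit rather than hidden.
func Verify(pub ed25519.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed claims")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	// Signature first: nothing in the claims is trusted until this passes.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("unparseable claims")
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("audience %q is not this service", c.Aud)
	}
	iat, exp := time.Unix(c.Iat, 0), time.Unix(c.Exp, 0)
	if exp.Sub(iat) > MaxTTL {
		return nil, errors.New("lifetime exceeds policy") // an issuer misconfiguration, refuse anyway
	}
	if now.Before(iat.Add(-ClockSkew)) {
		return nil, errors.New("not yet valid")
	}
	if now.After(exp.Add(ClockSkew)) {
		return nil, errors.New("expired")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := NewIssuerKey()
	now := time.Now()
	tok, _ := Mint(priv, "billing-worker", "payments-api", now, 5*time.Minute)
	_, err := Verify(pub, tok, "payments-api", now.Add(time.Minute))
	fmt.Println("after 1m:", err)
	_, err = Verify(pub, tok, "payments-api", now.Add(10*time.Minute))
	fmt.Println("after 10m:", err)
}
```

The verifier enforces the policy ceiling itself rather than trusting the issuer to honour it, so a misconfigured issuer cannot quietly reintroduce long-lived credentials; the same token is valid one minute after minting and rejected ten minutes later, which is the whole point of the posture statement above.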

04

Continuous external testing

Public bounty program plus annual third-party penetration tests. Findings are remediated under tracked SLAs.

Disclosure

Found something?

We run a public security disclosure program. Send a detailed report to security@klauthed.com — PGP keys and severity SLAs are documented at /security/disclosure.