Security posture for review teams.

What's deployed, what's in audit, what's on the honest roadmap. For the architecture and the defense-in-depth model, see reference architecture. This page answers the questions a security review team asks: threat model, encryption detail, certifications, incident response, data lifecycle, disclosure.

Threat model

What we defend against

The threat model focuses on multi-tenant SaaS and customer-environment edge agents. Mitigations are layered so a single bypass is bounded by the layer below it.

Cross-tenant data access

Mitigated by row-level security on every tenant table. Elevated service access does not appear in customer-facing API paths. Even if an API handler omits org_id filtering, the database refuses to return cross-tenant rows.

Stolen or replayed credentials

Mitigated by short-lived JWTs with org and scope claims, configurable MFA, SAML SSO with IdP-managed session policies, and rate limiting on every API token. Service accounts get scoped API keys with explicit grants.
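The token controls above are stated as outcomes, not as code. The Go program below is an added illustration written for this page, not KoraSafe's implementation: it mints a short-lived HS256 token bound to one org and a scope set, then applies the checks an API handler would run in order (pinned algorithm, constant-time signature compare, expiry, org binding, required scope). The claim names sub/org/scope/iat/exp, the 15-minute lifetime, the scope strings and the key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the access token. The claim names are assumptions for
// this example; the page states only that tokens carry org and scope claims.
type Claims struct {
	Sub   string `json:"sub"`
	Org   string `json:"org"`
	Scope string `json:"scope"` // space-separated, e.g. "findings:read audit:read"
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// hmacSHA256 signs the JWS signing input with the shared key.
func hmacSHA256(signingInput string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint issues a compact HS256 JWS bound to one org, valid for ttl.
func Mint(sub, org, scope string, ttl time.Duration, now time.Time, key []byte) (string, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Org: org, Scope: scope, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(hmacSHA256(signingInput, key)), nil
}

// Verify checks, in order: structure, pinned algorithm, signature (constant
// time), expiry, tenant binding and required scope. Any failure rejects.
func Verify(token string, key []byte, now time.Time, wantOrg, wantScope string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose how it is verified.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	if !hmac.Equal(sig, hmacSHA256(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.Org != wantOrg {
		return nil, errors.New("token is bound to a different org")
	}
	if !hasScope(c.Scope, wantScope) {
		return nil, fmt.Errorf("missing scope %q", wantScope)
	}
	return &c, nil
}

// hasScope reports whether the space-separated grant contains want.
func hasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // constructed for the example
	now := time.Now()
	tok, _ := Mint("svc-export", "org_acme", "findings:read", 15*time.Minute, now, key)
	for _, tc := range []struct {
		org, scope string
		at         time.Time
	}{
		{"org_acme", "findings:read", now},                      // accepted
		{"org_acme", "findings:read", now.Add(16 * time.Minute)}, // expired
		{"org_other", "findings:read", now},                     // wrong org
		{"org_acme", "findings:write", now},                     // missing scope
	} {
		_, err := Verify(tok, key, tc.at, tc.org, tc.scope)
		fmt.Printf("org=%s scope=%s -> %v\n", tc.org, tc.scope, err)
	}
}
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never drives a decision, and the org check runs on every request rather than relying on the handler's own filtering.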

Tampering with audit records

Mitigated by a content-hashed, cryptographically signed audit chain per tenant. Any modification to a past entry breaks the chain at that record. External auditors verify signatures independently of KoraSafe.
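The Go program below is an added illustration, not KoraSafe's implementation, of the property described here and in the audit-chain signing row of the encryption table: each entry carries a content hash linked to the previous entry and a signature over that hash, and a verifier holding only the exported entries and the public key can locate the first record where the chain breaks. It uses Ed25519 over SHA-256 rather than JWS, and the entry field names, the actions and the tenant id are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one record in a tenant's audit chain. Field names are assumptions
// made for this example.
type Entry struct {
	Seq      int    `json:"seq"`
	Tenant   string `json:"tenant"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"` // hash of the preceding entry; empty for the first
	Hash     string `json:"hash"`      // SHA-256 over the fields above
	Sig      string `json:"sig"`       // Ed25519 signature over Hash (JWS on the real platform)
}

// contentHash covers everything except Hash and Sig, so editing any field,
// including the link to the previous entry, changes the hash.
func contentHash(e Entry) string {
	e.Hash, e.Sig = "" , ""
	b, err := json.Marshal(e) // fixed struct, fixed field order: deterministic bytes
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Chain is the writer side: it holds the tenant's private key.
type Chain struct {
	Tenant  string
	Pub     ed25519.PublicKey // published so auditors verify without the platform
	priv    ed25519.PrivateKey
	Entries []Entry
}

// NewChain generates a per-tenant signing key pair.
func NewChain(tenant string) (*Chain, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chain{Tenant: tenant, Pub: pub, priv: priv}, nil
}

// Append links a new entry to the previous one and signs its content hash.
func (c *Chain) Append(action string) Entry {
	e := Entry{Seq: len(c.Entries), Tenant: c.Tenant, Action: action}
	if n := len(c.Entries); n > 0 {
		e.PrevHash = c.Entries[n-1].Hash
	}
	e.Hash = contentHash(e)
	e.Sig = hex.EncodeToString(ed25519.Sign(c.priv, []byte(e.Hash)))
	c.Entries = append(c.Entries, e)
	return e
}

// VerifyChain is the auditor side: it needs only the exported entries and the
// public key. It returns the index of the first entry that breaks the chain,
// or -1 when every link, hash and signature checks out.
func VerifyChain(entries []Entry, pub ed25519.PublicKey) (int, error) {
	prev := ""
	for i, e := range entries {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("entry %d: sequence gap", i)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: does not link to entry %d", i, i-1)
		case contentHash(e) != e.Hash:
			return i, fmt.Errorf("entry %d: content was modified after signing", i)
		}
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return i, fmt.Errorf("entry %d: signature does not verify", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	c, err := NewChain("org_acme") // constructed tenant id
	if err != nil {
		panic(err)
	}
	for _, a := range []string{"policy.create", "approver.assign", "finding.close"} {
		c.Append(a)
	}
	fmt.Println(VerifyChain(c.Entries, c.Pub)) // -1 <nil>

	// Editing a past entry without the signing key is caught at that record,
	// and recomputing its hash does not help: the signature no longer matches.
	tampered := append([]Entry(nil), c.Entries...)
	tampered[1].Action = "approver.remove"
	fmt.Println(VerifyChain(tampered, c.Pub))
	tampered[1].Hash = contentHash(tampered[1])
	fmt.Println(VerifyChain(tampered, c.Pub))
}
```

Because VerifyChain takes only entries and a public key, it is the routine an external auditor would run against an export; nothing in it depends on the platform being reachable or honest.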

Sensitive content leaving the customer environment

Mitigated by the hybrid edge-agent deployment. Inline PII detection and redaction happen locally; only governance signals (decisions, redacted findings, audit events) cross the boundary. Customer policy decides what is transmitted.

Supply-chain compromise

Mitigated by signed releases, SBOM generation per artifact, dependency review on every PR, and quarterly third-party security review of the release pipeline. SBOMs are available to customers on request.

Insider misuse of the platform

Mitigated by least-privilege role assignments inside KoraSafe, mandatory two-person review on sensitive code paths, and customer-facing audit logs that surface every administrative action.

Encryption

In transit, at rest, and over the audit chain

Specific cipher choices, key custody, and rotation cadence. For the layered defense model, see reference architecture.

Control | Detail | Status
TLS in transit | TLS 1.2 minimum on all client-to-API and API-to-database traffic. TLS 1.3 preferred where the client supports it. HSTS enabled on the marketing and dashboard origins. Certificate management automated; rotation on a maximum 90-day cycle. |
mTLS for the edge agent | Mutual TLS between the customer-deployed edge agent and the platform for the hybrid and air-gap shapes. Certificates provisioned via a signed install bundle; rotation on customer demand. | Designed; ships alongside the edge-agent general availability.
Encryption at rest | AES-256 disk encryption on the database. Backup snapshots inherit the same baseline. Object-store payloads carry per-tenant content keys. | Key custody on the platform side today.
BYOK / customer-managed keys | Customer key custody via KMS for tenant-scoped data and evidence packages. Key wrap and rotation policies inherited from the customer's KMS configuration. | Designed; in implementation for enterprise tenants.
Audit-chain signing | JWS signatures on every audit-chain entry. Content hashes chained to the previous entry. Verification independent of KoraSafe; auditors verify against published public keys. |
Webhook signing | Cryptographically signed outbound webhook payloads. Customers verify the signature header before processing. |
Secret storage | Per-environment secrets stored in managed secret stores. No secrets in code or build artifacts. Access scoped per service identity. Quarterly secret-rotation review. |
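The webhook signing row says customers verify the signature header before processing but not how. The Go program below is an added example written for this page, not KoraSafe's sender or SDK: the receiver reads a timestamp and signature header, rejects stale deliveries, reads a size-capped body, and compares an HMAC-SHA256 in constant time before handing the body to business logic. The header names X-KoraSafe-Timestamp and X-KoraSafe-Signature, the "v1=" prefix, the five-minute window and the timestamp binding are all assumptions; the page only states that payloads are signed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Header names, the "v1=" prefix and the timestamp binding are assumptions
// made for this example.
const (
	sigHeader = "X-KoraSafe-Signature"
	tsHeader  = "X-KoraSafe-Timestamp"
	maxSkew   = 5 * time.Minute
)

// signature computes HMAC-SHA256 over "<timestamp>.<body>", so a captured
// delivery cannot be replayed later under a fresh timestamp.
func signature(secret []byte, ts int64, body []byte) string {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d.", ts)
	m.Write(body)
	return "v1=" + hex.EncodeToString(m.Sum(nil))
}

// newSignedRequest plays the sender so the receiver can be exercised offline.
func newSignedRequest(secret []byte, ts int64, body []byte) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/webhooks/korasafe", bytes.NewReader(body))
	r.Header.Set(tsHeader, strconv.FormatInt(ts, 10))
	r.Header.Set(sigHeader, signature(secret, ts, body))
	return r
}

// VerifyWebhook is the customer-side check. It returns the body only after
// the timestamp is fresh and the signature matches in constant time.
func VerifyWebhook(secret []byte, r *http.Request, now time.Time) ([]byte, error) {
	ts, err := strconv.ParseInt(r.Header.Get(tsHeader), 10, 64)
	if err != nil {
		return nil, errors.New("missing or malformed timestamp header")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return nil, errors.New("timestamp outside the accepted window")
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size before hashing
	if err != nil {
		return nil, err
	}
	want := signature(secret, ts, body)
	if !hmac.Equal([]byte(r.Header.Get(sigHeader)), []byte(want)) {
		return nil, errors.New("signature mismatch")
	}
	return body, nil
}

func main() {
	secret := []byte("constructed-webhook-secret") // constructed for the example
	now := time.Now()
	body := []byte(`{"event":"finding.created","tenant":"org_acme"}`) // constructed payload

	_, err := VerifyWebhook(secret, newSignedRequest(secret, now.Unix(), body), now)
	fmt.Println("genuine delivery:", err)

	_, err = VerifyWebhook(secret, newSignedRequest([]byte("guess"), now.Unix(), body), now)
	fmt.Println("wrong secret:", err)

	_, err = VerifyWebhook(secret, newSignedRequest(secret, now.Add(-time.Hour).Unix(), body), now)
	fmt.Println("replayed an hour later:", err)
}
```

The body is read once and the same bytes are both hashed and returned, which avoids the classic mistake of verifying a re-serialised copy of the JSON rather than the bytes that were actually signed.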
Certifications and audits

Status, scope, and what's in flight

Current standing against the audits and frameworks security review teams ask about. Reports available under NDA where applicable; request via the security contact.

Framework | Scope | Status
SOC 2 Type I | AICPA Trust Services Criteria (Security, Confidentiality, Availability). | Control mappings, incident response policies, evidence collection, and access reviews in place. Independent auditor engaged.
SOC 2 Type II | Operating-effectiveness review across a 6-month window. | Follows once the Type I report issues. Same scope as Type I.
ISO 27001 | Information security management system. Scoped for the platform plus the edge-agent release pipeline. |
NIST AI RMF | Self-attested alignment with the Govern, Map, Measure, and Manage functions. KoraSafe is itself the platform many customers use to evidence NIST AI RMF compliance for their AI systems. |
HIPAA BAA | Business Associate Agreement available for healthcare tenants. PHI handling scoped to the customer's tenant; no cross-tenant PHI access on the platform side. |
GDPR + UK GDPR | Data Processing Agreement and Standard Contractual Clauses available. EU region available for tenants with residency requirements; UK transfer mechanism documented. |
EU AI Act Article 14 | Human-oversight controls (Authority Limiter, Approver Queue, Escalation Router) align with Article 14 requirements. Used by customers to evidence high-risk AI system compliance during EU conformity assessments. |
Incident response

How incidents get handled

Operational commitments for security incidents and platform outages. On-call coverage runs around the clock; engineers carry pager rotations with cross-region failover.

Detection and triage

Continuous monitoring across the platform and edge fleet. Anomaly detection on auth, API, and audit-chain signals. Suspected security incidents triaged within one business day; confirmed incidents move to active response within two hours.

Customer notification

Tenants affected by a confirmed security incident receive direct notification within 72 hours, with details on impact, mitigation steps, and remediation timeline. Public disclosure follows on the status page once active mitigation completes.

Recovery objectives

RTO of 4 hours for the platform and 1 hour for the audit chain. RPO of 15 minutes for tenant data. Backups stored across multiple regions; quarterly restore drills validate the recovery path.

Postmortems

Every T3+ incident receives a blameless postmortem within five business days. Action items land in a tracked queue with owners and due dates. Design partners receive the full postmortem; the public-facing summary lands on the status page.

Vulnerability disclosure

Reporting a vulnerability

Security researchers and customer security teams are encouraged to report suspected vulnerabilities through the security contact below. KoraSafe practices coordinated disclosure: researchers acknowledged publicly with consent, no legal action for good-faith research conducted in scope.

Step | Detail | Target
Initial response | Acknowledgement that the report was received and is being triaged. Routed to the on-call security responder. | One business day
Triage outcome | Severity classification (Critical / High / Medium / Low / Informational), reproduction confirmed, fix path scoped. | Three business days
Fix shipped | Critical: within 14 days. High: within 30 days. Medium: within 60 days. Low and informational: tracked in the public backlog. | Per severity
Public disclosure | Coordinated with the reporter. Default: disclosure once a fix is shipped and customers have had a reasonable upgrade window for the edge-agent shape. Reporter acknowledged in the changelog with consent. | After fix

Out of scope: theoretical attacks without a proof of concept, denial-of-service against the public origin, and third-party dependencies (route those upstream). Report at Contact-us@korasafe.ai; if the report contains exploitation detail, encrypt it with the PGP key published in the response email.

Data lifecycle

Retention, deletion, export

What data persists, for how long, and how customers control it. The Data Processing Agreement codifies these commitments contractually.

Class | Default retention | Customer control
Findings and audit-chain entries | Retained for the active subscription term plus seven years to satisfy regulatory evidence requirements. Customer-configurable for shorter retention where the regulator permits. | Per-tenant policy
Evidence packages | Retained while referenced by an active audit or for seven years after generation, whichever is longer. Cold-storage tier after one year of inactivity. | Per-pack TTL
Telemetry and signals | 90 days for raw activity data; aggregated metrics retained for trend analysis. Customer policy determines what activity data is transmitted from edge agents in the first place. | Edge agent policy
Account and configuration | Retained for the subscription term. On termination, 30-day grace window for export, then purged. Backup copies expire within 90 days of purge. | Export on request
Source documents and probe transcripts | Retained while referenced by an active obligation, control, or evidence record. Tenant-scoped, signed-URL retrieval only. | Per-document TTL

For full export, deletion, and DPA terms, see the Data Processing Agreement. Privacy policy lives at korasafe.ai/privacy.

Supply chain

Sub-processors and SBOM

Third parties that process customer data on behalf of KoraSafe are listed in the sub-processor schedule attached to the DPA. Software bills of materials (SBOMs) are generated per release and available to customers on request.

Sub-processor schedule

Maintained as a section of the DPA. Customers receive notification before a new sub-processor is added. The current schedule is shared on request through the security contact.

SBOM availability

Per-release software bills of materials cover the platform, the edge agent, and the published extensions and SDKs. Signed bundles are available for the air-gap shape.

Third-party security review

Independent penetration test on the platform and edge agent on a regular cadence aligned to the SOC 2 audit window. Findings remediated against the same severity SLA as researcher reports. Executive summaries available under NDA.

Dependency review

Every PR runs license, vulnerability, and signed-commit checks against the dependency graph. Critical CVEs in supported dependencies trigger upgrade work within the standard fix SLA.

SR 11-7 framing

What our SR 11-7 alignment actually means

KoraSafe surfaces SR 11-7 evidence through the financial-services sector pack and the audit-package endpoint. The fin-us pack assembles vendor attestations, model approval records, fairness findings, and adverse-action evidence against SR 11-7 citation patterns alongside NAIC Model Bulletin and ECOA evidence. We do not claim end-to-end SR 11-7 model risk management coverage on our own; we provide the evidence layer that bank model risk teams use to demonstrate controls during regulatory exams.

Sector pack: fin-us bundles SR 11-7 + NAIC + ECOA
Audit pack: regulator-readable PDF on demand
Citation rendering: SR 11-7 patterns honored