Kanora
Trust + Security
What you're trusting us with

Kanora is founder-led. This page tells you exactly where our security and compliance posture stands today.

We handle our customers' operating data. That includes job records, customer lists, financial figures, employee schedules, and the SOPs that run the business. The bar for protecting that data is the bar for our entire company.

We are early. We use proven infrastructure where it matters (AWS, Auth0, Cloudflare, Anthropic). We are honest about what is in place, what is in progress, and what is deferred until scale justifies it. No security theater. No claims we can't back up.

01 / Controls

Security overview

The controls below are in production today. Customer data is isolated by tenant, encrypted at rest and in transit, and access is role-based.

Control Detail Status
Encryption at rest AES-256, AWS RDS default. Keys managed in AWS KMS, rotated annually. In place
Encryption in transit TLS 1.3 across all customer-facing endpoints. HSTS enforced. Cloudflare-managed certificates with auto-renewal. In place
Authentication Auth0-managed. Password requirements meet NIST 800-63B. MFA available for all customer accounts; required for admin roles. In place
Access control Role-based access control (RBAC). Strict tenant isolation enforced at the database and application layers. Least-privilege internal access. In place
Audit logging Every customer-facing action and every internal admin action is logged with actor, timestamp, and target. Logs are append-only and retained for 12 months minimum. In place
Backups Daily encrypted snapshots, geo-redundant across two AWS regions. 30-day point-in-time recovery. Quarterly restoration test. In place
Application monitoring Sentry for error tracking. CloudWatch for infrastructure metrics. Customer-impacting incidents trigger pager alerts to the on-call founder. In place
Dependency scanning Automated dependency vulnerability scans on every deploy. Critical CVEs patched within 7 days; high-severity within 30 days. In place
Secrets management No secrets in source. Production secrets in AWS Secrets Manager. Quarterly secret rotation. Pre-commit secret scanning across all repos. In place
Endpoint security Founder workstation is full-disk-encrypted, MDM-managed, with auto-lock and remote wipe. Production infrastructure has no shared workstation access. In place
02 / Compliance

Compliance status

Honest current state. We don't claim certifications we don't have.

Framework Detail Status
SOC 2 Type 1 Target Q3 2026. Drata-managed once $30K MRR justifies the ~$15K/yr program cost. Controls are operating today against the SOC 2 framework; the formal audit is the next milestone. In progress
SOC 2 Type 2 Follows Type 1 by ~6 months once audit period is complete. Planned
HIPAA Not pursued. The trades sector Kanora serves does not require HIPAA. We will not process Protected Health Information. Not applicable
PCI DSS Not applicable. Kanora does not store, process, or transmit cardholder data. Customer payment processing (if any) occurs in third-party processors outside the Kanora environment. Not applicable
GDPR Applicable to any EU-resident customers or data subjects. Data residency is US-only by default; EU-region hosting is available on request at the Architecture engagement tier. Aligned
CCPA / CPRA Applicable to California-resident data subjects. Customer-data deletion and access requests are honored within 30 days. Aligned
ISO 27001 Not currently planned. We will revisit when an enterprise customer requires it. Not planned
03 / Subprocessors

Subprocessors

Every vendor with access to customer data is listed below. Customers receive 30 days written notice before any new subprocessor is added that handles customer data.

Subprocessor Purpose Data handled Region
Amazon Web Services (AWS) Infrastructure hosting (RDS, EC2, S3, KMS, Secrets Manager, CloudWatch) All customer data US-EAST-1, US-WEST-2
Cloudflare DNS, CDN, WAF, TLS termination Request metadata, traffic logs Global edge
Auth0 (Okta) Authentication and identity User email, hashed credentials, MFA factors US
Anthropic LLM inference for Kanora Board agents Customer prompts and context, no training opt-in US
OpenAI Secondary LLM inference, embeddings Customer prompts and context, no training opt-in US
Sentry Application error tracking Stack traces, error metadata (no customer-data payload) US
Drata Compliance automation (when SOC 2 program begins) Control evidence, configuration state US
Google Workspace Internal email, calendar, document storage Customer communications, contracts US

Last updated 2026-05-24. The current subprocessor list is always reflected on this page.

04 / Incident response

Incident response

If something goes wrong, here is exactly what happens.

  • Detection. Automated monitoring (Sentry + CloudWatch) and customer reports to security@kanora.co. Customer-impacting issues page the on-call founder. Initial acknowledgment within 24 hours.
  • Containment + investigation. Within 4 hours of detection, the incident is triaged, scope assessed, and containment actions taken. A timestamped incident record is opened.
  • Customer notification. Affected customers are notified within 72 hours of confirmed security incident, including scope, data involved, and immediate actions required (if any).
  • Resolution. Root cause identified, fix deployed, monitoring confirmed clean.
  • Post-incident report. Written report shared with affected customers within 30 days: root cause, timeline, remediation, and preventive measures.

Reporting an incident. Email security@kanora.co. Use subject line [INCIDENT] for security incidents. Initial acknowledgment within 24 hours.

05 / Data residency

Data residency

US-only by default. All customer data is stored in AWS US-EAST-1 (Virginia) with replication to US-WEST-2 (Oregon) for disaster recovery. No customer data crosses borders by default.

EU region available at Architecture tier. Customers contracting the Architecture engagement tier with EU-resident data subjects can request EU-region hosting (AWS EU-WEST-1, Ireland). This is provisioned per-tenant; standard cross-tenant features are preserved.

06 / Vulnerability disclosure

Vulnerability disclosure

If you find a security vulnerability in any Kanora system, email security@kanora.co. We commit to:

  • Initial acknowledgment within 24 hours of report receipt.
  • Triage and severity classification within 5 business days.
  • Patch deployment within 7 days for critical findings, 30 days for high-severity, 90 days for medium and below.
  • Coordinated disclosure. We ask researchers to allow us 90 days to remediate before public disclosure.

No bug bounty program currently. Kanora is founder-led. A formal bug bounty program will be added when the engineering team scales beyond a single operator. In the interim, we acknowledge responsible disclosures publicly (with researcher permission) on this page.

07 / DPA

Data Processing Agreement

The Kanora Data Processing Agreement governs how Kanora processes customer data as a processor on the customer's behalf. It is incorporated by reference into every Engagement Letter.

Download DPA (PDF)
08 / MSA

Master Services Agreement

The Kanora Engagement Letter is the operative services agreement for each Build. A blank template is available for review before contracting.

Download Engagement Letter template (PDF)
09 / Insurance

Cyber liability insurance

In procurement, target binding by first paying customer. Quotes are in motion with Cowbell, Vouch, and At-Bay (the standard tech-startup cyber carriers).

Coverage target: $1M minimum per-occurrence, including first-party breach response (forensics, notification, credit monitoring) and third-party liability. Policy details and certificate of insurance available on request to security@kanora.co once bound.