Security Whitepaper

Security Architecture

A governance-first approach to AI agent security. This document details K0nsult's infrastructure, application, data protection, and agent security controls for enterprise decision-makers.

Document version 1.0 — Last updated: March 2026 — Classification: Public

Executive Summary

K0nsult operates a governance-first AI agent management platform. Security is not an afterthought or an add-on -- it is embedded into every layer of our architecture, from infrastructure provisioning to agent behavior control.

Our security posture is designed to meet the expectations of enterprise CPOs, CISOs, and Security Officers who need verifiable controls before approving vendor relationships. This document provides a transparent overview of our security architecture, the controls we enforce, and the compliance frameworks we align with.

Infrastructure: EU-Based Hosting

All services run on SOC2-compliant infrastructure in Frankfurt, EU. Data never leaves the European Economic Area.

Application: Defense in Depth

Multi-layer security: JWT authentication, role-based access, rate limiting, input validation, and hardened HTTP headers.

Data: Minimal Collection

No third-party tracking. No Google Analytics. No Facebook Pixel. We collect only what is necessary to deliver the service.

Agents: Mandate-Bound

Every agent operates within defined authority boundaries. Human override is available at every level. Full audit trail for all actions.

Infrastructure Security

Our infrastructure is designed for security, reliability, and regulatory compliance. All components run within the European Union.

Hosting Environment

  • Provider: Fly.io -- SOC 2 Type II compliant infrastructure
  • Region: Frankfurt, Germany (EU) -- data residency guaranteed within EEA
  • Isolation: Dedicated application instances with private networking between services
  • Redundancy: Automated health checks and instance restart on failure

Database

  • Engine: PostgreSQL (managed by Fly.io)
  • Encryption at rest: AES-256 encryption on all database volumes
  • Backups: Automated daily backups with point-in-time recovery
  • Access: Internal network only -- no public database endpoints

Transport Security

  • Protocol: HTTPS enforced on all endpoints -- HTTP requests are redirected
  • TLS Version: TLS 1.3 (minimum TLS 1.2)
  • Certificate Management: Automated certificate provisioning and renewal
  • Internal Traffic: Encrypted via Fly.io private networking (WireGuard)

Network Architecture

  • Private networking between application and database services
  • No direct database access from the public internet
  • Egress restricted to required external services only
  • DNS-based service discovery within the private network

Application Security

Application-level security follows defense-in-depth principles. Multiple independent controls ensure that a failure in one layer does not compromise the system.

Authentication

  • Primary: JSON Web Tokens (JWT) with configurable expiration
  • API Access: API key authentication via x-konsult-secret header
  • Token Storage: Tokens are never stored in localStorage -- web clients receive them in httpOnly cookies
  • Session Management: Server-side session validation with automatic expiry

Authorization

  • Model: Role-Based Access Control (RBAC)
  • Roles: admin, read, agent
  • Principle: Least privilege -- each role has only the permissions required for its function
  • Enforcement: Middleware-level authorization checks on every route

Rate Limiting

Three-tier rate limiting protects against abuse and denial-of-service attempts.

Tier               Scope                    Limit          Window
General            All API endpoints        100 requests   15 minutes
Authentication     Login, token refresh     10 requests    15 minutes
Write Operations   POST, PUT, DELETE        30 requests    15 minutes
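The tiering in the table, as an added illustration rather than the platform's own code: a fixed-window limiter in which the general tier counts every request and the authentication and write tiers are checked on top of it, so a single login attempt draws on all three. The /auth/login and /auth/refresh paths, the per-client keying, and the rule that a refused request consumes no quota are assumptions not stated on the page.

```javascript
// Added example of three-tier, fixed-window rate limiting (not K0nsult's code).
// Assumptions: login/refresh are served at /auth/login and /auth/refresh, clients are
// identified by req.clientId, and a request must pass every tier that applies to it.
const WINDOW_MS = 15 * 60 * 1000; // 15-minute window, as in the table

const TIERS = [
  { name: 'general', limit: 100, applies: () => true },
  { name: 'authentication', limit: 10,
    applies: (req) => req.path === '/auth/login' || req.path === '/auth/refresh' },
  { name: 'write', limit: 30,
    applies: (req) => ['POST', 'PUT', 'DELETE'].includes(req.method) },
];

// `now` is injectable so window expiry can be exercised deterministically.
function createRateLimiter({ windowMs = WINDOW_MS, now = Date.now } = {}) {
  const counters = new Map(); // key "tier|client" -> { count, windowStart }

  function bucket(tierName, clientId, t) {
    const key = `${tierName}|${clientId}`;
    let b = counters.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t }; // window expired (or first seen): start fresh
      counters.set(key, b);
    }
    return b;
  }

  // Returns { allowed: true } or { allowed: false, tier, retryAfterMs }.
  return function check(req) {
    const t = now();
    const applicable = TIERS.filter((tier) => tier.applies(req));
    // Pass 1: refuse if any applicable tier is exhausted, consuming nothing from the
    // others, so a blocked login does not also burn the client's general/write quota.
    for (const tier of applicable) {
      const b = bucket(tier.name, req.clientId, t);
      if (b.count >= tier.limit) {
        return { allowed: false, tier: tier.name, retryAfterMs: b.windowStart + windowMs - t };
      }
    }
    // Pass 2: the request is admitted; charge every tier it falls under.
    for (const tier of applicable) bucket(tier.name, req.clientId, t).count += 1;
    return { allowed: true };
  };
}
```

In a real deployment the returned retryAfterMs would be surfaced as a Retry-After header on a 429 response, and the counters would live in a shared store rather than in-process memory.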

Input Validation

  • Sanitization: All user input is passed through the cleanText() utility before any further handling
  • SQL Injection Prevention: Parameterized queries on all database operations -- no string concatenation
  • XSS Prevention: Output encoding and Content Security Policy headers
  • Request Size: Maximum request body size enforced

Security Headers

All responses include hardened security headers via Helmet.js middleware.

  • Content-Security-Policy (CSP): Restricts resource loading to trusted origins
  • Strict-Transport-Security (HSTS): Forces HTTPS for all subsequent requests
  • X-Frame-Options: Prevents clickjacking by disallowing iframe embedding
  • X-Content-Type-Options: Prevents MIME-type sniffing
  • Referrer-Policy: Controls information sent in the Referer header
  • Permissions-Policy: Restricts browser feature access (camera, microphone, geolocation)

CORS Configuration

  • Cross-Origin Resource Sharing configured per environment
  • Production: restricted to known K0nsult domains only
  • Credentials: controlled via Access-Control-Allow-Credentials
  • Preflight caching enabled to reduce OPTIONS request overhead

Data Protection

K0nsult follows a minimal data collection principle. We collect only what is necessary to deliver the contracted service, and we do not monetize client data in any way.

Encryption at Rest

All PostgreSQL data is encrypted at rest using AES-256 encryption, managed by Fly.io infrastructure. Encryption keys are rotated according to provider policy.

Encryption in Transit

All data in transit is protected by TLS 1.3. Internal service-to-service communication uses WireGuard-encrypted private networking.

EU Data Residency

All data is stored and processed within the European Union (Frankfurt, Germany). Data does not leave the EEA under any circumstances.

No Third-Party Tracking

No Google Analytics. No Facebook Pixel. No third-party tracking scripts. We do not share, sell, or monetize client data.

Data Retention Policy

  • Contact and engagement data: Retained for 24 months from last interaction
  • Analytics and usage data: Retained for 12 months, then anonymized or deleted
  • Agent action logs: Retained per client contract terms (default: 12 months)
  • Upon termination: Client data returned and/or deleted within 30 days per DPA terms

Data Minimization

  • We collect only the data fields required to deliver the contracted service
  • Optional fields are clearly marked and never pre-filled
  • Data collection purposes are documented in our Privacy Policy and Data Processing Addendum
  • Regular data audits identify and remove unnecessary data accumulation

Agent Security

AI agents represent the core of K0nsult's service delivery. Agent security is therefore a first-class concern, with multiple overlapping controls to ensure safe, predictable, and auditable behavior.

Authority Boundaries (Mandates)

  • Each agent operates within a defined mandate specifying permitted actions and scope
  • Mandates define what the agent can do, what it cannot do, and when escalation is required
  • No agent can operate outside its assigned mandate under any circumstances
  • Mandate violations trigger automatic alerts and agent suspension

Human Oversight

  • Human override is available at every level of the agent hierarchy
  • Kill switches allow immediate suspension of any agent or agent group
  • Escalation protocols define when an agent must defer to a human operator
  • No agent output reaches the client without passing through defined quality gates

Audit Trail

  • Every agent action is logged with timestamp, action type, input, output, and decision rationale
  • Logs are immutable and tamper-evident
  • Full provenance chains from input to output for regulatory reporting
  • Audit logs are available to clients upon request as part of governance reporting

Quality Gates

  • Multi-stage validation pipeline before output delivery
  • Automated checks for accuracy, consistency, and compliance
  • Confidence scoring at each stage -- low-confidence outputs are flagged for human review
  • Peer review protocols for high-stakes outputs

Client Data Isolation

  • Strict tenant isolation -- agents cannot access other clients' data
  • Database-level row security policies enforce data boundaries
  • Agent context is scoped to the current engagement only
  • No cross-client data leakage is possible through the agent layer

Compliance Alignment

K0nsult aligns its security and governance practices with major regulatory frameworks. We provide alignment support and preparation -- not formal certification.

EU AI Act Alignment

Risk classification mapping, transparency obligations, technical documentation, and human oversight requirements. We help clients prepare for formal assessment.

ISO 42001 Principles

Our AI management system governance is aligned with ISO 42001 principles. Gap analysis and control mapping support available for clients pursuing certification.

GDPR / RODO Compliance

Privacy by design, data minimization, lawful processing, DPIA support, data subject rights handling, and 72-hour breach notification.

Internal Organizational Policies

Adaptable governance framework that integrates with client internal policies, risk appetite, and existing GRC infrastructure.

Important Disclaimer: K0nsult provides alignment support and governance preparation. Formal compliance certification requires engagement with accredited auditors and recognized certification bodies. Our role is to help you build the evidence base, controls, and documentation needed for those assessments.

Incident Response

K0nsult maintains a documented incident response procedure covering detection, containment, investigation, notification, and recovery.

Detection

  • Automated monitoring and alerting on all critical system components
  • Anomaly detection on API usage patterns and agent behavior
  • Log aggregation and real-time analysis for security events
  • Infrastructure health monitoring with automated escalation

Response Procedure

  • Identification: Classify incident severity (Critical / High / Medium / Low)
  • Containment: Isolate affected systems to prevent spread
  • Investigation: Root cause analysis with full audit trail review
  • Remediation: Apply fix, verify resolution, update controls
  • Post-Incident Review: Document lessons learned, update procedures

Notification

  • Data breach notification within 72 hours per GDPR Article 33
  • Affected clients notified directly with incident details and impact assessment
  • Supervisory authority notification where required by law
  • Post-incident report provided to affected clients

Contact

Security Contact: security@k0nsult.dev
Use this address to report security vulnerabilities or incidents; we acknowledge all reports within 24 hours.

Vulnerability Management

Proactive vulnerability management is integrated into our development lifecycle. We identify, assess, and remediate vulnerabilities before they can be exploited.

Dependency Security

  • Automated Scanning: npm audit runs on every CI/CD pipeline execution
  • Dependency Updates: Regular review and update of all third-party dependencies
  • Lock Files: Dependency versions are pinned to prevent supply chain attacks
  • Advisory Monitoring: Subscribed to security advisories for all critical dependencies

Container Security

  • Base Image: Minimal Alpine Linux images to reduce attack surface
  • Non-root Execution: Application processes run as non-root users
  • Image Scanning: Container images scanned for known vulnerabilities before deployment
  • Immutable Deployments: Containers are rebuilt from scratch on every deployment -- no in-place patches

Secure Development Practices

  • Code review required for all changes before merge to production
  • Secrets management via environment variables -- no secrets in source code
  • Separation of development, staging, and production environments
  • Regular security-focused code reviews and architecture assessments

Continue Your Review

These documents complement the Security Whitepaper and provide additional detail for enterprise evaluation.

Data Processing Addendum

Standard DPA template covering data processing terms, sub-processors, audit rights, and GDPR obligations.


Service Level Agreement

SLA tiers, availability targets, response times, escalation paths, and service credit policy.
