Enterprise Trust Center

Security & Trust Center

Transparency is the foundation of enterprise trust. Here you will find everything you need to evaluate K0nsult's security posture, data protection practices, and compliance alignment.

Last security posture review: March 2026. Next scheduled review: June 2026. Reviews conducted quarterly.

Security Architecture

Enterprise-grade infrastructure with defense-in-depth across every layer of the stack.

Hosting & Infrastructure

  • Fly.io Frankfurt (EU) region — ISO 27001-certified data center
  • Dedicated application instances with resource isolation
  • Automated health checks and zero-downtime deployments
  • Private networking between application components

Encryption

  • TLS 1.3 encryption for all data in transit
  • PostgreSQL encryption at rest (AES-256)
  • Encrypted backups with separate key management
  • HTTPS enforced on all endpoints — no plaintext fallback

Network Isolation

All application components run within isolated private networks. Database access is restricted to application-level connections only — no public database endpoints. Inter-service communication uses encrypted internal DNS. Edge routing includes DDoS protection at the CDN layer.

Security Headers (Verified)

All responses include the following security headers (verifiable via curl -sI https://k0nsult.fly.dev/health):

  • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'...
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Rate Limiting: 1000 requests per 15 minutes per IP

The X-Powered-By header is removed (helmet.js). Verify: curl -sI https://k0nsult.fly.dev/health | grep -i x-powered prints nothing.
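As an added example (not K0nsult's code, written for the Node.js stack the page describes), the header policy above turned into an automated check over a captured curl -sI response; the sample response is constructed, and the check also flags 'unsafe-inline' in script-src, which lets injected inline scripts run despite the CSP.

```javascript
// Constructed sample of a `curl -sI` response (HTTP/2 lowercases header names).
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'strict-transport-security: max-age=31536000; includeSubDomains',
  'x-frame-options: SAMEORIGIN',
  'x-content-type-options: nosniff',
  'referrer-policy: strict-origin-when-cross-origin',
  'permissions-policy: camera=(), microphone=(), geolocation=()',
].join('\r\n');
// Exact values the trust page commits to; HSTS and CSP are checked structurally below.
const EXPECTED = {
  'x-frame-options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
// Skip the status line, split "Name: value" pairs, lower-case names for comparison.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Returns a list of findings; an empty list means the response matches the policy.
function checkSecurityHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (h[name] === undefined) findings.push(`missing ${name}`);
    else if (h[name] !== want) findings.push(`${name} is "${h[name]}", expected "${want}"`);
  }
  // HSTS must be at least one year (31536000 s) and cover subdomains.
  const hsts = h['strict-transport-security'] || '';
  const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1]);
  if (!(maxAge >= 31536000)) findings.push('HSTS max-age below one year or missing');
  if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  // CSP must exist; 'unsafe-inline' in script-src lets injected inline scripts run.
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing content-security-policy');
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("CSP script-src allows 'unsafe-inline'");
  // Framework fingerprint must be absent (helmet removes it).
  if ('x-powered-by' in h) findings.push('x-powered-by present');
  return findings;
}
console.log(checkSecurityHeaders(SAMPLE_RESPONSE)); // ["CSP script-src allows 'unsafe-inline'"]
```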

CI/CD Pipeline

  • Source Control: GitHub — github.com/0n40i4/k0nsult
  • CI/CD: GitHub Actions — ESLint + Jest on push/PR to main
  • Testing: 87 Jest tests (security, API, SEO, pages)
  • Deployment: Fly.io rolling deploy (zero downtime)
  • Infrastructure: Multi-region — Frankfurt (2x) + Amsterdam (1x)

Your Data, Your Control

We collect the minimum data necessary and keep it within the EU.

Data Residency

  • All data stored in EU (Frankfurt, Germany)
  • No data transfer outside EEA
  • Backups stored in same EU region

Data Retention

  • Contact data: 24 months, then purged
  • Analytics data: 12 months, anonymized
  • Project data: retained per contract, deletable on request

Minimal Collection

  • Only essential data collected for service delivery
  • No third-party tracking scripts or pixels
  • No advertising cookies or behavioral profiling

No Third-Party Tracking

  • Zero third-party analytics (no Google Analytics)
  • Essential cookies only
  • No data sold or shared with third parties

Authentication & Authorization

Multi-layered access control ensures only authorized users and systems interact with your data.

Authentication

  • JWT (JSON Web Token) based session management
  • API key authentication for programmatic access
  • Token expiration and rotation policies
  • Secure password hashing (bcrypt)

Authorization

  • Role-Based Access Control (RBAC) with granular permissions
  • Principle of least privilege enforced
  • Rate limiting on all API endpoints
  • Complete audit trail of all access events

Compliance Alignment

Our platform is designed with regulatory requirements in mind from the ground up.

EU AI Act

K0nsult provides alignment support for the EU AI Act. Our governance framework includes risk classification assistance, human oversight mechanisms, transparency documentation, and an agent registry that supports compliance documentation requirements.

ISO 42001

Our AI management system principles are aligned with ISO/IEC 42001 requirements. We maintain documented processes for AI lifecycle management, risk assessment, and continuous improvement that follow the standard's framework.

GDPR Compliance

K0nsult is built for GDPR compliance: EU data residency, data minimization, right to erasure, data portability, explicit consent mechanisms, 72-hour breach notification, and a Data Processing Agreement (DPA) available for all enterprise clients. Our Privacy Policy and Terms of Service are fully aligned with GDPR requirements.

Disclaimer: K0nsult provides preparation support, alignment guidance, and governance tooling to help organizations work toward compliance. Our services do not constitute legal advice or certification. Organizations should conduct their own legal review and, where applicable, engage accredited certification bodies for formal certification.

AI Agent Governance Controls

Every agent operates within strict boundaries with mandatory human oversight.

Mandate Boundaries

  • Every agent has a defined scope of operations (mandate)
  • Actions outside mandate are blocked and logged
  • Mandate changes require authorized human approval

Human Override

  • Human-in-the-loop for critical decisions
  • Emergency stop capability on all agents
  • Escalation protocols with defined SLAs

Quality Gates

  • Pre-deployment testing and validation
  • Continuous performance monitoring
  • Automated quality scoring with thresholds

Agent Isolation

  • Each agent runs in an isolated execution context
  • No cross-client data access
  • Sandboxed environments for agent operations

Incident Response Protocol

Clear, documented procedures for detecting, responding to, and recovering from security incidents.

Detection

  • Automated monitoring and alerting on all critical systems
  • Anomaly detection on API access patterns
  • Real-time log aggregation and analysis

Escalation & Notification

  • Defined escalation tiers: L1 (automated) → L2 (engineering) → L3 (management)
  • 72-hour breach notification per GDPR Article 33
  • Affected clients notified within 24 hours of confirmed breach
  • Post-incident report delivered within 5 business days

Security Contact

Report security vulnerabilities or concerns: security@k0nsult.dev. Responsible disclosure is welcome. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.

Vulnerability Disclosure Policy

We welcome responsible security research and are committed to working with the community to resolve vulnerabilities.

Scope

  • All publicly accessible K0nsult services and APIs at k0nsult.fly.dev

Out of scope: Third-party services, social engineering, denial of service

Response Timeline

  • Acknowledgment within 24 hours
  • Initial assessment within 72 hours
  • Fix target within 30 days

Safe Harbor

We will not pursue legal action against researchers acting in good faith. Good faith means: no accessing or modifying other users' data, no degrading service availability, and promptly reporting findings to security@k0nsult.dev.

Backup Policy & Recovery

Defined recovery objectives ensure your data is protected and services can be restored quickly.

Backup Schedule

  • Automated database backups every 6 hours (RPO: 6 hours)
  • Backups encrypted at rest, stored in separate availability zone
  • Recovery procedures tested quarterly

Recovery Targets

  • Infrastructure recovery target: 4 hours (RTO: 4 hours)
  • Recovery Point Objective (RPO): 6 hours maximum data loss
  • Documented runbooks for all recovery scenarios

Role-Based Access Control Matrix

Granular permissions mapped to each role, enforcing least-privilege across the platform.

Role      Agent Registry  Mission Control  Audit Logs  Admin Panel  Billing
Owner     Full            Full             Full        Full         Full
Admin     Read/Write      Read/Write       Read        Read/Write   Read
Operator  Read/Write      Read/Write       Read        None         None
Auditor   Read            Read             Full        Read         None
Guest     Read (public)   None             None        None         None

Audit Trail Details

Comprehensive, immutable logging of all security-relevant events across the platform.

What Is Logged

  • All API calls, authentication events, permission changes, and agent actions are logged
  • Logs retained for 12 months minimum
  • Logs are append-only (immutable) and integrity-verified
  • Access to audit logs restricted to Owner and Auditor roles
  • Log format: JSON with timestamp, actor, action, resource, result, IP

Example Log Entry

{
  "timestamp": "2026-03-23T01:24:00Z",
  "actor": "agent-k02",
  "action": "process_assessment",
  "resource": "client-intake-42",
  "result": "success",
  "ip": "10.0.0.1"
}

Every log entry follows this structured JSON format, enabling automated analysis, compliance reporting, and forensic investigation when needed.

Access Reviews

Regular access reviews ensure permissions remain appropriate and least-privilege is maintained.

Review Policy

  • Access reviews conducted monthly by system owner
  • Least privilege principle enforced: permissions granted per-role, not per-user
  • Unused accounts deactivated after 90 days of inactivity
  • All privilege escalations require explicit owner approval and are logged

Secret Management

All sensitive credentials are managed with strict controls to prevent exposure and ensure timely rotation.

Storage & Protection

  • All API keys, credentials, and tokens are stored in encrypted environment variables
  • No secrets in source code or configuration files
  • Secrets are injected at runtime via platform-level secret management

Key Rotation Policy

  • API keys rotated quarterly
  • Database credentials rotated on infrastructure changes
  • JWT signing keys rotated annually
  • All rotation events are logged in the audit trail

Log Retention Policy

Defined retention periods ensure logs are available for compliance and forensic purposes, while being responsibly archived and deleted.

Retention Periods

Log Type             Retention Period
Security event logs  36 months
Application logs     12 months
Access logs          12 months
Audit trail          36 months (or client contract duration, whichever is longer)
Backup logs          6 months

Logs are automatically archived after their retention period and permanently deleted after an additional archive period of 12 months.

Security Due Diligence Checklist

Enterprise clients can use this checklist to evaluate K0nsult's security posture as part of their vendor assessment process.

Security Due Diligence Checklist for Enterprise Clients

  • Data hosting location and jurisdiction confirmed
  • Encryption standards reviewed (at rest + in transit)
  • Access control model reviewed (RBAC)
  • Audit trail capabilities verified
  • Incident response procedure reviewed
  • DPA / sub-processor list received
  • Backup and recovery targets confirmed (RPO/RTO)
  • Vulnerability disclosure policy reviewed
  • Compliance alignment verified (GDPR, AI Act)
  • Security contact established

Need help completing this checklist? Contact security@k0nsult.dev and we will schedule a security walkthrough.

Sub-processors & Third Parties

We maintain a minimal sub-processor footprint to reduce risk.

Sub-processor                Service                        Location                 Data Processed                   Status
Fly.io                       Application hosting & compute  Frankfurt, Germany (EU)  Application data, user sessions  Active
PostgreSQL (Fly.io Managed)  Database hosting               Frankfurt, Germany (EU)  All persistent data              Active

Note: We will notify enterprise clients at least 30 days before adding any new sub-processor. Clients have the right to object per the Data Processing Agreement.

See our Procurement Pack for vendor assessment details →

Documents Available

All the documentation your procurement and security teams need, ready for review.

Status & Uptime Commitments

Tiered availability commitments that match your business requirements.

Metric                Starter                 Professional            Enterprise
Uptime SLA            99.0%                   99.5%                   99.9%
Max Monthly Downtime  ~7h 18m                 ~3h 39m                 ~43m
Maintenance Window    Sunday 02:00-06:00 CET  Sunday 02:00-04:00 CET  Coordinated, 48h notice
Incident Response     Best effort             < 4 hours               < 1 hour
Status Updates        Email                   Email + dashboard       Email + dashboard + Slack

Contact Our Security Team

Questions about our security posture? Need documentation for your review? Responsible disclosure? We are here to help.

security@k0nsult.dev

Responsible disclosure is welcome. We acknowledge all reports within 24 hours.
