Enterprise Evidence Room — Public Disclosure

K0NSULT Trust Center
Security, Compliance & AI Governance

Every claim backed by evidence. Every control mapped to status. This page exists so your InfoSec team does not have to ask twice — complete due diligence documentation in one place.

10 Control Areas
EU Data Residency
GDPR Compliant
99.9% Enterprise SLA
Evidence Index

What evidence is available and how

We distinguish three tiers of evidence. Public evidence is available to anyone. NDA evidence is provided to qualified prospects after signing. Planned evidence is not yet available.

🌐 Public — no login required
  • ✓ Trust Center (this page)
  • ✓ Security Overview (TLS, encryption, access)
  • ✓ GDPR / DPA summary
  • ✓ Control Matrix
  • ✓ Data Retention Schedule
  • ✓ Incident Response Summary
  • ✓ Architecture Overview
  • ✓ AI Governance FAQ
  • ✓ Security Testing Coverage table
  • ✓ Assurance Roadmap
  • ✓ Public Sector path (/public-sector)
🔒 Under NDA — qualified prospects
  • ✓ Full Controls Self-Assessment
  • ✓ Backup Restore Test Report (Q1 2026)
  • ✓ Internal SAST / dependency scan logs
  • ✓ Penetration test report (post Q2 2026)
  • ✓ Subprocessor full list with DPA refs
  • ✓ Infrastructure diagram (detailed)
  • ✓ Pilot Scope Template
  • ✓ Security Summary (1-pager)
  • ✓ Claims-to-Proof Matrix (extended)
🔜 Planned — not yet available
  • ○ SOC 2 Type II Certificate (Q3 2026)
  • ○ ISO 27001 Certificate (Q3 2026)
  • ○ ISO 42001 Certificate (Q4 2026)
  • ○ DAST scan report (in progress)
  • ○ SCIM provisioning docs (Q3 2026)
  • ○ Formal third-party pentest report (Q2 2026)
Notify me when available: kontakt@k0nsult.cloud
Section 01

Security Overview

Infrastructure-level and application-level security controls active in production across all K0nsult deployments.

Infrastructure
  • Provider: Fly.io — EU Region
  • Nodes: Frankfurt (primary) + Amsterdam (failover)
  • Machines: 3 machines, auto-scaling enabled
  • Uptime monitoring: Health checks every 30 seconds
  • Status dashboard: /status.html
  • DDoS mitigation: Fly.io edge layer
Encryption
  • In transit: TLS 1.3 enforced on all connections
  • At rest: AES-256 (PostgreSQL encrypted volumes)
  • Certificate: Let's Encrypt — auto-renewal
  • HSTS: max-age=31536000, includeSubDomains
  • Key rotation: Automated via Fly.io secrets management
Authentication & Authorization
  • Auth: JWT + Bearer token
  • SSO: Google OAuth2, SAML 2.0 (Azure AD, Okta) — LIVE
  • 2FA: TOTP available on all accounts
  • RBAC: 6 roles — Owner → Guest
  • SCIM: SCIM 2.0 planned Q2 2026
  • Token expiry: Configurable, rotation policy enforced
HTTP Security Headers
  • Content-Security-Policy: nonce-based (in progress)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • HSTS: Strict-Transport-Security enforced
Rate Limiting
  • API endpoints: 500 req / 15 min per tenant
  • Static assets: 5,000 req / 15 min
  • Auth endpoints: 10 req / 15 min (brute-force protection)
  • Scope: Per-IP + per-tenant throttling
  • Response: HTTP 429 with Retry-After header
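
The header and throttling values listed above can be checked against what a deployment actually returns. The following is an added example, not K0nsult's own tooling: it audits a captured set of response headers against the published values. The sample header sets are constructed, and the PASS / FAIL / PENDING / WEAK verdict labels are this example's own.

```python
import re

# Expected values, copied from the header and HSTS entries listed above.
EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS_MIN_AGE = 31536000
PERMISSIONS_DENIED = ("camera", "microphone", "geolocation")


def normalise(headers):  # header names are case-insensitive
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def check_hsts(value):
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [d[8:].strip('"') for d in directives if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit() or int(ages[0]) < HSTS_MIN_AGE:
        return "FAIL"
    return "PASS" if "includesubdomains" in directives else "FAIL"


def check_permissions_policy(value):
    """Each published feature must carry the empty allowlist "()"."""
    features = {}
    for item in value.split(","):
        name, _, allow = item.strip().partition("=")
        features[name.strip().lower()] = allow.replace(" ", "")
    ok = all(features.get(f) == "()" for f in PERMISSIONS_DENIED)
    return "PASS" if ok else "FAIL"


def csp_directive(csp, name):
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s+([^;]*)", csp, re.I)
    return m.group(1).lower() if m else None


def check_csp(value):
    """Nonce-based CSP is listed as in progress: absence is PENDING, not FAIL."""
    if value is None:
        return "PENDING"
    sources = csp_directive(value, "script-src") or csp_directive(value, "default-src") or ""
    if "'nonce-" in sources:
        return "PASS"
    return "WEAK" if "'unsafe-inline'" in sources else "PENDING"


def audit(headers):
    h = normalise(headers)
    report = {name: "PASS" if h.get(name, "").lower() == want.lower() else "FAIL"
              for name, want in EXACT.items()}
    report["strict-transport-security"] = check_hsts(h.get("strict-transport-security", ""))
    report["permissions-policy"] = check_permissions_policy(h.get("permissions-policy", ""))
    report["content-security-policy"] = check_csp(h.get("content-security-policy"))
    return report


def check_throttle(status, headers):
    """A 429 response must tell the client when to retry."""
    if status != 429:
        return "N/A"
    return "PASS" if normalise(headers).get("retry-after") else "FAIL"


# Constructed sample: matches the published values, CSP not yet deployed.
SAMPLE_OK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed sample: drifted configuration a reviewer should flag.
SAMPLE_DRIFT = {
    "strict-transport-security": "max-age=86400",
    "x-frame-options": "SAMEORIGIN",
    "permissions-policy": "camera=(), microphone=(self), geolocation=()",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    print(audit(SAMPLE_OK), audit(SAMPLE_DRIFT), sep="\n")
```
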
Monitoring & Observability
  • Health checks: Every 30 seconds — /health returns {ok: true, status: 'healthy'}
  • Database health: PostgreSQL + role + VM checks
  • Uptime target: 99.9% SLA (Enterprise)
  • Audit trail: All state-changing events logged (SHA-256)
  • Alerting: Fly.io metrics + application error tracking
  • KPI dashboard: Internal governance panel (access after login)
Section 02

Compliance Status

Current posture against major regulatory and certification frameworks. Honest status — no greenwashing.

Framework | Status | Details
GDPR | Compliant | EU hosting only (Frankfurt + Amsterdam). DPA available on request. No tracking cookies. Server-side request logs only for service improvement — no third-party analytics tools, no analytics cookies, no tracking pixels. DSAR process implemented. Art. 17 erasure and Art. 20 portability endpoints live. No cross-border transfers outside EU.
EU AI Act | In Progress | AI system inventory registered (2,000+ agent profiles). Risk classification framework: prohibited / high-risk / limited / minimal. Human oversight controls implemented. Compliance tooling actively built. Target: Article 9 conformance by Q4 2026.
SOC 2 Type II | Planned Q3 2026 | Controls mapped to Trust Service Criteria (TSC). Evidence collection system active. Audit trail, access control, change management, and incident response procedures documented and operational. Audit engagement in preparation.
ISO 27001 | Planned Q4 2026 | Information Security Management System (ISMS) framework defined. Risk register maintained. Control objectives aligned to Annex A. Gap assessment complete. Certification audit planned Q4 2026.
ISO 42001 | Planned Q4 2026 | AI Management System requirements aligned. AI governance engine, policy engine, bias monitoring, and human oversight controls are foundational elements. Certification planned alongside ISO 27001 engagement.
Honest disclosure: K0nsult holds GDPR compliance through infrastructure choices, contractual controls, and technical implementation. Formal third-party certifications (SOC 2, ISO 27001, ISO 42001) are not yet held. We disclose this openly. Controls are mapped, evidence is collected, and audit preparations are underway. Enterprises with certification requirements may request our controls self-assessment at security@k0nsult.cloud.
Section 03

Data Processing Agreement (DPA)

Summary of key DPA terms. Full DPA template available on request via contact form or security@k0nsult.cloud.

Controller vs Processor Roles

K0nsult acts as a Data Processor when processing personal data on behalf of enterprise customers. Enterprise customers are the Data Controllers responsible for determining purposes and means of processing. For K0nsult's own operational data, K0nsult is the Data Controller.

Data Residency

  • All data stored exclusively in the EU
  • Primary: Frankfurt, Germany (eu-central)
  • Failover: Amsterdam, Netherlands (eu-west)
  • No data transfers outside the EEA
  • Standard Contractual Clauses (SCCs) available for enterprise DPAs

Sub-Processors Register

  • Fly.io — Application hosting (EU region, Frankfurt + Amsterdam)
  • Neon / PostgreSQL — Database hosting (EU region)
  • Stripe — Payment processing (PCI DSS Level 1)
  • Let's Encrypt — TLS certificate issuance (no data processing)
  • Google Fonts — Font delivery (non-personal, optional)

Retention Commitments

  • Configurable retention per tenant (Enterprise)
  • Default log retention: 90 days
  • Audit trail / evidence packs: 7 years
  • User data: account lifetime + 30 days post-termination
  • Deletion SLA: 30 days from valid erasure request
  • Backup retention: 30-day rolling window

Data Subject Rights

  • Art. 15 — Right of access: API export endpoint live
  • Art. 17 — Right to erasure: on-demand delete, 30-day SLA
  • Art. 20 — Data portability: full JSON export
  • DSAR process: submit via contact form or email
  • Response SLA: 30 calendar days

Security Obligations

  • Technical and organizational measures (TOMs) documented
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access control via RBAC (6-role hierarchy)
  • Incident notification SLA: 72 hours from discovery
  • Audit right: annual assessment or upon incident
Request DPA: Enterprise customers can request a signed Data Processing Agreement template. Contact via the contact form with reference trust-dpa or email security@k0nsult.cloud. We respond within 2 business days.
Section 04

Security FAQ

Answers to the most common InfoSec due diligence questions.

All customer data is stored exclusively in the European Union. Primary datacenter is Frankfurt, Germany (Fly.io eu-central region). Failover capacity is available in Amsterdam, Netherlands (Fly.io eu-west region). No data is transferred or replicated outside the EEA. PostgreSQL databases run on encrypted volumes with AES-256 at rest. Data residency is guaranteed at the contractual level in our DPA.

In transit: TLS 1.3 is enforced on all connections. TLS 1.0 and 1.1 are disabled. Certificates are issued by Let's Encrypt with automatic renewal. HSTS is enforced (max-age 1 year, includeSubDomains).

At rest: PostgreSQL data volumes are encrypted using AES-256. Fly.io machine volumes use encrypted block storage. Database credentials and application secrets are stored as Fly.io secrets (never in source code or config files).

Not yet. SOC 2 Type II certification is planned for Q3 2026. We are transparent about this. In the meantime:

  • All Trust Service Criteria (TSC) controls are mapped
  • Evidence collection is active across all control areas
  • Audit trail, access controls, incident response, and change management are documented and operational
  • A self-assessment questionnaire is available on request

To request our current security posture documentation, contact security@k0nsult.cloud.

K0nsult follows a 5-phase Incident Response procedure:

  • Detect — Automated monitoring, health checks, audit log anomaly detection
  • Contain — Isolate affected systems, revoke compromised credentials, block attack vectors
  • Eradicate — Remove root cause, patch vulnerability, update configurations
  • Recover — Restore from clean state, verify integrity, resume operations
  • Review — Post-mortem required for Critical/High incidents, lessons learned documented

Affected data controllers are notified within 72 hours of a confirmed breach, meeting GDPR Art. 33 obligations. Response SLAs: Critical <1h, High <4h, Medium <24h, Low <72h.

Annual third-party penetration testing is planned as part of the SOC 2 preparation program. Current security testing includes:

  • Continuous dependency vulnerability scanning (npm audit, Snyk)
  • SAST (Static Application Security Testing) via CI/CD pipeline
  • DAST (Dynamic Application Security Testing) — planned
  • Manual code review for security-sensitive changes

Results of penetration testing will be shared under NDA with enterprise customers upon request.

All secrets are managed following a zero-secrets-in-code policy:

  • Application secrets stored as Fly.io encrypted secrets (environment variables at runtime)
  • No secrets committed to version control — enforced via pre-commit hooks and .gitignore
  • Database credentials use separate service accounts per environment
  • JWT signing keys rotated on a defined schedule
  • API keys for third-party services are scoped to minimum required permissions
  • Secret rotation policy documented; rotation tested quarterly

Database backups are automated and tested:

  • Frequency: Daily automated backups of all PostgreSQL databases
  • Retention: 30-day rolling backup retention
  • Testing: Backup restoration tested quarterly
  • Encryption: Backup volumes encrypted at rest (AES-256)
  • RTO target: <4 hours for full service restoration
  • RPO target: <24 hours (daily backup cadence)

Full backup and restore documentation is available at /governance/backup-restore.html.

Google OAuth2 and SAML 2.0 are live on all plans. SCIM provisioning is planned for Q2 2026:

  • Google OAuth2 / OpenID Connect: LIVE (all plans)
  • Azure Active Directory: LIVE via SAML 2.0
  • SAML 2.0: LIVE (Azure AD, Okta)
  • SCIM 2.0: Planned Q2 2026 — currently manual provisioning
  • MFA/2FA: TOTP available on all accounts; SSO-enforced MFA on Enterprise

Contact kontakt@k0nsult.cloud to configure your identity provider integration.

SLA targets by plan:

  • Enterprise: 99.9% monthly uptime SLA (contractual)
  • Professional: 99.5% target (best-effort)
  • Starter: No SLA

Current platform status is available at /status.html. The /health endpoint returns a minimal status: {ok: true, status: 'healthy'}. Infrastructure runs on 3 machines in 2 EU data centers with auto-failover. Scheduled maintenance windows are announced 48 hours in advance via email and status page.

Yes. K0nsult can complete standard vendor security questionnaires including:

  • CAIQ (Cloud Security Alliance Consensus Assessment)
  • SIG Lite (Shared Assessments Standard Information Gathering)
  • Custom InfoSec questionnaires provided by your organization

Please submit your questionnaire template via the contact form with reference trust-security or email security@k0nsult.cloud. Typical turnaround is 5 business days.

Section 05

AI Governance FAQ

Specific controls for AI systems operated on K0nsult. Relevant for EU AI Act compliance, enterprise AI procurement, and internal AI governance reviews.

K0nsult maintains an AI system inventory with risk classification aligned to the EU AI Act framework:

  • Prohibited: Systems in prohibited categories are blocked at policy engine level
  • High-risk: Mandatory human approval, full audit trail, explainability required
  • Limited risk: Transparency obligations enforced (user disclosure)
  • Minimal risk: Standard governance controls apply

All 2,000+ registered agent profiles include a risk classification field in the Agent Registry. Risk classification is reviewed and updated as EU AI Act guidance is published.

Human oversight is enforced through a multi-level approval workflow system:

  • Level A: Automatic execution — minimal risk, read-only actions
  • Level B: Notification-only — single reviewer informed post-execution
  • Level C: Pre-approval required — action queued until approved by authorized role
  • Level D: Multi-party approval — requires sequential or parallel sign-off by multiple roles

Break-glass procedures allow emergency override with mandatory post-incident review and audit record. All overrides are logged with actor identity, timestamp, and justification.

K0nsult maintains a comprehensive, tamper-evident audit trail for all AI agent actions:

  • Full execution replay capability — every step can be reconstructed
  • Evidence packs generated per execution run with SHA-256 artifact hashing
  • Governance score (A–D rating) computed per execution based on control adherence
  • Policy snapshot captured at execution time — proves what policy was active
  • Timeline: actor, action, target, timestamp, policy result, approval chain
  • Export formats: JSON (API), PDF evidence report (print-ready)

Evidence packs are suitable for regulatory submission and compliance audits. Retention: 7 years by default.

Agent permissions are enforced at multiple layers:

  • RBAC integration: Agents inherit permissions from the role under which they operate
  • Tool permission boundaries: Each agent profile defines allowed and prohibited tool categories
  • Execution caps: Per-agent rate limits and concurrency limits
  • Outbound allowlists: Network egress restricted to approved endpoints per connector policy
  • Connector-level policies: Each integration has its own allow/deny action matrix
  • Policy engine: Pre-execution evaluation on every agent action before it proceeds

Yes. K0nsult maintains a comprehensive AI System Inventory (Agent Registry) containing:

  • 2,000+ registered agent profiles across 55+ specialization packs
  • Capability taxonomy per agent (tools, domains, risk classification)
  • Deployment status (registered / active / deprecated)
  • EU AI Act risk category per agent
  • Oversight level requirements
  • Last-updated and version history

The registry is accessible via API (GET /api/agents) for enterprise tenants. A human-readable directory is available at /docs/agents_all.html.

Bias and fairness controls are integrated into the governance engine:

  • Monitoring: Output monitoring for anomalous patterns and distributional shifts
  • Policy engine: Automated checks can flag potential bias conditions pre-execution
  • Incident management: Bias-related incidents are tracked with severity classification
  • Human review: Bias incidents trigger mandatory human review before system continues
  • Model transparency: Tenants can inspect agent capability definitions and constraint sets

K0nsult does not operate its own foundation models. For third-party model integrations (Claude, GPT, etc.), we rely on provider bias controls and supplement with application-layer monitoring.

K0nsult builds transparency into every layer of AI governance:

  • Explainability module: Decision rationale logged for every policy evaluation
  • Decision logs: Full chain from trigger to outcome, including policy matches
  • Policy simulation: Test what any policy would decide against hypothetical input, without executing
  • User-facing disclosures: AI-generated content is labeled where applicable
  • Governance score: A–D rating on evidence packs shows adherence level
  • Public Trust Center: This page — permanent public disclosure of controls and limitations

Yes. K0nsult supports enterprise AI literacy and compliance programs through:

  • Training materials and documentation integrated into the platform
  • Compliance evidence generation — automated packs suitable for training records
  • Governance dashboard with role-specific views for non-technical stakeholders
  • Policy simulation tool for governance training scenarios
  • Onboarding flows covering AI governance obligations per role

Enterprise customers can request bespoke AI governance training materials tailored to their sector. Contact kontakt@k0nsult.cloud.

Claims Matrix

Claims-to-Proof Matrix

Every major claim on this site mapped to its status, evidence type, and availability. Updated: April 2026.

Claim | Status | Evidence type | Availability
Policy engine enforces rules before execution | ● LIVE | Code + API demo | Public / on request
Immutable audit trail with SHA-256 evidence export | ● LIVE | API response + export demo | Public / demo session
Multi-level approval queue with SLA tracking | ● LIVE | API + workflow demo | Public / demo session
RBAC with 6 roles, per-endpoint enforcement | ● LIVE | Code + API docs | Public
Google OAuth SSO + TOTP 2FA | ● LIVE | Auth flow demo | Public / demo session
EU hosting — Frankfurt / Warsaw region | ● LIVE | Fly.io region config | Public
Daily encrypted backups, 30-day retention | ● LIVE | Restore test report | NDA
Incident response — 72h GDPR Art.33 notification | ● LIVE (process) | Policy doc | Public (this page)
TLS 1.3 encryption in transit | ● LIVE | SSL Labs / headers | Public (verifiable)
AES-256 encryption at rest | ● LIVE | Infra config | NDA
SAML 2.0 SSO | ⚡ Enterprise plan | Config on request | Enterprise only
SCIM automated provisioning | 🔜 Planned Q3 2026 | Not yet available
SOC 2 Type II certification | 🔜 Planned Q3 2026 | Controls self-assessment now | NDA (self-assessment)
ISO 27001 / ISO 42001 certification | 🔜 Planned Q3–Q4 2026 | Not yet available
Third-party penetration test | 🔜 Scheduled Q2 2026 | Report post-test | NDA post-test
Last updated: April 2026  ·  Next review: July 2026  ·  Full extended matrix + evidence package: security@k0nsult.cloud
Section 06

Control Matrix

Mapping of all active security and governance controls to their evidence source and current operational status.

Control Area | Control | Evidence | Status
Access Control | JWT + RBAC (6-role hierarchy) | Auth logs, role assignment records, per-endpoint permission matrix | Active
Encryption | TLS 1.3 in transit + AES-256 at rest | Certificate records (Let's Encrypt), encrypted volume configuration | Active
Logging | Centralized audit trail, SHA-256 integrity | Log exports via /api/audit, event replays, SIEM-ready JSON format | Active
Change Management | Versioned deployments, tagged releases | Git commit history, Fly.io deploy logs, release tags | Active
Incident Response | 5-phase IR procedure documented | Incident records, severity classification, SLA tracking, post-mortems | Active
Business Continuity | Primary runtime: Frankfurt (EU-FRA). Failover capacity: Amsterdam (EU-AMS). No contractual multi-region active-active. Auto-failover on health check failure. | Health check (/health — minimal status), uptime dashboard, failover test logs | Active
Data Protection | GDPR controls, Art. 17 erasure, Art. 20 export | Privacy policy, DPA template, deletion SLA records, export endpoint | Active
Vulnerability Mgmt | Dependency scanning, SAST in CI/CD | npm audit reports, Snyk scan outputs, CI pipeline logs | Planned (DAST)
Agent Governance | Policy engine + evidence packs + AI registry | Governance packs (SHA-256), policy evaluation logs, agent registry exports | Active
Third-Party Risk | Sub-processor register, vendor reviews | Sub-processor list (this page), Fly.io + Stripe compliance documentation | Active
Section 07

Data Retention Schedule

Retention periods by data type, aligned to GDPR storage limitation principle and applicable regulatory obligations.

Data Type | Retention Period | Legal Basis
Application logs | 90 days | Operational necessity — diagnostic and security monitoring
Audit trail / evidence packs | 7 years | Legal and regulatory obligation — compliance evidence requirement
User account data | Account lifetime + 30 days | GDPR Art. 17 — erasure on account closure after 30-day cooling period
Incident records | 5 years | Compliance obligation — security incident documentation requirements
Automated backups | 30 days rolling | Disaster recovery policy — continuous rolling backup window
Session / authentication data | 24 hours | Security policy — short-lived tokens, session binding limits
Financial / billing records | 7 years | Tax and accounting regulations (EU member state laws)
DSAR request records | 3 years | GDPR accountability principle — demonstration of compliance
Configurable retention: Enterprise customers can configure custom retention periods per data category within the bounds of legal minimums and maximums. Contact security@k0nsult.cloud to review your tenant retention configuration. Automated purge is triggered by the retention engine based on data classification tags.
Section 08

Incident Response Summary

5-phase incident response procedure. Post-mortem required for all Critical and High incidents.

Phase 1
Detect
Automated monitoring, health checks, anomaly detection, user/team report
Phase 2
Contain
Isolate affected systems, revoke credentials, block attack vectors, preserve evidence
Phase 3
Eradicate
Remove root cause, apply patches, update configurations, validate clean state
Phase 4
Recover
Restore from clean backup, verify integrity, resume operations, monitor closely
Phase 5
Review
Post-mortem (mandatory Critical/High), lessons learned, control improvements

Response Time SLAs

Critical
< 1 hour
Complete service outage, data breach, active exploitation. Immediate all-hands response.
High
< 4 hours
Significant degradation, potential data exposure, authentication bypass. Senior engineer engaged.
Medium
< 24 hours
Partial feature outage, non-critical vulnerability, performance degradation exceeding SLA.
Low
< 72 hours
Minor issues, cosmetic bugs, informational findings. Addressed in normal sprint cycle.
Communication: Incident status is published on the status page and communicated to affected tenants via email. Data controllers are notified within 72 hours of a confirmed personal data breach in compliance with GDPR Art. 33. Post-mortems for Critical/High incidents are shared with affected enterprise customers under NDA on request.
Section 08

Security Testing Coverage

Transparency about what has been tested, how, and when. Updated quarterly.

Test type | Status | Last run | Frequency | Evidence
SAST (Static Analysis) | ● LIVE | Every deploy | CI/CD pipeline | Internal log
Dependency vulnerability scan | ● LIVE | Every deploy | CI/CD + npm audit | Internal log
Secrets scan (leaked credentials) | ● LIVE | Every commit | Pre-commit hook | Internal log
E2E functional tests (Playwright) | ● LIVE | Every deploy | Post-deploy suite | Internal log
Backup restore test | ● LIVE | Q1 2026 | Quarterly | Available under NDA
DAST (Dynamic Analysis) | ⚡ IN PROGRESS | Planned quarterly
Third-party penetration test | 🔜 SCHEDULED | Scheduled Q2 2026 | Annual | Report under NDA post-test
SOC 2 Type II audit | 🔜 PLANNED | Target Q3 2026 | Annual | Certificate post-audit
Why we publish this: Transparent security testing status is a core governance principle. We disclose what is tested, what is planned, and what gaps remain — so your InfoSec team can make informed decisions. Evidence reports for completed tests are available under NDA on request: security@k0nsult.cloud
Section 09

Architecture Overview

Request and data flow from client to data store. Every layer enforces a distinct security boundary.

// ── K0NSULT ARCHITECTURE — SECURITY & GOVERNANCE LAYERS ────────────────────────────────
//                                                                                        
//  Each layer is a discrete security and governance boundary.                           
//  No layer can be bypassed; all paths converge on the audit logger.                    
//                                                                                        

  [ Client Browser / Enterprise API Consumer / Mobile ]
                              │
                              │  HTTPS / TLS 1.3 (enforced, no downgrade)
                              ▼
  [ Fly.io Edge — Frankfurt (primary) + Amsterdam (failover) ]
                              │  DDoS mitigation, TLS termination, edge routing
                              │  3 machines, auto-scaling
                              ▼
  [ Rate Limiter ] ────────────────────────── API: 500 req/15min
                              │               Static: 5000/15min
                              │               Auth: 10 req/15min
                              ▼
  [ Authentication Gateway ] ──────────────── JWT validation
                              │               Token expiry check
                              │               TOTP 2FA, Google SSO
                              │               SAML 2.0 (Azure AD, Okta) LIVE
                              ▼
  [ RBAC Middleware ] ─────────────────────── 6 roles: Owner→Guest
                              │               Per-endpoint matrix
                              │               Tenant-scoped access
                              ▼
  [ Policy Engine ] ───────────────────────── Pre-execution eval
                              │               block/warn/approve/escalate outcomes
                              │               Configurable per tenant
                              ▼
  [ Route Handler / Business Logic ] ──────── Input validation
          │                   │               Sanitization
          │                   │
          ▼                   ▼
  [ Governance Engine ]    [ Agent Registry ]
     Approval queues           2,000+ profiles
     Evidence packs            Skill marketplace
     Incident mgmt             Capability matching
          │                   │
          ▼                   ▼
  [ Audit Logger ] ────────────────────────── Append-only log
                              │               actor/action/target/ts
                              │               SHA-256 integrity hash
                              │               7-year retention
                              ▼
  [ PostgreSQL — EU Only ] ────────────────── AES-256 at rest
                                              Row-Level Security (RLS)
                                              Per-tenant isolation
                                              Frankfurt + Amsterdam

// ── SECURITY HEADERS ON ALL RESPONSES ──────────────────────────────────────────────────
//
//  Strict-Transport-Security:  max-age=31536000; includeSubDomains
//  Content-Security-Policy:    nonce-based (migration in progress)
//  X-Frame-Options:            DENY
//  X-Content-Type-Options:     nosniff
//  Referrer-Policy:            strict-origin-when-cross-origin
//  Permissions-Policy:         camera=(), microphone=(), geolocation=()
Enterprise Due Diligence

Ready to Start Your Compliance Review?

Download the DPA template, request a completed security questionnaire, or schedule a compliance review call with our security team. We respond within 2 business days.

Email: security@k0nsult.cloud

Compliance & Security Posture
  • GDPR: DPA Available
  • SOC 2: Roadmap Q2 2026
  • EU AI Act: Controls Mapped
  • TLS 1.3: In Transit Encryption
  • AES-256: At Rest Encryption
All certifications and compliance statuses are documented with evidence in our Proof Pack. Enterprise customers receive custom compliance packages on request.