Trust center

Security & compliance, engineered in.

Kumago signs off on your clients' NIS2 reports. We hold ourselves to the same standard we help you deliver, and publish the evidence.

Certifications

Verified by independent auditors.

Our certifications validate the strength of the platform. When you tell a client "Kumago handles this," the evidence is on file.

Certified
ISO 27001
Independent validation of our Information Security Management System, covering people, processes, and infrastructure.
Certified 2025 · annual surveillance audit

Aligned
GDPR
We process personal data under EU GDPR. Data processing agreement available on request. All data hosted in the EU.
Hosted in Frankfurt · DPA on request

In progress
SOC 2 Type II
Annual independent audit of controls across security, availability, confidentiality, and privacy. Type II report targeted for Q3 2026.
Target report · Q3 2026

Architecture

Security engineered into every layer.

We didn't bolt this on later. From key custody to access control, the controls below are how Kumago is built, not how it's configured.

Encrypted end to end
TLS 1.2+ in transit, AES-256 at rest. Encryption keys rotated automatically; HSM-backed key custody.

Access & identity
MFA enforced for every account. SSO/SAML on demand. Role-based access with least-privilege defaults.

EU-only infrastructure
Hosted on AWS Frankfurt inside an isolated VPC. No data leaves the EU. Daily backups, multi-AZ failover.

Tested by outsiders
Annual third-party penetration tests, continuous vulnerability scanning, and a responsible disclosure programme.

Privacy

Privacy built in, not policed on top.

GDPR, CCPA, and HIPAA-style obligations are baked into the data model, not a checkbox layered over it. Your clients can prove compliance because we already do.

Data minimization

We only process the data needed to deliver the service. No marketing-grade tracking on client data.

User rights

Access, correction, and deletion requests are honoured within statutory timelines and audited end to end.

Transparent processing

Documented purposes, lawful bases, and sub-processor inventory, published and kept current.

Operations

Continuous monitoring. Continuous improvement.

Security isn't a launch milestone. It's the operating cadence: testing, training, auditing, repeating.

Continuous monitoring

Security telemetry from every layer, 24/7 alerting, on-call escalation paths documented.

Security training

Every team member completes onboarding and annual security training, including phishing simulation exercises.

Independent audits

Third-party assessors review controls each year. Findings tracked to closure inside our own platform.

Got a security or privacy question? Our team replies inside one business day.

Security desk

Talk to the team behind the controls.