We're a small EU-hosted team running real customer data. We don't have SOC 2 yet — and we're not going to lie about it. Here's what we actually do.
What we do is practical and verifiable. If your procurement team needs details, our DPA covers them.
TLS 1.3 in transit. AES-256 at rest for both Postgres and S3 attachments — keys managed in AWS KMS.
Argon2id for password hashes. Optional TOTP 2FA on every account. SAML / OIDC SSO available on Team and Business plans.
Daily encrypted snapshots. 30-day retention. Monthly restore tests run by the on-call engineer — not just a cron that nobody verifies.
Two-tier admin (org and project). Tamper-evident audit log on every Team plan. IP allowlists on Business.
Security researchers welcome. We respond within 48 hours, fix within the quarter, and credit you publicly when patched.
GDPR-aligned, EU-hosted (Frankfurt). DPA available on demand. SOC 2 Type II is on our 2026 roadmap — happy to share progress under NDA.
The third parties we share customer data with. We update this table whenever we add or remove one — subscribe via your workspace admin to get notified.
| Service | Purpose | Region | Since |
|---|---|---|---|
| AWS Frankfurt | Application hosting + S3 attachments | eu-central-1 | 2024-08 |
| SendGrid | Transactional email (verify, reset, invites) | EU pool | 2024-08 |
| Stripe | Payment processing & customer portal | EU + US | 2024-09 |
| Sentry (EU) | Application error monitoring (no PII) | EU | 2025-01 |
Email security@kagama.io — encrypted with the GPG key below. We acknowledge within 48 hours, ship a fix within the quarter, and credit you publicly once patched.