Built to be audit-grade.

KAPITAH® protects financial data with audit-grade controls: encryption in transit and at rest, role-based access, tenant isolation, immutable audit trail, and continuous monitoring. Security is a product requirement, not a checkbox.

• TLS 1.2+ for all data in transit, with HSTS enforced on every public endpoint.
• AES-256 for data at rest, including database, backups, and file storage.
• Application secrets stored in a managed secrets vault with restricted access.

• Role-based access inside the product with segregation-of-duties checks.
• SAML SSO and SCIM on Enterprise plans.
• Internal access is least-privilege, MFA-enforced, and logged.
• Production access is reviewed quarterly and revoked on role change.

Each customer's data is logically isolated by tenant identifier at the database row level, enforced by row-level security policies. AI features run scoped to the current tenant only — there is no cross-tenant retrieval.

Every financial mutation in the Service is recorded with actor, timestamp, before / after state, and request context. Audit records are append-only and cannot be edited from the application surface, including by admins.

• Continuous point-in-time backups with a 35-day retention window.
• Restores rehearsed quarterly.
• Target recovery time objective (RTO): 4 hours. Target recovery point objective (RPO): 5 minutes.

The Service runs on SOC 2 / ISO 27001-certified cloud infrastructure in the United States and the European Union. Network access is restricted via private networking and managed perimeter controls.

• Mandatory code review and CI-enforced static analysis on every change.
• Dependency scanning with automated security upgrades.
• Annual third-party penetration testing; summary letters available under NDA.
• Bug bounty: report vulnerabilities to security@kapitah.com.

AI requests are scoped to the requesting tenant and the requesting user's role. We do not send Customer Data to model providers for training. Prompts and completions are logged for abuse detection and retained for 30 days, then deleted.

We operate a 24/7 on-call rotation. Confirmed incidents that affect Customer Data are communicated to affected customers within 72 hours, with a written post-incident report once the root cause is established.

KAPITAH® uses a small number of sub-processors for hosting, email delivery, payments, error monitoring, and AI inference. A current list is available on request from security@kapitah.com. We give 30 days' notice before adding a new sub-processor that processes Customer Data.

SOC 2 Type II is in progress; reports are available under NDA upon request. The platform supports customer obligations under GDPR, UK GDPR, and CCPA via our Data Processing Addendum and in-product data export and deletion tooling.

Email security@kapitah.com. We acknowledge reports within one business day and do not pursue legal action against good-faith researchers who follow responsible disclosure.