Security at Kota

At Kota, we are dedicated to providing world-class data protection standards to ensure your data's safety and compliance with regulatory requirements. Below, you will find detailed information on our security approach. For further inquiries, contact us at security@kota.io.

You can visit our trust center to request copies of our policies, our ISO audit report and view our real-time controls monitoring. 

Highlights

- Hosted in the EU

- ISO27001:2022 compliant

- GDPR compliant

- Multi-layer encryption

- PCI compliant payments

EU Hosted Infrastructure

Our infrastructure is hosted on servers within the European Union, enabling us to meet the specific regulatory and compliance needs of European organisations. We utilise Microsoft Azure, which holds multiple certifications, including ISO 27001, SOC 1, SOC 2, SOC 3, HIPAA, GDPR and more. All data is encrypted both in transit and at rest with strong encryption (AES256).

ISO27001:2022 Compliance

Kota has completed its ISO27001:2022 audit, validating the effectiveness of our security processes and controls. Our approach to product design, architecture, automated monitoring, and formal policies ensures our security posture remains up-to-date.

GDPR Commitment

Kota is committed to complying with the General Data Protection Regulation (GDPR) and assisting our customers in achieving compliance.

Data Centre Security

Our hosting environment is fully redundant and includes disaster recovery procedures. Our cloud hosting providers, including Google Cloud Platform, maintain several certifications for their data centers, such as ISO 27001, PCI certification, and SOC. More information on their certifications and compliance can be found on the Google Cloud Platform security site.

Data Backups

We perform daily automated backups of our databases to ensure data safety and availability.

Log Collection

We maintain detailed logs to provide a high-resolution trail of actions performed across the platform, aiding in incident investigations if needed.

Communication

All user data is securely transported with encryption in transit via SSL, protecting it from unauthorised access, modification, and man-in-the-middle attacks. We employ 256-bit SSL/TLS 1.3 encryption, using both ECDSA and RSA algorithms.

Multi-Layer Encryption

Beyond standard encryption in transit and at rest (AES256), we also utilise at-work encryption in our database. This ensures sensitive data remains encrypted during database operations, protecting it from exposure during maintenance and service activities.

Debit and Credit Cards

Kota partners with Stripe for payment card processing, ensuring we do not store any credit card information. Stripe meets PCI Service Provider Level 1 standards, using AES256 encryption at rest, which is the highest certification available in the payments industry.

Employee Access is controlled and regularly reviewed

Access to customer data is strictly limited and audited. Only necessary personnel can access the system, and multiple layers of controls are in place. Access sessions require valid consent or justification and are subject to an auditing access path.

Data Breach Disclosure

In the event of a data breach involving personal data, we will promptly notify the local authority and the affected individuals (data subjects).

Processing of Company Personal Data

Kota complies with all applicable Data Protection Laws when processing Company Personal Data, ensuring data is processed only according to the relevant Company's documented instructions.

Software Updates

Automated systems monitor the versions and vulnerabilities of all code powering Kota. Our infrastructure is continuously updated to the latest, most secure software versions.

Automated Tests

Extensive automated tests are run after each code change to verify the correctness of Kota features, including authentication and the permission system.

HTTP Strict Transport Security

Our application enforces HTTPS for all requests, securing all traffic in transit and protecting against protocol downgrade attacks.

Security Headers

We use a range of security headers, including X-Frame-Options, X-XSS-Protection, and Content-Security-Policy, to mitigate common security issues.

Reporting Security Issues

If you discover a vulnerability in Kota or have a security incident to report, please contact us at security@kota.io.

By submitting a report, you agree not to disclose your findings or submission contents to third parties without Kota’s prior written approval. Detailed and quality reporting, including a working proof of concept, is essential to us.