Security

We're an early-stage company
holding sensitive data. We take that seriously.

Kumo is built with privacy and security as first-order design constraints, not a checkbox project we run before each big deal. This page is an honest summary of what's live today, what's in progress, and what we'll happily put in writing.

Report a vulnerability Request security overview
GDPR alignment
UK ICO registered

We follow GDPR by design. DPA available on request.

SOC 2 Type I
In progress · target Q4 2026

Currently in observation window with our auditor.

SOC 2 Type II
Planned · post Type I

Will follow Type I; 12-month observation thereafter.

Independent pen-tests
Annual · most recent Mar 2026

Summary report available under NDA on request.

Controls in production today

What we already do, without asterisks.

Everything below is live for every customer on every plan. We'll happily walk through any of it on a call, share architecture diagrams under NDA, or take a security questionnaire.

Encryption

Data is encrypted at rest and in transit, end-to-end, across the platform.

  • AES-256 at rest (database, blobs, backups)
  • TLS 1.3 in transit, HSTS preloaded
  • Customer-managed keys planned for enterprise

Authentication

Strong auth by default, with enterprise options on higher plans.

  • Google & Microsoft SSO on every plan
  • SAML and SCIM on Operate and Global
  • TOTP/Hardware-key MFA available

Access & permissions

Role-based access control down to the field, with sensitive-action approvals.

  • Standard & custom RBAC roles
  • Field-level permissions for sensitive data
  • Time-bound elevation for support access

Audit log

Every action, every API call, every approval is logged immutably.

  • Append-only event log, retained 7 years
  • Searchable & exportable to your SIEM
  • Webhooks for real-time forwarding

Data residency

Choose where your tenant lives, and we keep it there.

  • EU (Frankfurt) and UK (London) regions live
  • US (Virginia) region for US customers
  • APAC region in private beta

Tenant isolation

Customer data is isolated at the application and storage layer.

  • Row-level isolation enforced in code & database
  • Dedicated tenant IDs on every record
  • Separate encryption keys per tenant

Backups & resilience

Multi-region backups and tested restores, not just nightly snapshots.

  • Point-in-time recovery to any second, last 35 days
  • Cross-region replication for primary stores
  • Restore drills run quarterly

Vulnerability management

External pen-tests, internal scanning, and a dedicated security on-call.

  • Annual third-party pen-test (last: Mar 2026)
  • Daily dependency & container scans
  • Critical CVE remediation SLA: 7 days

Uptime & resilience

Public status page, real incident comms, sensible targets.

  • Target 99.9% across the platform today
  • Status page with sub-component health
  • Formal SLA on Global / enterprise contracts
AI & data use

Your data trains nothing but your own answers.

Kumo AI is the most-asked-about part of our security posture. The short version: your data stays yours, the model only sees what your asking user is allowed to see, and every AI action is logged and reversible.

Not used for training

Your prompts and your data are used to answer your queries, full stop. They are not used to train Kumo's models or any third-party model.

Permission-aware retrieval

The AI retrieves only records the asking user is allowed to see, evaluated against the same RBAC layer as the rest of the platform.

Cited & explainable

Every AI answer cites the records it pulled. Every AI action explains its reasoning in plain language and surfaces what it changed.

Reversible by default

Any AI action can be rolled back in one click. Critical actions (pay changes, terminations) always require explicit human approval.

Subprocessors

Who else touches your data.

A current, honest list of every vendor we use to deliver Kumo. We'll notify you in writing before adding any new subprocessor that processes customer data.

Provider
Purpose
Hosting region
Amazon Web Services
Primary cloud hosting & storage
EU · UK · US · APAC
Cloudflare
CDN, DDoS, edge WAF
Global
Stripe
Billing & subscription management
EU · US
Anthropic
LLM inference for Kumo AI (no training)
EU · US
Postmark
Transactional email delivery
US (EU residency available)
Linear
Internal issue tracking (metadata only)
EU
Datadog
Observability & logging
EU

Last updated 26 May 2026. Want the change-log? Ask security@kumohr.com to add you to the subprocessor notification list.

Responsible disclosure

Found something? Tell us, please.

We treat security researchers as collaborators. If you've found a vulnerability, please report it via the channels below. We respond within one business day and won't take legal action for good-faith research.

Report a vulnerability in writing.

We accept reports via PGP-encrypted email or our HackerOne program. We'll acknowledge receipt within one business day, triage within three, and tell you what we're doing about it within ten. Hall-of-fame credit for valid reports; bounties for impactful ones.

@
security@kumohr.com

PGP key: 0xA1F0 3E92 …

Email
HackerOne program

Private invite available on request

Request invite
Trust documentation

DPA · sub-processor list · pen-test summary

Request

Want to go deeper?

Pen-test summaries, architecture diagrams, security questionnaire responses, all available on request.

Talk to our security team Download trust pack