Security as a precondition, not a feature.
Borrowers trust you with their most sensitive documents — IDs, payslips, bank statements, tax filings. We treat that trust as our highest obligation. Built from day one for regulated lenders in Mexico, Singapore, Indonesia, and the United States.
ISO 27001
International standard for information security management systems. Risk assessment, security controls, continuous improvement. Engagement letter available on request.
SOC 2 Type II
Independent audit of security, availability, and confidentiality controls over a sustained observation period. Engagement letter available on request.
The foundation, not a finishing layer.
Controls layered from the network edge to the disk. Defaults are strict; exceptions are deliberate, scoped, and logged.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. Document data encrypted before it touches disk. Keys rotated automatically and stored in a managed key service with split-knowledge access.
Identity & access
SSO via SAML 2.0 (Okta, Azure AD, Google Workspace) on Enterprise. MFA enforced for all human access. Role-based permissions, scoped API keys per environment, session timeouts.
Network security
Private VPC networking, no public ingress to compute. Edge WAF and DDoS protection in front of every public endpoint. Egress allowlists for outbound traffic.
Tenant isolation
Strict logical separation between customer environments. No data, compute, or model context shared across tenants. Dedicated environments available on Enterprise.
Audit logging
Every document processed, every field extracted, every decision made — logged with timestamps, user, and request ID. Logs streamable to your SIEM. Tamper-evident, retained 12+ months.
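The page says audit logs are tamper-evident but does not show a mechanism. The block below is an added illustration of one common way to get that property (not Kita's code, and nothing here is known about their implementation): each entry's hash covers the previous entry's hash, so editing or removing an entry breaks every link after it, and anchoring the latest hash outside the log (for example, in the SIEM the logs stream to) also catches truncation of the tail. The events and field names are constructed for the example.

```python
import hashlib
import json

# Constructed sample events. The fields mirror what the page says is logged
# (timestamp, user, request ID) plus the action taken; values are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T10:00:00Z", "user": "analyst@example.com",
     "request_id": "req-0001", "action": "document.processed", "doc": "doc-1"},
    {"ts": "2024-01-15T10:00:02Z", "user": "analyst@example.com",
     "request_id": "req-0001", "action": "field.extracted", "field": "net_income"},
    {"ts": "2024-01-15T10:00:05Z", "user": "svc-decision@example.com",
     "request_id": "req-0001", "action": "decision.made", "result": "refer"},
]

GENESIS = "0" * 64  # hash "before" the first entry


def canonical(event):
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, event):
    """SHA-256 over the previous entry's hash and this event's canonical form."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(chain, event):
    """Append an event, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev,
                  "hash": entry_hash(prev, event)})
    return chain


def build_chain(events):
    chain = []
    for event in events:
        append(chain, event)
    return chain


def head_hash(chain):
    """The value to anchor outside the log (e.g. forward it to the SIEM)."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain, expected_head=None):
    """Return (ok, index). On failure, index is the first entry that does
    not link correctly; for a bad head anchor it is len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo():
    """Exercise the three tampering cases: edit, delete, truncate."""
    chain = build_chain(SAMPLE_EVENTS)
    anchor = head_hash(chain)

    # Edit one field in a copy of entry 1; its stored hash no longer matches.
    edited = [dict(e) for e in chain]
    edited[1]["event"] = dict(edited[1]["event"], user="someone-else@example.com")

    # Remove the middle entry; entry 2's prev_hash no longer matches entry 0.
    dropped = chain[:1] + chain[2:]

    # Drop the last entry; links are intact, only the external anchor notices.
    truncated = chain[:-1]

    return {
        "intact": verify(chain, anchor),
        "edited": verify(edited, anchor),
        "dropped": verify(dropped, anchor),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The truncation case is the one to remember when evaluating any "tamper-evident" claim: a hash chain alone cannot tell a log that was cut short from one that simply stopped, so the head hash has to be recorded somewhere the log writer cannot rewrite.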
Data residency
Region-pinned in our active markets — United States, Mexico, Singapore, Indonesia. Your data stays in the region you pick. Cross-region replication only with your explicit opt-in.
The code path is part of the threat model.
Vulnerabilities are easier to prevent than to remediate. We bias the development process toward catching issues before they ship.
Threat-modeling on every new surface. Mandatory peer review and security review for changes touching auth, encryption, or data egress. Branch protection on every repo.
Automated SAST runs on every pull request. Dependency vulnerability scanning blocks known CVEs from shipping. Container images scanned at build and at runtime.
No long-lived credentials in code. All secrets vaulted, accessed via short-lived tokens, rotated on a fixed schedule and immediately on personnel changes.
Locked dependency manifests, signed builds, and reproducible CI. SBOM available on request. Third-party libraries reviewed before introduction.
Encrypted at every step. Retained only as long as you say.
You set retention. Defaults can be same-day purge. Deletion propagates to backups within the window in your DPA.
Documents arrive via API, portal, or SDK over TLS 1.3. Pre-signed URLs scoped to a single upload, never reusable.
Vision-language models read documents inside isolated, single-tenant compute. No cross-tenant context, no shared memory.
Structured fields, qualitative reads, and fraud signals returned to your stack. Outputs encrypted in transit and at rest.
Documents and outputs retained only as long as your contract specifies. Default retention is configurable per environment, including same-day purge.
On retention expiry, contract end, or written request, data is purged from primary storage and backups within the timelines in your DPA.
Your data is yours. We process it; we don't repurpose it.
Contractual commitments and operational defaults that match the privacy regimes our customers answer to.
Data Processing Addendum
A DPA is available before signing. Defines roles (controller / processor), security obligations, sub-processing, and data-subject rights handling.
Cross-border transfers
Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms available where customer data crosses jurisdictions.
Data subject requests
Access, rectification, deletion, and portability requests routed through your nominated controller and answered within statutory windows.
No secondary use
Customer documents and extracted data are used only to deliver your contracted services. Never sold. Never shared. Not repurposed for any other product or model.
The third parties that touch the platform.
Each subprocessor is bound by a written agreement that mirrors our obligations to you. The full named list, including regions and purpose, is available on request.
Material changes to this list are communicated in advance. Customers under contract may object to a new subprocessor with cause.
We plan for the bad day before it happens.
Resilience drills run on a documented cadence. When something does go wrong, the playbook is already written.
Encrypted backups taken on a fixed cadence with point-in-time recovery for primary data stores. Restoration tested on a documented schedule.
Multi-AZ architecture by default. Regional failover playbooks exercised regularly. RPO and RTO targets documented in our DPA.
Documented IR plan with severity levels, on-call rotation, and escalation paths. Affected customers notified without undue delay — typically within 72 hours of confirmed impact — with scope, timeline, and remediation.
Annual third-party penetration tests, summary report available under NDA. Continuous internal scanning. Responsible disclosure: email security findings to support@usekita.com.
The strongest control is who has access.
Vetting, training, and least-privilege access apply to everyone with a path to production data.
Background-checked engineers
All team members with access to production undergo background checks consistent with the laws of the jurisdictions we operate in.
Annual security training
Every team member completes security and privacy training on hire and annually. Engineers receive additional secure-coding training.
Confidentiality by contract
NDAs and confidentiality clauses signed before any access to customer data or production systems. Bound by contract well beyond employment end.
Least-privilege access
Production access is provisioned on a least-privilege basis, time-bound, MFA-gated, and revoked the same day on offboarding. Quarterly access reviews.
The questions every InfoSec team asks.
Need something more specific? Email support.
01. Where is my data stored?
You pick the region. We comply with data storage regulations in the markets we actively operate in — the United States, Mexico, Singapore, and Indonesia. Documents are encrypted at rest with AES-256 and in transit with TLS 1.3, and stay in the region you pick unless you opt in to cross-region replication.
02. How is customer data used?
Customer documents and extracted data are used only to deliver the services you contracted, consistent with our agreement. Your data is never sold and never shared with third parties. It is not repurposed for any other product or model.
03. What certifications do you hold?
We are in active engagement for both ISO 27001 and SOC 2 Type II. Engagement letters from our auditors are available on request via support@usekita.com. Our controls are mapped to the Trust Services Criteria today.
04. Do you offer a Data Processing Addendum?
Yes. A DPA is available before signing and defines roles, security obligations, sub-processing, and data-subject rights handling. Standard Contractual Clauses are available where customer data crosses jurisdictions.
05. How do retention and deletion work?
Retention is configurable per environment and per contract. Documents can be purged immediately after processing or held for a defined window. On retention expiry, contract end, or written request, data is purged from primary storage and backups within the timelines in your DPA.
06. Who are your subprocessors?
A categorized list is on this page. The full named-subprocessor list, including regions and purpose, is available on request via support@usekita.com. We notify customers ahead of any material change.
07. How do you handle SSO and provisioning?
SSO via SAML 2.0 (Okta, Azure AD, Google Workspace) is available on Enterprise. MFA is enforced on all human access by default. SCIM-based provisioning available on request.
08. What happens if there is a security incident?
We follow a documented IR plan with defined severity levels, on-call rotation, and escalation. Affected customers are notified without undue delay — typically within 72 hours of confirmed impact — with scope, timeline, and remediation steps.
09. How often do you pen-test?
Annual third-party penetration tests against the production environment, with continuous internal scanning between cycles. The latest summary report is available under NDA via support@usekita.com.
10. Can I get your security documentation?
Yes. Security questionnaire responses, penetration-test summary, architecture diagrams, DPA, and SCCs are available on request. Email support@usekita.com.
11. Do you support BYO-encryption keys or VPC deployment?
VPC and on-prem deployments are available on Enterprise. Customer-managed keys are scoped per deployment. Talk to support@usekita.com if you have a specific architecture in mind.
12. How do I report a vulnerability?
Email support@usekita.com with details. We acknowledge within one business day, validate, and respond with a remediation plan. Coordinated disclosure is welcomed.
