SECURITY & TRUST
Security built in, not bolted on.
We install the systems that run your business, so we hold your data to ISO 27001 / SOC 2 principles from day one — not as paperwork after the fact.
Secure by design · least privilege · encrypted · audit logged
A straight answer on certification: we do not claim to be formally SOC 2 or ISO 27001 audited today. What we do commit to is building to those frameworks' principles — the controls below — from the first day of an engagement, so the path to a formal audit is short rather than a rebuild.
THE CONTROLS
What “secure by design” actually means.
The controls we build into every system we install — and hold ourselves to.
Identity, SSO & MFA
One identity, enforced everywhere. We stand systems up so access requires single sign-on with multi-factor authentication — no shared logins, no standing passwords lying around.
Least-privilege access
People and systems get only the access the job needs, and nothing more. Roles are scoped, reviewed, and revoked when they're no longer needed.
Encryption
Our baseline for the systems we install: data encrypted in transit over TLS and at rest on disk. Encryption is the default, not an upgrade.
Backups & recovery
A backup you've never restored is a hope, not a control — so encrypted backups on a schedule and a restore we've actually tested are part of standing a system up, not an afterthought.
Audit logging
We build systems so privileged and security-relevant actions are logged — there should be an answer to "who did what, when," not a guess.
Secure development
Our own delivery already works this way: every change goes through review on a branch, automated tests, dependency and secret scanning, and a green pipeline before it ships — never a direct push to production.
YOUR DATA
It's yours. We treat it that way.
We collect what we need
Lead and client data is limited to what the work requires. We don't hoard data we have no use for.
You can get it back — or have it removed
Client data can be exported, and deletion requests are honored by removing or anonymizing your records.
No selling your data
Your data is used to do the work you hired us for. It is not sold, and it is not handed to advertisers.
Have a security question?
Due-diligence questionnaire, data-handling specifics, or anything else — ask and we'll give you a straight answer.