Security · Trust Portal

Security is the practice we sell — so we hold ourselves to it.

Most of our engagements involve regulated infrastructure. The security posture we bring to client work starts with the posture we hold ourselves to. This page documents that, so procurement teams and security reviewers can verify before reaching out.

Operating posture.

The controls and conventions that govern how we run our own infrastructure and how we handle anything you share with us.

Identity is the perimeter.

Universal MFA on every account we use. SSO consolidation across the SaaS tools that support it, so identity revocation is one action rather than forty. Access to anything customer-related is scoped to the people who need it for the engagement.

Encryption at rest and in transit.

TLS 1.2 minimum on every external endpoint. Customer-shared artefacts (questionnaires, evidence, design docs) live in encrypted stores. No PHI or production data leaves your environment to ours by default.

Workstation security as a baseline.

Full-disk encryption on every workstation. Operating systems kept current. Sensitive customer material is not cached to local disk where avoidable.

Vendor trust chain.

We vet every sub-processor against the same criteria we'd apply on your behalf. The full list of vendors that touch your data is published below — no hidden surface.

How we handle your data.

What we receive, where it lives during an engagement, and what happens to it when the engagement closes.

Minimum-necessary data.

We ask for only what the engagement requires. Production data, PHI, customer records — these stay in your environment. We work against scrubbed samples, synthetic data, or read-only access scoped to specific resources.

Documented retention.

Engagement artefacts (design docs, evidence, runbooks) are retained for the duration of the engagement plus a defined handoff window. After that, your election: returned, securely destroyed, or transferred to your own systems.

No training on your data.

Anything you share is used for the engagement only. We do not feed customer data into model training pipelines, demo decks, or marketing content. Anonymised case study use requires explicit written consent.

Sub-processors.

The third-party services that may process data on our behalf. We assess each one against the same security criteria we apply on your engagements.

Vendor Purpose Region
Cloudflare Static site hosting (Cloudflare Pages), DNS, edge security, bot protection Global edge
Mailgun Transactional email — contact form notifications + auto-confirmations US
GitHub Source control + version history for the site and engagement artifacts US
Google Analytics (gtag.js) + Workspace (operations email) US
Microsoft Microsoft Clarity (anonymised session analytics) US

Material changes to this list are surfaced here. If you need notification on new sub-processors as part of a DPA, we accommodate that — just specify it when we sign.

Agreements we'll sign.

We don't currently hold third-party certifications, and we don't claim ones we aren't pursuing. What we will execute with you, in writing, is below.

  • Available

    Business Associate Agreement (BAA)

    For engagements that involve HIPAA-regulated work, we execute a BAA before any PHI-adjacent access. Standard terms, redlines welcome.

  • Available

    Confidentiality / NDA

    Mutual NDAs executed before sensitive material is shared in either direction. We sign yours, or you sign ours.

Incident response.

What happens if we observe — or are notified of — a security event that touches your engagement.

01

Triage during business hours.

Any reported or detected event reaches a responsible engineer within one business hour. Reports submitted outside business hours are triaged the next morning unless flagged urgent.

02

Notify within 24 business hours.

If your engagement is potentially affected, you receive a written notification with what we know, what's still unknown, and what we're doing. We don't wait for the full picture to start the conversation.

03

Document and remediate.

Each incident is documented in a written timeline. Remediation is tracked against owners and dates. The post-incident summary is shared with affected customers.

04

Learn and adjust.

Material incidents update this page, the sub-processor assessment criteria, or the engagement playbook — whichever is appropriate. The change is visible to affected customers.

Documents available.

What we'll send to a procurement team that asks. If you need something not listed, ask — most reasonable requests have an answer.

Document How to request
Sub-processor list Public — this page is the source of truth
Business associate agreement (BAA) For healthcare engagements
Security questionnaire response On request — NDA preferred, not required
Report a security issue

Found something we should know about?

Email hello@kaansystems.com with "security issue" in the subject line and the details inside. We acknowledge within one business day, investigate, and follow up with a fix or an explanation. Coordinated disclosure welcomed — credit given on request.

Open a conversation