Security
A Decision OS your auditors will love.
Decision data is unusually sensitive. Not because it is rich in personal information, but because it tells a story about how judgement is made inside a company. We treat that story as something to be protected and proven, not mined.
Encrypted everywhere
AES-256 at rest. TLS 1.3 in transit. Each decision receipt is signed on its own. Any change breaks the seal.
Locked down access
Access to live data is limited by role, time-limited and logged. No shared admin account. The founder included.
Your workspace stays separate
Each workspace is kept apart. No shared models are trained on your data. Your data is never used to improve another customer's product.
Built to stand up to a check
Every decision Kauzio makes gets a signed receipt. Handy for your board, an audit, a regulator, or your own peace of mind six months from now.
Honest about incidents
Real incidents are reported in writing to affected workspaces within 72 hours. We publish the write-up here, with names removed.
SOC 2 controls in progress
SOC 2 Type II controls are in progress, aligned to the Trust Services Criteria and built in from day one so a future audit can move quickly.
Cryptographic integrity
Signed Decision Certificates
Every decision the platform issues generates a DecisionCertificate with a unique, human-readable number in the form KZ-YYYY-NNNNNN. The certificate is the canonical, durable record of what was decided, by whom, on what evidence, and when.
Certificate content is canonicalised to JSON, hashed with SHA-256, and signed using HMAC-SHA256 with a dedicated server-side signing key. Key management is documented in our internal runbook.
Each outcome event in the life of a decision (issued, 30-day check-in, 90-day check-in, 365-day check-in) is signed and appended to the certificate as a verifiable chain: every event's signed payload includes the signature of the event before it. Editing or removing an event in the middle breaks every link after it, which makes the history tamper evident, not just the original record.
The public verify endpoint at /api/v1/public/verify/{certificate_id} returns the original certificate plus its full signed history. Anyone with the link can verify any event without an account. See a live sample at /verify/sample.
Key rotation policy
The certificate signing key is controlled entirely via environment variable and is rotated on a documented cadence. The schedule is documented internally and published in our security policy on request. Old certificates remain verifiable against the key they were signed with, so rotation never invalidates history.
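The following is an added worked example, not Kauzio's own code, showing the scheme described in the Signed Decision Certificates and Key rotation policy sections: a certificate is canonicalised to JSON, hashed with SHA-256 and signed with HMAC-SHA256; each outcome event embeds the previous link's signature; events can be signed under a rotated key while older links still verify against the key they were signed with. The field names, the key identifiers, the keyring contents and the sample certificate values are all assumptions for illustration. The verifier reports the first broken link, which is how an edited or removed middle event shows up.

```python
import copy
import hashlib
import hmac
import json
from typing import Any

# Constructed keyring: key id -> secret bytes. Key ids and key values are
# assumptions for this example; the page only states that a dedicated
# server-side key is used and rotated on a documented cadence.
KEYRING: dict[str, bytes] = {
    "2025-k1": b"example-signing-key-2025",
    "2026-k2": b"example-signing-key-2026",
}


def canonical_json(obj: Any) -> bytes:
    """Canonical form: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(payload: dict, key_id: str) -> str:
    """SHA-256 over the canonical JSON, then HMAC-SHA256 of that digest."""
    digest = hashlib.sha256(canonical_json(payload)).digest()
    return hmac.new(KEYRING[key_id], digest, hashlib.sha256).hexdigest()


def issue(cert_id: str, decision: dict, key_id: str) -> dict:
    """Create a signed certificate record with an empty event chain."""
    body = {"certificate_id": cert_id, **decision}
    return {"certificate": body, "key_id": key_id,
            "signature": sign(body, key_id), "events": []}


def append_event(record: dict, event: str, occurred_at: str, key_id: str) -> dict:
    """Append a signed outcome event whose payload embeds the previous link's signature."""
    prev = record["events"][-1]["signature"] if record["events"] else record["signature"]
    payload = {"certificate_id": record["certificate"]["certificate_id"],
               "event": event, "occurred_at": occurred_at, "prev_signature": prev}
    record["events"].append({"payload": payload, "key_id": key_id,
                             "signature": sign(payload, key_id)})
    return record


def verify(record: dict) -> tuple[bool, str]:
    """Re-verify the certificate and every chained event; report the first broken link."""
    key_id = record["key_id"]
    if key_id not in KEYRING:
        return False, "unknown certificate key id"
    if not hmac.compare_digest(sign(record["certificate"], key_id), record["signature"]):
        return False, "certificate signature mismatch"
    prev = record["signature"]
    for i, ev in enumerate(record["events"]):
        payload, kid = ev["payload"], ev["key_id"]
        if kid not in KEYRING:
            return False, f"event {i}: unknown key id {kid}"
        if payload.get("prev_signature") != prev:
            return False, f"event {i}: chain link does not match previous signature"
        if payload.get("certificate_id") != record["certificate"]["certificate_id"]:
            return False, f"event {i}: certificate id mismatch"
        if not hmac.compare_digest(sign(payload, kid), ev["signature"]):
            return False, f"event {i}: event signature mismatch"
        prev = ev["signature"]
    return True, "ok"


def demo_chain() -> dict:
    """Constructed sample: certificate and first events signed under the 2025 key,
    the 90-day check-in signed under the rotated 2026 key."""
    rec = issue("KZ-2025-000001",
                {"decided_by": "example@example.invalid", "decision": "Approve pilot",
                 "evidence_refs": ["doc-1", "doc-2"], "issued_at": "2025-11-20T10:00:00Z"},
                "2025-k1")
    append_event(rec, "issued", "2025-11-20T10:00:00Z", "2025-k1")
    append_event(rec, "check-in-30", "2025-12-20T10:00:00Z", "2025-k1")
    append_event(rec, "check-in-90", "2026-02-18T10:00:00Z", "2026-k2")  # after rotation
    return rec


def tamper_middle(record: dict) -> dict:
    """Copy of the record where the 30-day event's payload was edited after signing."""
    bad = copy.deepcopy(record)
    bad["events"][1]["payload"]["event"] = "check-in-30-edited"
    return bad


def drop_middle(record: dict) -> dict:
    """Copy of the record with the 30-day event removed; the next link no longer matches."""
    bad = copy.deepcopy(record)
    del bad["events"][1]
    return bad


if __name__ == "__main__":
    rec = demo_chain()
    print(verify(rec))                 # (True, 'ok')
    print(verify(tamper_middle(rec)))  # event 1: event signature mismatch
    print(verify(drop_middle(rec)))    # event 1: chain link does not match previous signature
```

Two points worth noting when reading this against the page. First, rotation works here because each link carries the id of the key it was signed under, and the verifier keeps old keys in its keyring; retiring a key from the keyring would make every link signed with it unverifiable, which is exactly the history-invalidation the page says rotation must not cause. Second, HMAC is a shared-secret MAC: whoever verifies must hold the key, so third-party re-verification from the public link is necessarily performed by the verify endpoint on the caller's behalf. If the goal is for an auditor to check a certificate without contacting the service, an asymmetric signature with a published public key (for example Ed25519) fits that goal; the chaining logic above is unchanged either way.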
Audit and proof
Because every certificate event is signed and chained, the certificate history is tamper evident by construction — anyone can re-verify it from the public link without trusting us. (Our internal application audit log is a separate, conventional database table; the cryptographic guarantees described here apply to decision certificates and their outcome events.)
Regulators, auditors, and accountants can re-verify any certificate at any time using the public endpoint. The verify URL is shareable: you can paste it into a board pack, a tender response, or an audit working paper, and the reviewer can check it themselves in seconds.
That is what we mean by defensible by design. The proof travels with the decision.
Security, honestly stated
Kauzio was founded in Nottingham in November 2025, and we earn certifications before we claim them. What we have today is real: UK GDPR alignment, a clean architecture, written controls, a dated incident response policy, encryption in transit and at rest, and an audit log for every signed decision.
If you need a vendor security questionnaire completed before you can adopt the product, write to contact and we will turn it around quickly. We would rather be slow on hype and quick on paperwork than the other way round.
Reporting a vulnerability
If you believe you have found a security issue, please email security@kauzio.com. We acknowledge within one working day and aim to triage within 72 hours. We do not currently run a paid bounty programme; we do publicly credit researchers, with consent, in our post-mortems.
