§ Trust CenterCompliance · Architecture · Subprocessors · Security

ISO 27001 · 8 frameworks

Audit-ready by default.
Sovereign by architecture.

Trust isn't a marketing page. It's the architecture, the audit log, the evidence pack, and the list of every subprocessor we use. This is the index. Each section below links to the actual artifacts.

For active customers under NDA, full evidence packs, certificates, and pen test reports are available through your CSM.

Request audit pack →View security details

Compliance frameworks

ISO · GDPR · HIPAA · NDMO · BSP · EU AI Act · FedRAMP

Egress events

Validated quarterly across sovereign deployments

100%

Customer-owned data

We are processor, not controller

4×/yr

Pen tests

Independent · published to customers

§ 01 · The three pillarsEach links to the actual evidence · not promises

Three pillars.
Each with a real artifact behind it.

Compliance

Eight frameworks attested or in scope. Evidence pack auto-generated from the audit log, not hand-prepared. Annual surveillance for ISO. Custom framework mappings for sovereign deployments.

ISO 27001 · annual surveillance
GDPR · DPA + SCC
HIPAA · BAA on request
EU AI Act · high-risk class
NDMO · KSA classification
BSP Circular 1166 · banking
FedRAMP · Moderate (in process)

See the artifact →

Sovereign architecture

Air-gap is a deployment shape, not a feature flag. Same code, same APIs, just deployed inside your perimeter with zero egress. Per-tenant SSO, custom domain, audit log isolation.

Air-gapped · zero egress
Multi-tenant · per-org SSO
Custom domain per tenant
Audit log per tenant
Region-pinned data residency
Self-hosted models (open weights)
Offline updates via signed bundle
Customer-controlled keys (BYOK)

See the artifact →

Subprocessors

A small, vetted list of subprocessors. We notify customers before adding any new one that processes customer data. Sovereign tier removes most subprocessors entirely.

Cloud providers · region-pinned
Authentication · SSO providers
Email and notifications
Observability · self-hosted option
Payment · Stripe (commercial only)
DPA with all subprocessors
30-day notification on changes
Sovereign tier · zero subprocessors

See the artifact →

§ 02 · Quick accessThe artifacts auditors actually ask for

What auditors ask for.
Already on the shelf.

📋

ISO 27001 certificate

Public certificate available below. Full Statement of Applicability under NDA.

Download certificate →

🔐

Pen test report

Independent quarterly testing. Latest summary available; full report under NDA.

Request via CSM →

🌐

Sub-processors list

Current list available on request. Contact your CSM or reach out to request the full list.

Request via CSM →

🛡

Security whitepaper

Architecture, controls, encryption, and operations. PDF download.

Read whitepaper →

📜

Data Processing Agreement

Standard DPA aligned to GDPR Article 28. Custom DPAs available.

Request DPA →

§ 03 · FrameworksWhat we attest · what we're working toward

Where we are.
Where we're going.

Honest status. Frameworks we're attested for, frameworks in process, and frameworks that don't apply to a B2B platform with no payment processing.

ISO/IEC 27001

Global

Certified · annual

SINCE 2022

GDPR

EU + UK

Compliant · DPA + SCC

SINCE 2018

HIPAA

United States

BAA-ready

SINCE 2024

EU AI Act

European Union

High-risk class · ready

SINCE 2025

NDMO

Saudi Arabia

Compliant · classification

SINCE 2023

BSP Circular 1166

Philippines

Compliant · banking AI

SINCE 2024

FedRAMP Moderate

US Federal

In process · Q3 2026

SINCE 2026

ISO 42001 (AI MS)

Global

Certification target · 2026

SINCE 2026

PCI DSS

Global · payments

N/A · we don't process payments

Need a framework not listed here? Sovereign deployments support custom framework mappings. Talk to us about custom compliance →

§ 04 · Get the evidence

Don't take our word.
Audit the artifacts.

Active customers get full evidence packs through their CSM. Prospects evaluating Katonic for a regulated workload can request the relevant subset under a mutual NDA. Auditors and regulators contact us directly.

Request evidence pack →View security details

§ Trust CenterCompliance · Architecture · Subprocessors · Security

ISO 27001 · 8 frameworks

Audit-ready by default.
Sovereign by architecture.

Trust isn't a marketing page. It's the architecture, the audit log, the evidence pack, and the list of every subprocessor we use. This is the index. Each section below links to the actual artifacts.

For active customers under NDA, full evidence packs, certificates, and pen test reports are available through your CSM.

Request audit pack →View security details

Compliance frameworks

ISO · GDPR · HIPAA · NDMO · BSP · EU AI Act · FedRAMP

Egress events

Validated quarterly across sovereign deployments

100%

Customer-owned data

We are processor, not controller

4×/yr

Pen tests

Independent · published to customers

§ 01 · The three pillarsEach links to the actual evidence · not promises

Three pillars.
Each with a real artifact behind it.

Compliance

Eight frameworks attested or in scope. Evidence pack auto-generated from the audit log, not hand-prepared. Annual surveillance for ISO. Custom framework mappings for sovereign deployments.

ISO 27001 · annual surveillance
GDPR · DPA + SCC
HIPAA · BAA on request
EU AI Act · high-risk class
NDMO · KSA classification
BSP Circular 1166 · banking
FedRAMP · Moderate (in process)

See the artifact →

Sovereign architecture

Air-gap is a deployment shape, not a feature flag. Same code, same APIs, just deployed inside your perimeter with zero egress. Per-tenant SSO, custom domain, audit log isolation.

Air-gapped · zero egress
Multi-tenant · per-org SSO
Custom domain per tenant
Audit log per tenant
Region-pinned data residency
Self-hosted models (open weights)
Offline updates via signed bundle
Customer-controlled keys (BYOK)

See the artifact →

Subprocessors

A small, vetted list of subprocessors. We notify customers before adding any new one that processes customer data. Sovereign tier removes most subprocessors entirely.

Cloud providers · region-pinned
Authentication · SSO providers
Email and notifications
Observability · self-hosted option
Payment · Stripe (commercial only)
DPA with all subprocessors
30-day notification on changes
Sovereign tier · zero subprocessors

See the artifact →

§ 02 · Quick accessThe artifacts auditors actually ask for

What auditors ask for.
Already on the shelf.

📋

ISO 27001 certificate

Public certificate available below. Full Statement of Applicability under NDA.

Download certificate →

🔐

Pen test report

Independent quarterly testing. Latest summary available; full report under NDA.

Request via CSM →

🌐

Sub-processors list

Current list available on request. Contact your CSM or reach out to request the full list.

Request via CSM →

🛡

Security whitepaper

Architecture, controls, encryption, and operations. PDF download.

Read whitepaper →

📜

Data Processing Agreement

Standard DPA aligned to GDPR Article 28. Custom DPAs available.

Request DPA →

§ 03 · FrameworksWhat we attest · what we're working toward

Where we are.
Where we're going.

Honest status. Frameworks we're attested for, frameworks in process, and frameworks that don't apply to a B2B platform with no payment processing.

ISO/IEC 27001

Global

Certified · annual

SINCE 2022

GDPR

EU + UK

Compliant · DPA + SCC

SINCE 2018

HIPAA

United States

BAA-ready

SINCE 2024

EU AI Act

European Union

High-risk class · ready

SINCE 2025

NDMO

Saudi Arabia

Compliant · classification

SINCE 2023

BSP Circular 1166

Philippines

Compliant · banking AI

SINCE 2024

FedRAMP Moderate

US Federal

In process · Q3 2026

SINCE 2026

ISO 42001 (AI MS)

Global

Certification target · 2026

SINCE 2026

PCI DSS

Global · payments

N/A · we don't process payments

Need a framework not listed here? Sovereign deployments support custom framework mappings. Talk to us about custom compliance →

§ 04 · Get the evidence

Don't take our word.
Audit the artifacts.

Request evidence pack →View security details

Audit-ready by default.Sovereign by architecture.

Three pillars.Each with a real artifact behind it.

What auditors ask for.Already on the shelf.

Where we are.Where we're going.

Don't take our word.Audit the artifacts.

Audit-ready by default.Sovereign by architecture.

Three pillars.Each with a real artifact behind it.

What auditors ask for.Already on the shelf.

Where we are.Where we're going.

Don't take our word.Audit the artifacts.

Audit-ready by default.
Sovereign by architecture.

Three pillars.
Each with a real artifact behind it.

What auditors ask for.
Already on the shelf.

Where we are.
Where we're going.

Don't take our word.
Audit the artifacts.

Audit-ready by default.
Sovereign by architecture.

Three pillars.
Each with a real artifact behind it.

What auditors ask for.
Already on the shelf.

Where we are.
Where we're going.

Don't take our word.
Audit the artifacts.