Security & trust

Built to pass your security review.

Kanonik holds your compliance record, so we hold ourselves to the bar you would hold any vendor that touches it. This page is for the person who signs off before you connect: what we protect, how we protect it, what we store, and who we rely on.

Reviewing us for a deal? Email [email protected] and we will answer your questionnaire directly.

Security posture

How your record is protected

The product is the protection. Every one of these is enforced by the system, not by policy alone.

A human approves every external write

Nothing reaches your record on the AI's say-so. Each change your AI proposes is checked by a server-side reviewer, then waits for a one-click approval from a real person on your side. The approval is single-use, time-limited, and signed. There is no path that skips it.

The reviewer runs on our servers, not in the chat

The check that decides whether a change is safe to apply runs inside our platform, server-side. The AI in your chat window cannot turn it off, talk it down, or route around it.

Your audit log is tamper-evident

Every change is recorded in an append-only log where each entry is cryptographically chained to the one before it and the chain is sealed with a FIPS 140-3-validated signing key. If anyone altered or removed a past entry, the chain would no longer verify, and you can run that verification yourself, offline, from any export.
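An added sketch of what offline verification of a hash-chained log involves; it is not Kanonik's code or export format. The entry fields, SHA-256, the all-zero genesis value, and the `sealed_head` parameter are assumptions, the sample events are constructed, and checking the signature over the head hash is left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(prev_hash, payload):
    # Canonical JSON so the same payload always produces the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def build_chain(payloads):
    entries, prev = [], GENESIS
    for payload in payloads:
        digest = entry_hash(prev, payload)
        entries.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries, sealed_head):
    """Return (ok, reason). sealed_head is the head hash the seal covers."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev:
            return False, f"entry {i}: broken link"       # entry removed or reordered
        if entry_hash(prev, entry["payload"]) != entry["hash"]:
            return False, f"entry {i}: content altered"
        prev = entry["hash"]
    # Chaining alone cannot detect a dropped tail or a fully recomputed
    # chain; only comparison with the sealed head catches those.
    if prev != sealed_head:
        return False, "head does not match seal"
    return True, "ok"


# Constructed sample events, named after the record types the page lists.
SAMPLE = [
    {"seq": 1, "event": "proposal", "control": "A.5.1"},
    {"seq": 2, "event": "review_verdict", "result": "pass"},
    {"seq": 3, "event": "approval", "by": "reviewer@example.com"},
    {"seq": 4, "event": "commit"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    head = chain[-1]["hash"]
    print(verify_chain(chain, head))        # intact export
    print(verify_chain(chain[:-1], head))   # last entry silently dropped
```

When reviewing a real export, the questions to ask are which fields the entry hash covers and how the sealed head and its public key are obtained independently of the export itself.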

Each workspace is cryptographically isolated

Your data is encrypted at rest with a key that belongs to your workspace alone, wrapped by a second key held in a dedicated secrets vault. Database-level row security keeps one workspace's data unreachable from another's, enforced at the data layer, not just in application code.

You bring your own AI model

Kanonik never hosts the AI doing your compliance work. You connect the model you already use through a standard, OAuth-protected connection. We never see your model provider's keys, and we never hold the credentials to your source systems. Your AI reaches those through its own connections, not ours.

Modern, validated cryptography end to end

Browser traffic uses TLS 1.3. Traffic between our internal services is mutually authenticated and encrypted. Sign-in uses OpenID Connect. Every signing, key-wrapping, and hashing step in a security-critical path uses FIPS 140-3-validated cryptography.

Data handling

What we store, and what we never touch

Kanonik stores the compliance record, not your evidence and not your systems. The distinction is deliberate.

What Kanonik stores

  • Your typed compliance model: policies, controls, risks, mappings, audit sessions, findings, and the like.
  • References to where your evidence lives (links and identifiers), not the evidence content itself.
  • The tamper-evident audit log of every proposal, review verdict, approval, and committed change.
  • Your workspace profile and the owner contact, encrypted with your workspace key.

What Kanonik never holds

  • Your AI model or its provider keys. You bring your own model.
  • Credentials to your source systems (code hosts, ticketing, identity, chat). Your AI reaches those through its own connections.
  • The raw contents of your evidence systems. We keep references, not copies.
  • Card details on our servers. Payment is handled by our payment processor, never stored by us.

Sub-processors

Who we rely on

Kanonik runs on a small, deliberate set of infrastructure providers. We keep this list current; material changes are communicated to customers in advance.

| Provider | Purpose | Data |
| --- | --- | --- |
| Oracle Cloud Infrastructure | Cloud hosting: compute, managed database, storage. | Your compliance model and audit log, encrypted with your workspace key. |
| OpenBao | Secrets vault that holds the keys that wrap your workspace encryption. | Encryption-key material only. No compliance content. |
| Keycloak | Sign-in and identity (OpenID Connect). | Account identity: email and workspace membership. |
| Stripe | Payment processing. | Billing and card details, held by Stripe, never stored by Kanonik. |

Your AI model provider is chosen and operated by you, not by Kanonik. Because you bring your own model, your model provider is your sub-processor, not ours. We never send your data to a model we host.

Residency & retention

Where your data lives, and for how long

Encryption & residency

Your workspace data is encrypted at rest with a key unique to your workspace and in transit with TLS 1.3. Data is hosted in our cloud provider's managed regions. If your review requires a specific region or a dedicated-tenancy arrangement, raise it with us before you sign, and we can scope it.

Retention

Your audit log is retained for seven years to meet the evidence window auditors expect, and it is append-only by design, so entries are never edited or deleted in place. If you close your workspace, we provide a full signed export of your record and then remove your data on the schedule set out in your agreement.

Data Processing Agreement

Sign a DPA before you connect

If you process personal or regulated data through your compliance program, you need a Data Processing Agreement in place. We make that a step in onboarding, not an afterthought.

Our standard DPA covers the roles of each party, the categories of data processed, our security commitments, sub-processor handling, and breach notification. Request a copy and we will send it for review and signature.

We are wiring an in-product e-signature step into onboarding. Until that lands, request and sign the DPA by email. Same document, same commitments.

On the roadmap

What we are building toward, stated plainly

We would rather you trust what we say than be impressed by what we imply. Here is what is planned but not yet in place.

  • SOC 2: Not yet certified. Our controls are built to support a SOC 2 examination, and it is on our roadmap. We will not describe ourselves as SOC 2 certified until a report exists.
  • FedRAMP Moderate: Not authorized. The platform is engineered to the FedRAMP Moderate standard from the ground up, and federal authorization is a deliberate, later-stage goal, not a claim we make today.
  • Framework coverage: ISO 27001:2022 is the framework loaded today. SOC 2 is the next framework we will add. We will not imply coverage of a framework your workspace cannot actually use.