Kliper holds the most sensitive thing a QSA touches — evidence of how money is protected. Isolation, encryption, and a complete audit trail aren’t features here; they’re the foundation.
Every firm’s ROCs, evidence, and prompts live in a logically isolated store. Retrieval can only operate within the boundary of your engagement.
TLS 1.2+ everywhere; data is encrypted at rest with AES-256.
Who did what, when — including every Cortex action. Exportable audit logs on Team and above for your own evidence.
Cortex is retrieval, not training. It reads your past ROCs, evidence, and the framework text to draft — and nothing of yours is ever used to train shared models or improve another customer’s results.
Role-based access and mandatory MFA for all Kortlabs staff. Our private infrastructure is reached only through Zero Trust network access (Twingate); production access is logged and time-boxed. SSO/SCIM is on the roadmap for Team and above.
Continuous dependency scanning, vulnerability remediation SLAs, and alerting on anomalous access.
A documented incident response plan and a responsible-disclosure channel at [email protected]. We notify affected tenants promptly.