Trust & Compliance

Compliance

We take security and compliance seriously. This page details our certifications, security practices, and regulatory commitments.

Request Compliance Docs Security Overview

Certifications & Compliance

🔐

SOC 2 Type II

✓ Certified

Service Organization Control 2 - Security, Availability, Processing Integrity, Confidentiality, and Privacy trust principles.

Annual audit covering all five trust principles
Continuous monitoring and evidence collection
Report available under NDA for enterprise customers

Valid until: December 2025

🇪🇺

GDPR

✓ Certified

General Data Protection Regulation - EU data protection and privacy regulation.

Data Processing Agreement (DPA) available
EU data residency option for enterprise
Right to erasure fully supported
Data portability API available

🌴

CCPA

✓ Certified

California Consumer Privacy Act - California data privacy requirements.

Consumer rights portal for CA residents
Do Not Sell My Personal Information honored
Transparent data collection disclosures

📋

ISO 27001

⏳ In Progress

International standard for information security management systems (ISMS).

Gap assessment completed Q4 2024
ISMS implementation in progress
Certification expected Q2 2025

🏥

HIPAA

📅 Planned

Health Insurance Portability and Accountability Act - US healthcare data protection.

Not currently HIPAA compliant
Roadmap item for healthcare vertical expansion
BAA available upon certification

Security Practices

Encryption

TLS 1.3 for all data in transit
AES-256 for data at rest
HSM-backed key management
Perfect forward secrecy

Access Control

Role-based access control (RBAC)
Multi-factor authentication required
Principle of least privilege
Just-in-time access provisioning

Infrastructure

SOC 2 certified cloud providers
Network segmentation and firewalls
Regular vulnerability scanning
Intrusion detection systems

Monitoring

24/7 security monitoring
Centralized log management (SIEM)
Real-time alerting
Incident response playbooks

Data Residency

Enterprise customers can choose their primary data region. All regions are backed by SOC 2 certified infrastructure.

United States

Default

AWS us-east-1 (Virginia)

European Union

AWS eu-west-1 (Ireland)

Asia Pacific

AWS ap-northeast-1 (Tokyo)

Audit History

Date	Type	Auditor	Result	Notes
November 2024	SOC 2 Type II	Third-party auditor	Unqualified opinion (clean)	Zero exceptions noted
August 2024	Penetration Test	Independent security firm	Passed	3 low findings remediated within SLA
June 2024	GDPR Assessment	Internal DPO + External counsel	Compliant	Annual privacy impact assessment
March 2024	SOC 2 Type I	Third-party auditor	Unqualified opinion (clean)	Initial Type I leading to Type II

Subprocessors

Third-party services that may process customer data on our behalf.

Last updated: December 2024. Enterprise customers are notified 30 days before subprocessor changes take effect.

Security Vulnerability Reporting

We appreciate security researchers who responsibly disclose vulnerabilities. Please report security issues to:

security@justkalm.com

We aim to respond within 24 hours and provide updates every 72 hours until resolution. We do not pursue legal action against researchers who act in good faith.

Need More Information?

Our security team is available to answer compliance questions, provide additional documentation, or discuss enterprise security requirements.

Contact Security Team Privacy Policy