Security
How K2A Solutions LLC protects the data customers entrust to us. We aim to be honest about what we do today and what we are working toward, rather than overstating our posture.
1. Hosting and infrastructure
Production systems run on Hetzner Cloud, a German infrastructure provider. Each customer's AI Operating System runs on a dedicated virtual private server, isolated from other tenants at the host level. The default hosting region is selected based on customer location and procurement preference; United States customers may request U.S.-region hosting where available.
Cloudflare provides DNS, content delivery, and edge security for the K2A marketing site and customer subdomains. The Vercel platform serves our static marketing pages.
2. Encryption
- In transit. All connections to K2A services use TLS 1.2 or higher. HTTPS is enforced on all production endpoints. Connections between K2A services and our sub-processors (model providers, payment processor, email delivery) use TLS over the public internet.
- At rest. Customer data stored on K2A-managed servers is encrypted at rest using AES-256 at the disk level. Database files inherit this protection.
3. Access control
- Production server access is restricted to named K2A personnel.
- Server access requires SSH key authentication; password authentication is disabled.
- K2A operates on a least-privilege basis: personnel receive only the access required to perform their role.
- Production access is logged. Logs are reviewed periodically and on incident.
4. Authentication
Customer accounts in the K2A Operating System are protected by password authentication with industry-standard hashing. We are evaluating SSO and additional MFA options as part of the product roadmap. Customers concerned about specific authentication requirements should contact us before starting service.
5. Tenancy and isolation
K2A's architecture places each customer on a separately provisioned virtual private server. Customer A's data is not co-resident on the same server, database, or filesystem as Customer B's data. This eliminates a class of cross-tenant data-leak risks that affect shared-database SaaS products.
6. Sub-processors
K2A engages the following sub-processors to deliver the Service. Each is bound by a contract that restricts use of customer data to providing services to K2A. Where applicable, K2A relies on the sub-processor's own published security and privacy commitments in addition to its contract.
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Server hosting and infrastructure | Germany / United States, per tenant |
| Cloudflare, Inc. | DNS, CDN, edge security | Global edge network |
| Vercel Inc. | Marketing site hosting | United States |
| Anthropic, PBC | AI model inference | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Google LLC (Workspace) | Internal email, document storage, calendars | United States |
| HighLevel Inc. (GoHighLevel) | Customer relationship management | United States |
| Telegram FZ-LLC | Internal operator notifications | International |
We will provide at least ten (10) business days' notice to customers under a Data Processing Agreement before adding a new sub-processor that processes customer personal data. Customers who object to a new sub-processor on reasonable grounds may terminate as set out in their agreement.
7. Backups and recovery
We take periodic snapshots of customer-tenant infrastructure. Backups are retained for a rolling window appropriate to the customer's tier of service. Backup recovery is tested periodically.
K2A does not currently offer a contractual recovery time objective (RTO) or recovery point objective (RPO). Customers with specific RTO/RPO requirements should contact us before starting service.
8. Incident response
K2A maintains an internal incident response process for security events. In the event of a confirmed personal information security incident affecting customer data:
- We will begin internal triage and containment promptly upon confirmation.
- We will notify affected customers without undue delay and in any event within seventy-two (72) hours of confirmation, providing the information required by applicable law and the affected customer's Data Processing Agreement.
- We will notify regulators in accordance with applicable law, including the New York Attorney General, the New York Department of State, the New York State Police, and the New York Department of Financial Services to the extent required by the New York SHIELD Act and related law.
- We will document the incident, root cause, remediation, and lessons learned, and apply remediations to reduce the likelihood of recurrence.
9. Vulnerability management
K2A monitors security advisories for the components of our stack, including operating system packages, runtime libraries, and the SDKs of our sub-processors. Critical patches are applied promptly. We respond to credible vulnerability reports submitted through our responsible disclosure channel.
10. Personnel
K2A personnel with access to customer data are bound by written confidentiality obligations. Personnel are required to use multi-factor authentication on accounts that provide access to production systems or to internal collaboration tools that store customer data.
11. Compliance posture
We will not claim certifications we do not hold.
- SOC 2. K2A is not currently SOC 2 certified. As our customer base and revenue grow, we will scope and pursue SOC 2 Type I and Type II.
- ISO 27001. Not currently certified.
- HIPAA. K2A is not configured today to support HIPAA-regulated workflows. We do not currently sign Business Associate Agreements. Healthcare clients should not place protected health information into the Service.
- FedRAMP. Not in scope.
Customers running formal vendor reviews are welcome to send us a security questionnaire at security@k2asolutions.com; we will complete it candidly within a reasonable timeframe.
12. Payment data and PCI
K2A uses Stripe to process payment cards. Card data is collected and stored by Stripe; K2A's systems never receive, store, or transmit raw cardholder data. Stripe is certified PCI DSS Level 1. K2A's PCI scope is correspondingly limited (we use Stripe-hosted checkout flows that keep us outside the cardholder data environment).
13. GDPR readiness
Although K2A's customers are United States-based today, our Data Processing Agreement is structured to be compatible with the General Data Protection Regulation. Standard Contractual Clauses are available on request for customers who require them. K2A makes no representation of GDPR certification (none exists under the regulation).
14. Responsible disclosure
If you believe you have found a security vulnerability in K2A's services, we want to hear from you. Email security@k2asolutions.com with a description of the issue, steps to reproduce, and any supporting material. We ask that you:
- Give us a reasonable opportunity to investigate and remediate before public disclosure
- Not access, modify, or delete data belonging to others
- Not perform actions that could degrade service availability for others
- Comply with applicable law
K2A does not currently operate a paid bug bounty program, but we will acknowledge good-faith reports and credit researchers who request it in a coordinated disclosure post.
15. Contact
Security inquiries: security@k2asolutions.com
General contact: team@k2asolutions.com
K2A Solutions LLC, New York, NY