Security


Katharos Technologies, Inc.

Last Updated: March 6, 2026


At Katharos, security is foundational to everything we build. Our customers trust us with sensitive compliance data, and we take that responsibility seriously.

This page describes our security practices, certifications, and commitments.


Our Security Principles

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Access limited to what's necessary
  • Encryption Everywhere: Data protected in transit and at rest
  • Transparency: Clear communication about our practices
  • Continuous Improvement: Regular assessments and updates

Infrastructure Security

Cloud Platform

Katharos is hosted on enterprise-grade cloud infrastructure:

Component           | Provider        | Certifications
Application Hosting | Vercel          | SOC 2 Type II, ISO 27001
Primary Database    | Supabase (AWS)  | SOC 2 Type II, HIPAA eligible
Vector Database     | Pinecone (AWS)  | SOC 2 Type II
AI Processing       | Anthropic       | SOC 2 Type II

All infrastructure is hosted in the United States.

Network Security

  • All traffic encrypted using TLS 1.2 or higher (HTTPS)
  • Regular vulnerability scanning and penetration testing
  • DDoS protection through cloud provider
  • Web Application Firewall (WAF) protection

Data Protection

Encryption

Data State          | Method
In Transit          | TLS 1.2+ (HTTPS) for all connections
At Rest (Database)  | AES-256 encryption
At Rest (Vectors)   | Vendor-managed encryption
Backups             | Encrypted using AES-256

Data Isolation

  • Each customer's data is logically isolated
  • Access controls enforced at the application and database level
  • API keys stored securely as server-side environment variables

Data Residency

All data is processed and stored in the United States. For customers with specific data residency requirements, please contact us to discuss options.


AI and Anthropic

How We Use AI

Katharos uses Claude, developed by Anthropic, for intelligent risk analysis. When you use our screening features:

  • Your queries and data are sent to Anthropic's API for processing
  • Claude analyzes the data and returns results to Katharos
  • Results are stored in your Katharos account

Anthropic's Security Commitments

Anthropic does not train on your data. Per Anthropic's commercial API terms:

  • Customer inputs and outputs are not used to train or improve models
  • Data is not shared with third parties
  • Anthropic maintains SOC 2 Type II certification

Our Prompt Security

  • System prompts are designed to prevent prompt injection attacks
  • Outputs are validated and sanitized before display
  • We monitor for anomalous AI behavior

Access Control

Authentication

  • Email-based authentication with secure session management
  • Role-based access control (RBAC) with four permission levels:
      ◦ Admin: Full access, user management, workspace settings
      ◦ Analyst: Create cases, run screenings, generate reports
      ◦ Reviewer: View and comment on cases
      ◦ Viewer: Read-only access
  • Session timeout and automatic logout
  • Future: SSO integration (SAML 2.0, OIDC) available for enterprise

Authorization

  • Workspace isolation: Users only see data in their workspace
  • Case-level permissions (coming soon)
  • API access controlled by scoped tokens

Audit Logging

What We Log

Every significant action is logged for security and compliance:

Event Type              | Data Captured
Authentication          | User email, timestamp, IP address, user agent
Case Activity           | User, action, case ID, timestamp
Screening               | User, entity screened, timestamp, results summary
Report Generation       | User, report ID, timestamp
Data Export             | User, data type, timestamp
Administrative Actions  | User, action, target, timestamp

Retention

  • Audit logs retained for 7 years
  • Logs are immutable and tamper-evident
  • Available for export upon request

Application Security

Secure Development

  • Security-focused code review process
  • Dependency scanning for known vulnerabilities
  • Regular security assessments
  • Secure coding guidelines followed

Vulnerability Management

  • Automated vulnerability scanning
  • Responsible disclosure program (see below)
  • Timely patching of identified vulnerabilities

API Security

  • All API endpoints require authentication
  • Rate limiting to prevent abuse
  • Input validation and sanitization
  • CORS restrictions

Compliance

Current Status

Framework       | Status
SOC 2 Type II   | In Progress (Target: Q3 2026)
GDPR            | Not yet compliant
CCPA            | Compliant
HIPAA           | Not applicable (no PHI processed)

Data Processing Agreement

Enterprise customers requiring a Data Processing Agreement (DPA) can request one by contacting patrick@katharos.co.

Security Questionnaires

We can provide responses to:

  • SIG (Standardized Information Gathering) Questionnaire
  • CAIQ (Cloud Assessment Initiative Questionnaire)
  • Custom security questionnaires

Contact patrick@katharos.co for security documentation.


Incident Response

Our Commitment

In the event of a security incident affecting your data:

  • Identification: Security event detection via audit logging
  • Containment: Immediate action to limit impact
  • Investigation: Thorough root cause analysis
  • Notification: Affected customers notified within 72 hours
  • Remediation: Vulnerabilities patched and controls strengthened
  • Review: Post-incident analysis and improvement

Reporting an Incident

If you believe your account has been compromised or you've identified a security issue:

Email: patrick@katharos.co

Include:

  • Description of the issue
  • Steps to reproduce (if applicable)
  • Your contact information

Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities.

Scope

  • katharos.co and associated subdomains
  • Katharos web application
  • Katharos APIs

Out of Scope

  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks
  • Third-party applications or services

How to Report

Email: patrick@katharos.co

Subject: [Vulnerability Report] - Brief Description

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested remediation

Our Promise

  • We will acknowledge receipt within 48 hours
  • We will keep you informed of our progress
  • We will not pursue legal action against good-faith researchers
  • We will credit you (if desired) when the issue is resolved

Security FAQs

Does Anthropic train on my data?

No. Anthropic's commercial API terms explicitly state that customer inputs and outputs are not used to train models.

Where is my data stored?

All data is stored in the United States using enterprise-grade cloud providers (Supabase/AWS for database, Pinecone/AWS for vectors, Vercel for application hosting).

Can I export my data?

Yes. You can export your cases and reports within the application. For a complete data export, contact patrick@katharos.co.

Can I delete my data?

Yes. You can delete individual cases within the application. To delete your account, go to Settings and select "Close Account."

Do you support SSO?

SSO integration (SAML 2.0, OIDC with Okta, Azure AD, etc.) is available for enterprise customers. Contact patrick@katharos.co.

Do you have a SOC 2 report?

SOC 2 Type II certification is in progress with target completion in Q3 2026. Contact patrick@katharos.co for current security documentation.


Contact

Security Team: patrick@katharos.co

Privacy Inquiries: patrick@katharos.co

General Support: patrick@katharos.co