Keystone
by CloudVoro
Security & compliance

What's certified.
What isn't yet.

Plain-language security posture for Keystone. We list every control we run, label whether it's live, in progress, or planned, and call out the gaps so procurement teams don't have to guess.

Effective May 2026 · Last reviewed May 2026

1. Hosting & data residency

[LIVE] Production data is hosted in AWS Ireland (eu-west-1, Dublin). No customer data leaves the EU without prior written consent (and we've never asked).

Each Keystone tenant runs in a logically isolated MongoDB database under a single regional cluster. Cross-tenant queries are impossible at the application layer (every query carries a `tenant_id` predicate enforced server-side; see audit-log section below).
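
An added example of the server-side enforcement described above; this is not Keystone's own code, and the filter shapes, the `acme`/`globex` tenants and the sample documents are constructed for illustration. It shows why the tenant predicate must be AND-ed in rather than merged, and why the check has to walk nested `$or`/`$and` branches:

```python
# Added example, not Keystone's code: a server-side guard that forces a
# tenant_id predicate onto every MongoDB-style filter (plain dicts, no driver).
TENANT_KEY = "tenant_id"

class TenantScopeError(ValueError):
    """Raised when a caller-supplied filter tries to set tenant scope itself."""

def _mentions_tenant(node):
    """Walk the whole tree: a tenant_id inside $or/$and/$nor branches would
    slip past a naive top-level key check."""
    if isinstance(node, dict):
        return any(k == TENANT_KEY or _mentions_tenant(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_mentions_tenant(item) for item in node)
    return False

def scoped_filter(tenant_id, user_filter=None):
    """AND the tenant predicate with the caller's filter via $and: a plain dict
    merge would let a caller filter carrying tenant_id overwrite ours."""
    if not isinstance(tenant_id, str) or not tenant_id:
        raise TenantScopeError("tenant_id must be a non-empty string")
    user_filter = user_filter or {}
    if _mentions_tenant(user_filter):
        raise TenantScopeError("caller filters may not reference tenant_id")
    return {"$and": [{TENANT_KEY: tenant_id}, user_filter]}

def is_rejected(tenant_id, user_filter):
    """True when the guard refuses the filter (the event worth audit-logging)."""
    try:
        scoped_filter(tenant_id, user_filter)
    except TenantScopeError:
        return True
    return False

def _matches(doc, flt):
    """Equality and $and only; enough to run the guard over SAMPLE_DOCS."""
    return all(all(_matches(doc, s) for s in v) if k == "$and" else doc.get(k) == v
               for k, v in flt.items())

# Constructed sample data: two tenants sharing one collection.
SAMPLE_DOCS = [
    {"tenant_id": "acme", "batch": "B-100", "status": "shipped"},
    {"tenant_id": "acme", "batch": "B-101", "status": "held"},
    {"tenant_id": "globex", "batch": "B-100", "status": "shipped"},
]

def find(tenant_id, user_filter=None):
    """The only read path: every query goes through scoped_filter()."""
    return [d for d in SAMPLE_DOCS if _matches(d, scoped_filter(tenant_id, user_filter))]
```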

2. Encryption

  • [LIVE] At rest: AES-256 via AWS KMS-managed keys. Backups encrypted with the same key hierarchy.
  • [LIVE] In transit: TLS 1.3 enforced on all public endpoints. HSTS preload-eligible. No TLS 1.0 / 1.1 fallback.
  • [LIVE] Field-level: Sensitive PII fields (customer delivery addresses, contact phones, supplier banking metadata) are encrypted application-side before reaching MongoDB.

3. Access controls

  • [LIVE] Per-tenant role-based access (super_admin · admin · ops_user · viewer · demo).
  • [LIVE] Bcrypt password hashing (work factor 12) with timing-safe verification.
  • [IN PROGRESS] Multi-factor authentication — available for super_admin accounts via TOTP; rollout to all roles tracked for Q3 2026.
  • [LIVE] Session tokens are JWTs with 8h idle expiry, signed with a per-deployment HS256 secret.
  • [LIVE] Failed-login throttling and brute-force IP lockout (10 attempts / 15 min sliding window).
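
An added example of the throttling control listed above, not Keystone's own implementation: a per-source-IP sliding-window lockout using the stated limits (10 failed attempts in 15 minutes). The IP addresses and timestamps are constructed, and `verify` stands in for the bcrypt check, which the lock gate deliberately runs before:

```python
# Added example, not Keystone's code: per-source-IP sliding-window lockout with
# the limits stated above (10 failed attempts per 15 minutes). `now` is passed in
# as seconds so runs are deterministic; production state would live in a shared
# store rather than process memory.
from collections import deque

MAX_FAILURES = 10
WINDOW_SECONDS = 15 * 60

class LoginThrottle:
    def __init__(self):
        self._failures = {}  # source IP -> deque of failure timestamps

    def _window(self, ip, now):
        """Drop failures older than the window, return the live deque."""
        q = self._failures.setdefault(ip, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, ip, now):
        return len(self._window(ip, now)) >= MAX_FAILURES

    def retry_after(self, ip, now):
        """Seconds until the oldest in-window failure ages out; 0 if not locked."""
        q = self._window(ip, now)
        return WINDOW_SECONDS - (now - q[0]) if len(q) >= MAX_FAILURES else 0

    def attempt(self, ip, now, verify):
        """Gate one login. The lock check runs before verify() so a locked-out
        source cannot make the server spend bcrypt work on every attempt."""
        if self.is_locked(ip, now):
            return "locked"
        if verify():
            self._failures.pop(ip, None)  # success clears the counter
            return "ok"
        self._window(ip, now).append(now)
        return "failed"

def demo():
    """Constructed scenario: ten bad attempts from 203.0.113.5 (a documentation
    address), then the lockout, another IP, and the window sliding open again."""
    t = LoginThrottle()
    outcomes = [t.attempt("203.0.113.5", 1000 + i, lambda: False) for i in range(10)]
    outcomes.append(t.attempt("203.0.113.5", 1010, lambda: True))   # right password, still locked
    wait = t.retry_after("203.0.113.5", 1010)                        # 900 - 10 = 890 seconds
    outcomes.append(t.attempt("198.51.100.7", 1010, lambda: True))  # other IP unaffected
    outcomes.append(t.attempt("203.0.113.5", 1900, lambda: True))   # oldest failure aged out
    return outcomes, wait
```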

4. Audit trail

[LIVE] Every state-changing API call is recorded into an immutable audit log: actor, tenant, action, resource, before/after delta, timestamp, source IP. The log is queryable from the Admin Console and exportable as signed PDF — this is what BRCGS Issue 9 §5.4 evidence looks like in practice. Status transitions on Traceability Events maintain their own status-history sub-log on top.

5. Certification status — the honest list

What we are NOT yet certified to:

  • [NOT CERTIFIED] ISO/IEC 27001:2022 — alignment programme in progress; we map our controls to Annex A but have no third-party certificate. Marketing copy elsewhere on this site uses phrases like "aligned to ISO/IEC 27001:2022" — that means we follow the control framework, not that we hold the certificate.
  • [NOT CERTIFIED] NIS2 (EU Directive 2022/2555) — our customers in scope of NIS2 (essential or important entities) can rely on Keystone's tenant isolation, MFA roadmap and audit-trail controls to support their own obligations. CloudVoro itself is below the NIS2 size threshold; we are building toward readiness rather than holding any NIS2-equivalent attestation.
  • [PLANNED] UK Cyber Essentials / Cyber Essentials Plus — on the roadmap. Assessing body (IASME network) and confirmed date will be named here once scoped.
  • [NOT CERTIFIED] SOC 2 Type II — not on the 2026 roadmap. We can provide a security questionnaire instead.

What we ARE compliant with today:

  • [LIVE] GDPR (Regulation (EU) 2016/679) — controller for site visitors, processor for tenant data. See Privacy Policy.
  • [LIVE] Irish Data Protection Act 2018 — domestic implementation of GDPR.
  • [LIVE] EU Regulation 178/2002 traceability requirements — Keystone's batch model is designed to evidence Art. 18 obligations end-to-end.

6. Data protection lead & ADPO membership

[LIVE] CloudVoro is below the GDPR Art. 37(1) threshold that mandates a formally designated Data Protection Officer. We operate with a Data Protection Lead (Privacy Contact) who handles subject access requests and supervisory-authority correspondence, reachable at privacy@cloudvoro.com.

Our founder Asif Khan is a member of the Association of Data Protection Officers (ADPO) Ireland, which we maintain for professional development — not as a substitute for a formally appointed DPO. As an owner/director, Asif cannot also serve as CloudVoro's DPO under GDPR Art. 38(6) (conflict of interest). If our processing scale grows past the Art. 37 threshold or a customer's contract requires it, we will appoint an external DPO and disclose that change here.

7. Sub-processors & vendor risk

Limited, named sub-processors with EU-or-equivalent data-protection guarantees. The current list, contact addresses and processing purposes are kept on a dedicated page — /legal/sub-processors. Material changes are emailed to the primary tenant contact 30 days before they take effect, in line with Art. 28(2) GDPR.

8. Vulnerability disclosure

If you believe you've found a security vulnerability in Keystone, please write to security@cloudvoro.com with steps to reproduce. We acknowledge within 2 business days and aim to provide a fix or mitigation timeline within 10 business days. We don't run a paid bounty programme yet — we will name researchers publicly with permission and provide a written acknowledgement letter.

9. Backup & disaster recovery

  • [LIVE] Encrypted MongoDB Atlas continuous backups, 30-day point-in-time recovery window.
  • [LIVE] Recovery Time Objective (RTO): 4 hours for full-region failure. Recovery Point Objective (RPO): < 1 minute under normal operation, ≤ 15 minutes worst case.
  • [IN PROGRESS] Cross-region warm standby (eu-west-2 London) on the 2026 H2 roadmap.

10. Incident response

We notify the primary tenant contact within 72 hours of confirming a personal-data breach, in line with Art. 33 GDPR. If you're a customer, the named contact for your tenant is recorded in your Master Services Agreement. Generic security notices land in your in-product Admin Console.

11. Customer responsibilities

Security is a shared model. The Customer is responsible for: choosing strong passwords / enabling MFA on super_admin accounts, granting least-privilege access via the Roles screen, keeping the tenant's contact list current, reviewing the audit log on a cadence appropriate to their certification scheme, and notifying us promptly of staff offboarding.

Procurement enquiries

Need a completed security questionnaire (SIG Lite / CAIQ / a retailer's bespoke form)? Email security@cloudvoro.com — typical turnaround 3 business days for a Lite questionnaire, 5–7 for a full one.

Compliance & trust

How we keep your data and your audits safe.

We are honest about what's certified and what's in progress. Anything marked "in progress" reflects active work towards a recognised standard — never marketing decoration. Privacy queries go to privacy@cloudvoro.com. Sub-processor list at /legal/sub-processors. Full security posture at /site/security.

  • [Live] Hosted in EU / Ireland: Customer data resides on AWS Ireland (eu-west-1) — never leaves the EU.
  • [Live] GDPR · Privacy Contact named: Internal Data Protection Lead handles subject access requests. Owner is ADPO Ireland member.
  • [In progress] NIS2 · building toward readiness: Tenant isolation, audit trails and MFA support customers in NIS2 scope. CloudVoro itself is below the size threshold; not yet certified.
  • [In progress] ISO 27001 · alignment: We map our controls to Annex A but hold no third-party certificate. Formal certification on the 2026 roadmap.
  • [In progress] Cyber Essentials · planned: UK Cyber Essentials assessment is on our roadmap. We will name the assessing body (IASME) and a confirmed date here once scoped.
  • [Live] Encryption · at rest & in transit: TLS 1.3 in transit, industry-standard symmetric ciphers at rest, KMS-managed keys.