Security is in our DNA
We build a product that thousands of security teams trust. That means our own security posture has to be held to the highest standard — and we publish exactly how we do it.
Four security principles
Every control, every policy, and every architectural decision traces back to one of these.
Least Privilege
Every system, service, and human gets the minimum access required — nothing more. Access is granted explicitly and revoked immediately when no longer needed.
Defense-in-Depth
No single control is a silver bullet. We layer security controls so that the failure of any one layer does not expose the system as a whole.
Consistent Application
Security policies apply uniformly across all environments — production, staging, and development. There are no exceptions for speed or convenience.
Continuous Improvement
Threat landscapes evolve. Our security posture evolves with it — driven by red team exercises, post-mortems, and ongoing monitoring that never sleeps.
Security measures
Not policy documents — actual controls running in production, every day.
Data Encryption
- AES-256 encryption for all data at rest
- TLS 1.2+ enforced for all data in transit
- Encrypted database backups with isolated key management
- End-to-end encrypted secrets storage
Vulnerability Management
- Annual third-party penetration testing by certified firms
- Continuous automated vulnerability scanning across all surfaces
- Attack surface management with real-time exposure monitoring
- Bug bounty program for responsible disclosure
Infrastructure Security
- Isolated cloud environments per customer tenant
- Network segmentation with strict east-west controls
- Immutable infrastructure with signed container images
- Zero-trust network access via Tailscale
People, devices, and partners
Security extends to every device we touch and every vendor we trust.
MDM Enrolled Devices
All company endpoints are enrolled in Mobile Device Management. Disk encryption, remote wipe, and policy enforcement are non-negotiable.
Okta Identity Platform
Centralized identity management with SSO and MFA enforced across all internal tools. Privileged access is time-boxed and fully audited.
Risk-Based Vendor Evaluation
Every vendor handling Kwawrk data undergoes a structured risk assessment. Critical vendors are reviewed annually — or upon material change.
Security Awareness Training
All employees complete security awareness training at onboarding and annually. Phishing simulations run continuously to keep the team sharp.
Tailscale Zero-Trust Access
Production infrastructure is not publicly routable. All administrative access flows through Tailscale with device authentication and identity verification.
Your data is yours. Full stop.
We don't monetize your data. We don't sell it, rent it, or use it to train third-party models. Every privacy commitment we make is backed by legal agreements and technical controls.
Read our Privacy Policy
Privacy Shield Aligned
Our data handling practices align with international privacy frameworks including GDPR, CCPA, and applicable cross-border transfer mechanisms.
Regulatory Evaluation
Our legal and compliance teams continuously evaluate evolving data protection regulations to ensure we meet or exceed requirements in every jurisdiction.
Documentation & Audit Trails
All data processing activities are documented. Customers receive data processing agreements and can request processing records at any time.
Questions about our security?
Our security team is available to walk you through our controls, share audit reports, and answer any technical questions.