
04 · Trust + security

How Kletraq protects compliance data

Built for the regulators that supervise our customers. Every control below is a live engineering invariant, not a policy paragraph — verifiable through the platform's own audit trail and the sub-processors listed on this page.

SECURITY CONTROLS

Six invariants the platform enforces.

01

Transport encryption

TLS 1.3 enforced on every API surface and connector. HSTS preload, certificate transparency monitoring. No legacy cipher suites.

TLS 1.3 · HSTS · CT

02

Storage encryption

AES-256-GCM at rest across the primary Postgres, object storage, and audit-log archive. Per-tenant row-level security policies enforce isolation inside the shared database.

AES-256-GCM · RLS · per-tenant

03

Identity + access

TOTP authenticator MFA mandatory for admin and compliance-officer roles (aligned with NDPA 2023 §39, CBN cybersecurity framework, GDPR Art. 32, SOC 2 CC6.1). Role-based access control: admin · compliance officer · staff. Service-role tokens never touch the browser.

TOTP · RBAC · least privilege

04

Audit trail

Every consequential action is sha256-signed and append-only. Audit logs retain user, organization, IP, agent, and decision details. No mutation, no soft-delete bypass — auditors get the same trail you do.

sha256-signed · append-only
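As an added illustration of this invariant (example code, not Kletraq's implementation), the block below keeps an append-only audit trail in which every entry is tagged with HMAC-SHA256 over its own fields plus the previous entry's tag, so a mutated, reordered or silently deleted entry fails verification. The signing key, field names and sample events are constructed assumptions.

```python
"""Append-only, hash-chained audit trail (illustrative; not Kletraq's code)."""
import hashlib
import hmac
import json

# Hypothetical server-side signing key: in production it lives in a KMS and never reaches a browser.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # tag that the first entry chains to


def _canonical(entry: dict) -> bytes:
    # Stable serialisation so identical fields always produce identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(log: list, user: str, org: str, ip: str, agent: str, decision: str) -> dict:
    """Append one event; its tag covers the previous tag, binding both content and order."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "user": user, "org": org, "ip": ip, "agent": agent,
            "decision": decision, "prev": prev}
    tag = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "tag": tag}
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Recompute every tag in order. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        # A gap in seq or a broken prev link means an entry was removed or reordered.
        if body.get("prev") != prev or body.get("seq") != i:
            return False, i
        expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i  # entry content was changed after it was written
        prev = entry["tag"]
    return True, -1


def demo() -> dict:
    """Constructed events: a clean chain, an in-place mutation, and a deleted entry."""
    log = []
    append(log, "ada@example.test", "org_demo", "203.0.113.7", "ava-agent", "approve KYC case 42")
    append(log, "ops@example.test", "org_demo", "203.0.113.8", "web", "export audit pack")
    clean = verify(log)
    mutated = [dict(e) for e in log]
    mutated[0]["decision"] = "reject KYC case 42"  # soft edit of a past decision
    deleted = [log[1]]                              # first entry silently dropped
    return {"clean": clean, "mutated": verify(mutated), "deleted": verify(deleted)}
```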

05

Data residency

Production data lives in regional Postgres replicas. Demo and trial environments are isolated branches with no shared state. Cross-region replication only by explicit request.

regional · branch-isolated

06

Vulnerability management

Snyk Code (SAST) + Snyk Open Source run on every commit and on a daily schedule against main. Critical and high severity CVEs block merge.

SAST · SCA · merge-blocking

BUILT AGAINST

The regulatory regimes Kletraq is architected for.

SUB-PROCESSORS

Third parties with access to customer data.

Transparency is a GDPR Art. 28 requirement, an NDPA §26 requirement, and a procurement-checklist item for every regulated buyer we onboard. This is the complete list. Updates ship as commits to this page — subscribe to changes via the GitHub feed.

Sub-processor · Purpose · Region
Supabase · Application database (Postgres), authentication, object storage, edge functions · EU / US (regional)
Vercel · Application hosting, CDN, preview deployments · Global edge
Resend · Transactional email (workspace invites, MFA enrollment, alerts) · EU / US
Smile Identity · KYC verification — BVN, NIN, liveness checks · Nigeria
Mono · Open Banking — account verification, transaction sync · Nigeria
ComplyAdvantage · Sanctions, PEP, and adverse-media screening · UK / EU
Anthropic · LLM inference for Kletraq Ava and agent pipelines (no model training on data) · US
GitHub · Source control + CI/CD (no customer data) · US

CERTIFICATIONS + ATTESTATIONS

Where we are on third-party validation.

We are deliberate about which audits we pursue and when. The schedule below reflects the current state — no aspirational badges. Requests for the latest audit reports or the short-form security questionnaire go through the procurement contact below.

INCIDENTS + UPTIME

Operational transparency.

A public status page (status.kletraq.com) is on the roadmap and will report real-time uptime for the application, API, and each integration partner. Until then, security incidents and major outages are disclosed to affected customers within 72 hours (aligned with GDPR Art. 33, NDPA §40) — directly and via the audit pack.

SLA · 99.5% (target) · status page Q3 2026

PROCUREMENT + SECURITY

Talk to compliance engineering.

For security questionnaires, DPA requests, sub-processor change subscriptions, or an audit-pack walkthrough — one inbox, monitored.

SECURITY@KLETRAQ.COM REQUEST DPA