The invariants we enforce

These are not aspirational. They are the schema. Break one in code and the test suite fails before it ships.

Tamper-evident audit log

Every change appends to a per-org hash-chained audit log, verified on a schedule. A broken link raises an alert, and even a compromised key cannot silently rewrite history.

Row-level security on every tenant table

Customers see only their own rows, fenced by row-level security on every tenant table. The boundary is probed continuously, so an isolation gap would surface long before production traffic could reach it.

Idempotency on every write

State-changing requests carry an idempotency key, so a replay inside a 24-hour window returns the original response instead of acting twice. A network blip cannot duplicate an invoice or a payment.

Period close is a database invariant

Writes into a closed accounting period raise an error at the trigger layer. Application code cannot bypass. Your financials stop moving when you say they stop.

Money as integer cents

Integer cents end-to-end. Half-even rounding. Tax rates snapshotted at issuance. Multi-currency from day one. Floating-point math never touches a dollar.

Capability gates per role

Granular, role-based capabilities gate every action. Each state-changing endpoint checks the caller's permission before it touches a row. The server is the authority; the UI is the convenience.

Operational practices

Standard practice for a SaaS that handles financial and operational data. Documented so customers know what to expect.

Encryption in transit

TLS 1.2 or higher on every connection. HSTS preload. No mixed content. Modern cipher suites only.

Encryption at rest

Disk encryption on the primary database. Sensitive columns slated for column-level encryption as the product matures.

MFA for staff users

TOTP-based multi-factor authentication. Required for platform admin actions. Available and strongly recommended for every staff user.

Secret handling

Privileged credentials live only in managed secret stores, never in the repository, and are rotated on a defined cadence.

Forward-only migrations

Every schema change is a new numbered migration. Nothing is edited in place. Recovery from a bad decision is always a new forward migration with an invariant precheck.

Continuous probing

A continuous cross-tenant probe matrix, audit-chain verifier, and idempotency cleanup. Green-gate or alert, never silent.

Data Processing Addendum

Enterprise customers can execute a DPA. Standard processor terms with US-only residency at launch. Email team@kitstak.com to request a draft.

Compliance roadmap

SOC 2 readiness work begins year two. Evidence collection (access reviews, log retention, change management) is documented from day one so the audit is a checkbox, not a rebuild.

Responsible disclosure

Found something? Email security@kitstak.com. We acknowledge within one business day and work in good faith with researchers.

Security review required before signing?

Send us your questionnaire or your DPA template. The fastest path to a yes is a real conversation with the founder.

Before we book

First, a few quick details

So the founder can tailor the conversation to what you run. Takes about 20 seconds.

We use this only to prepare for and follow up on your conversation. Prefer email? team@kitstak.com.