Tamper-evident audit log
Every change appends to a per-org hash-chained audit log, verified on a schedule. A broken link raises an alert, and even a compromised key cannot silently rewrite history.
Kitstak's security posture is what makes the product worth running on. The invariants below are enforced at the schema, not promised in a policy.
These are not aspirational. They are the schema. Break one in code and the test suite fails before it ships.
Every change appends to a per-org hash-chained audit log, verified on a schedule. A broken link raises an alert, and even a compromised key cannot silently rewrite history.
Customers see only their own rows, fenced by row-level security on every tenant table. The boundary is probed continuously, so an isolation gap would surface long before production traffic could reach it.
State-changing requests carry an idempotency key, so a replay inside a 24-hour window returns the original response instead of acting twice. A network blip cannot duplicate an invoice or a payment.
Writes into a closed accounting period raise an error at the trigger layer. Application code cannot bypass. Your financials stop moving when you say they stop.
Integer cents end-to-end. Half-even rounding. Tax rates snapshotted at issuance. Multi-currency from day one. Floating-point math never touches a dollar.
Granular, role-based capabilities gate every action. Each state-changing endpoint checks the caller's permission before it touches a row. The server is the authority; the UI is the convenience.
Standard practice for a SaaS that handles financial and operational data. Documented so customers know what to expect.
TLS 1.2 or higher on every connection. HSTS preload. No mixed content. Modern cipher suites only.
Disk encryption on the primary database. Sensitive columns slated for column-level encryption as the product matures.
TOTP-based multi-factor authentication. Required for platform admin actions. Available and strongly recommended for every staff user.
Privileged credentials live only in managed secret stores, never in the repository, and are rotated on a defined cadence.
Every schema change is a new numbered migration. Nothing is edited in place. Recovery from a bad decision is always a new forward migration with an invariant precheck.
A continuous cross-tenant probe matrix, audit-chain verifier, and idempotency cleanup. Green-gate or alert, never silent.
Send us your questionnaire or your DPA template. The fastest path to a yes is a real conversation with the founder.