Trust Center
Security and compliance documentation for healthcare organizations evaluating Kustode.
HIPAA: Compliant
SOC 2 Type II: Certified
HITECH: Compliant
Security Controls
Data encrypted at rest: AES-256
Data encrypted in transit: TLS 1.3
Multi-factor authentication: Required for all users
Role-based access control: Least-privilege
Tenant data isolation: Continuously tested
PHI audit logging: Immutable, 6-year retention
Automated incident response: 24-hour breach notification
Data residency: United States only
Backup & recovery: Continuous with point-in-time restore
Vulnerability management: Continuous automated scanning
Documents
SOC 2 Type II Report
Full audit report covering all five trust service criteria.
Business Associate Agreement (BAA)
Standard BAA template executed with every customer.
Penetration Test Summary
Latest third-party penetration test executive summary.
Information Security Policy
Security controls, risk management, and governance.
Incident Response Plan
Detection, containment, recovery, and notification procedures.
Subprocessor List
Complete list of third-party vendors processing data.
FAQ
Does Kustode sign BAAs?
Yes. We execute a Business Associate Agreement with every customer before any PHI is processed.
Where is my data stored?
All data is stored in the United States within HIPAA-eligible cloud services. Data never leaves the country. Each customer's data is logically isolated at the database layer.
Can I get a copy of the SOC 2 report?
Yes. Our SOC 2 Type II report is available under NDA. Contact security@kustode.com to request access.
What happens during a security incident?
Our team is alerted automatically. For breaches involving PHI, affected customers are notified within 24 hours per HIPAA breach notification requirements.
Does Kustode support SSO?
Yes. We support SAML 2.0 and OpenID Connect for single sign-on. Available on all plans.
Questions?
Our security team is available to answer questions and support your compliance review.