Compliance
SOC 2 Type II: Certified
GDPR: Compliant
Security at a Glance
Data Encryption
Zero Trust Access
SOC 2 & GDPR
Endpoint Security
Network Protection
Internal Controls
Cloud Infrastructure
Product Integrity
App Security
Automated Code Analysis
Konecto integrates Azure Defender and GitHub Advanced Security into the development pipeline to perform continuous automated scanning of source code, open-source dependencies, and container images. Every code change is evaluated for known vulnerabilities before it can be merged or deployed. All proprietary platform code is maintained in GitHub with full version control history, enabling traceability of every change to a specific developer and supporting rollback capabilities when needed.
Secure Development Lifecycle (SDLC)
Konecto maintains a documented Systems Development Life Cycle (SDLC) with formal change management procedures covering change request, documentation, development, QA testing, UAT, and management approval before any migration to production. Development and testing environments are logically separated from production. No code reaches production without QA approval and documented sign-off. A Change Management Form is required for all application and infrastructure changes, ensuring full auditability of every modification to the platform.
AI-Specific Security Controls
The Konecto AI Core platform implements a dedicated layer of AI security controls including prompt-injection detection, hallucination-prevention guardrails, and approved-knowledge grounding to ensure AI Agents operate exclusively within customer-authorized documentation. Automated call termination and session controls activate when adversarial manipulation or suspicious activity is detected during AI Agent interactions. Sensitive data elements such as health-related information or government ID numbers are automatically redacted from recordings and transcripts through post-processing controls.
Data Security
Encryption in Transit and at Rest
Konecto encrypts all customer data in transit using HTTPS/TLS for all ingress connections to the platform. Data at rest, including interaction recordings, transcripts, knowledge bases, and customer metadata stored in Azure PostgreSQL and Azure Blob Storage, is encrypted using Azure-provided encryption. Cryptographic keys and secrets are managed exclusively through Azure Key Vault, with access restricted to authorized service identities via Managed Identities, so no credentials are stored in application code.
Backups & Data Retention
Customer data is backed up on a scheduled basis and monitored by the DevOps team for completion and exceptions. Backup infrastructure is maintained within Microsoft Azure with physical access restricted according to Azure’s security policies. All backups are encrypted and access is restricted to key personnel. Data retention and disposal policies comply with customer contractual requirements and regulatory standards. Secure deletion procedures are executed upon customer request or contract termination, and backup integrity is verified through regular testing of restoration procedures.
Data Classification & Lifecycle Management
Konecto classifies all data according to sensitivity and business criticality into four categories: Customer Confidential (interaction data, PII of end-consumers, conversation history), Confidential (internal analytics, incident reports, risk assessments), Private (credentials, source code, cryptographic keys), and Company Data (public content). Data owners are responsible for ensuring appropriate protection controls are applied based on classification. All employees and contractors are required to handle customer data in accordance with applicable data protection regulations and customer agreements.
Access Control
Role-Based Access Control & Least Privilege
All access to Konecto’s systems is managed through Azure Entra ID with predefined roles including Developer, QA, DevOps/MLOps, and Cloud Admin — each with a specific and limited scope of permissions. New personnel receive access on a progressive basis following the principle of least privilege. All access requests are formalized by the AI Team Lead or Cloud Admin and require approval from company Owners before provisioning. Access reviews are conducted at least annually by senior technical leadership to verify that all active accounts and privileges remain aligned with current job functions.
Multi-Factor Authentication (MFA)
MFA is enforced without exception for all internal personnel accessing critical infrastructure, including the Microsoft Azure portal and the corporate VPN. All internal user accounts are managed through Azure Entra ID with MFA as a mandatory requirement. Customer access to the Konecto AI App is managed via Auth0 with strong password complexity requirements enforced. System-to-system programmatic access within Azure is secured using Managed Identities, eliminating stored credentials entirely. External service integrations are protected using Auth0-managed credentials.
Access Deprovisioning
When an employee or contractor relationship terminates, all access to in-scope systems, applications, and infrastructure is revoked within a 72-hour timeframe following the termination event. The deprovisioning process is executed through a documented termination checklist that ensures all system access is revoked, company property is returned, and ongoing confidentiality obligations are reinforced. Privileged access — including administrative accounts and production access — is reviewed monthly with particular scrutiny to prevent unauthorized retention of elevated permissions.
Endpoint Security
Device Inventory & Management
Konecto maintains a system inventory documenting all virtual machines, computers (desktops and laptops), and networking devices including device name, type, description, and owner. All personnel operate under Konecto’s Acceptable Use Policy, which defines appropriate use of company systems, email, internet access, and customer data, with violations subject to disciplinary action up to and including termination. The company maintains a network diagram documenting the topology of its infrastructure, updated as organizational changes occur.
Security Patch Management
The Cloud Engineer function is responsible for security patch management across all operating systems and dependencies. Security patch status is continuously monitored with expedited deployment tracked for critical patches. Azure Defender and GitHub Advanced Security provide integrated vulnerability scanning of code, dependencies, and container images on a continuous basis. Security findings are addressed through the formal incident response and change management process, with internal SLAs governing response timelines based on severity.
Background Verification
Background checks are performed for all employees and contractors as part of the hiring process, appropriate to their level of system access and customer data exposure. All personnel are required to sign Confidentiality and Non-Disclosure Agreements (NDAs) prior to receiving access to any systems or customer data. New employees complete a structured onboarding process including execution of confidentiality agreements, acknowledgment of security policies, security awareness training, and provisioning of system access based on approved access requests tied to their specific role.
Network Protection
PaaS Network Architecture & Firewall
Konecto operates on a Platform-as-a-Service (PaaS) architecture hosted on Microsoft Azure that provides an effective firewall around all application containers. The only permitted ingress is via HTTPS connections to designated web frontend endpoints, eliminating exposure of backend services to the public internet. The PaaS provider automates container provisioning and deprovisioning to match desired configurations — if an application container fails, it is automatically replaced regardless of whether the failure is at the application or hardware level, ensuring continuous availability.
Quarterly Vulnerability Scanning
Konecto engages an external security firm to perform quarterly vulnerability scans of the system and network to identify undetected security weaknesses across the production environment. The product engineering team responds to any issues identified through the regular incident response and change management process. In addition, automated vulnerability scanning executes on regular schedules internally via Azure Defender to continuously identify security weaknesses in systems, applications, and dependencies between quarterly external assessments.
SIEM & Continuous Security Monitoring
A Security Information and Event Management (SIEM) system continuously monitors security logs for suspicious activity, unauthorized access attempts, and security policy violations. The security team reviews SIEM alerts daily and investigates anomalies and potential security events. Infrastructure monitoring tools track system availability, performance metrics, and capacity utilization with automated alerting for anomalies. All production systems are monitored 24/7 to ensure AI Agents remain accessible and to detect and respond to security threats in real time.
Internal Controls
Security Awareness Training
Security awareness training is mandatory for all personnel during onboarding, covering information security policies, data protection requirements, phishing awareness, password security, and incident reporting procedures. Annual refresher training is required for all personnel with system access, reinforcing security best practices and updating personnel on emerging threats. Role-specific training is provided to Engineering, QA, and Operations personnel on secure coding practices, cloud infrastructure security, AI/ML security considerations, and platform-specific technologies. Training completion rates are monitored by management.
Security Policies & Code of Conduct
Konecto maintains a formally documented Code of Conduct that communicates company values, behavioral standards, and expectations for ethical conduct to all personnel, with specific responsibilities related to handling customer data, maintaining confidentiality, and reporting security concerns. An Acceptable Use Policy defines appropriate use of company systems, email, internet access, and customer data. All employees and contractors sign acknowledgment forms confirming they have received and understood the Employee Handbook and all security policies. Anonymous reporting mechanisms allow personnel to report suspected violations without fear of retaliation.
Security Incident Response
Konecto maintains a formal incident response plan guiding employees on reporting and responding to security incidents and data privacy events. Procedures are in place for identifying, reporting, and acting upon breaches. The CISO is responsible for security incident response coordination and customer notifications. In the event of a confirmed Security Incident, customers are notified without undue delay as defined in customer agreements. Critical and high-severity deficiencies are escalated immediately to the CISO and Executive Leadership. No significant security incidents occurred during the audit period covered by Konecto’s SOC 2 Type II report.
Infrastructure
Microsoft Azure Cloud Infrastructure
Konecto’s entire production infrastructure is hosted on Microsoft Azure, leveraging Azure Container Apps for serverless container runtime, Azure PostgreSQL for transactional data, Azure Blob Storage for unstructured data, Azure Redis for high-performance caching, Azure Key Vault for secrets management, and Azure Entra ID for identity and access management. Azure’s physical and environmental security protections — including restricted datacenter access, 24/7 physical security monitoring, fire suppression, and uninterruptible power supply — are reviewed by Konecto annually through attestation reports and risk analysis.
Business Continuity & Disaster Recovery
Konecto maintains business continuity and disaster recovery capabilities through Microsoft Azure’s multi-region infrastructure. The DevOps team is responsible for backup and disaster recovery operations, monitoring of system availability, and incident response for infrastructure and availability issues. The PaaS architecture automatically replaces failed containers regardless of failure type, ensuring service continuity. Management maintains an incident response plan and conducts capacity planning to support high availability. Azure’s complementary controls include datacenter power redundancy and environmental monitoring as documented in Konecto’s SOC 2 report.
Infrastructure as Code & CI/CD
All infrastructure changes are managed through documented SDLC and change management procedures. The DevOps team manages CI/CD pipelines and deployment automation, ensuring consistent, auditable, and repeatable deployments across environments. Development and testing environments are logically separated from production. Management approves all changes prior to migration to the production environment, with approvals documented in the ticketing system. Version control software maintains a full history of all code changes, enabling rollback capabilities and traceability of every modification to a specific developer.
Product Integrity
Audit Logging & Observability
Konecto implements deep system instrumentation through the AI Governance platform, providing comprehensive visibility into platform operations, infrastructure health, performance metrics, and security monitoring. Azure Analytics Logs serves as the centralized internal logs store. All production deployments are documented in the change management system with evidence of testing, approvals, and post-deployment validation. The SIEM system captures security events across all platform components and the security team reviews alerts daily. Audit logs are protected against unauthorized access and retained in accordance with Konecto’s data retention policies.
Secure API Integrations & SSO
Customer access to the Konecto AI App is managed via Auth0, an external identity platform that handles authentication and authorization of end-users with strong password complexity requirements. System-to-system programmatic access within Azure is secured using Managed Identities, while external integrations use Auth0-managed credentials. All API integrations with customer systems — including Salesforce, HubSpot, Genesys, Zendesk, SAP, and others — implement authentication and authorization controls for all system-to-system communications, maintaining data integrity across connected platforms.
Quality Assurance & Pre-Deployment Testing
The Konecto QA team conducts end-to-end testing and validation of all AI Agent configurations, integrations, and conversation flows prior to production deployment. Automated testing frameworks validate AI Agent behavior across diverse scenarios including edge cases and adversarial inputs. Sentry provides real-time error tracking and application observability in production. User Acceptance Testing (UAT) with customer stakeholders is required before go-live, with results documented alongside the associated change request. Post-deployment monitoring and quality assurance continue through the AI Governance platform’s observability tools.
The following reports and documentation are available to customers and qualified prospects. To protect sensitive security details, access requires identity verification and, in some cases, a signed NDA.