Security & compliance

Single-tenant when it matters. Auditable always.

Kerf deploys to manufacturers handling production-sensitive, ITAR-controlled, and HIPAA-adjacent technical data. Our security posture is built for those buyers, not retrofitted for them.

Compliance posture

SOC 2 Type II

In audit · Q3 2026 expected

Auditor: [REDACTED — placeholder]. Trust services criteria: Security, Availability, Confidentiality. Bridge letter available on request once the Type II report is issued.

ISO 27001

In audit · Q4 2026 expected

Registrar: [REDACTED — placeholder]. ISMS scope: Kerf platform, supporting services, and corporate operations.

NIST 800-171

Compliant deployment

Alignment with the 110 security requirements of NIST SP 800-171 Rev. 2 for handling Controlled Unclassified Information (CUI). System Security Plan (SSP) available under mutual NDA. CMMC Level 2 certification on the roadmap.

ITAR-aware

Single-tenant US-only deployment

For customers handling ITAR-controlled technical data: dedicated VPC, US-only data residency, US-person-only support, no foreign-national access. Registration: [REDACTED].

GDPR + DPA

DPA-ready

Standard contractual clauses · subprocessor list maintained · DPIA support · data subject request workflow.

BAA-ready

For medical-device customers

BAAs supported for medical-device contract manufacturers (CMs) whose technical data may contain protected health information (PHI). Encryption at rest, TLS 1.3 in transit, audit-log retention.

Identity, access, and audit

  • SSO/SAML 2.0 · Okta, Microsoft Entra, Google Workspace, Auth0, Ping
  • SCIM 2.0 provisioning · automated user lifecycle
  • Role-based access control · least-privilege by default; per-agent and per-data-domain scoping
  • Audit-log export · streaming to Splunk, Datadog, or your SIEM of choice
  • BYOK / customer-managed keys · AWS KMS, GCP KMS, customer-controlled key rotation
  • VPC-private deployment option · for ITAR-aware and CUI-bearing customers
  • Pen-test cadence · annually by an independent third party. Latest report under NDA.

Data handling

What we do with your data. Customer data — RFQs, BOMs, NCRs, supplier correspondence — is processed by your dedicated agent instance and stored in your tenant only. We do not train models on customer data. We do not move data across tenant boundaries. We do not sell or share customer data with third parties.

Subprocessors. Current list maintained at /security/subprocessors (placeholder). Customers are notified at least 30 days before a subprocessor is added or replaced.

Incident response. Customers are notified within 24 hours of a confirmed security incident. Quarterly tabletop exercises. Status page at status.kerf.com (placeholder).

For your security team

Security questionnaire (CAIQ-Lite, SIG-Lite), pen-test report, SOC 2 bridge letter, SSP, subprocessor list, network diagram — available under mutual NDA. Email security@kerf.com.