Security

Enterprise security designed into the platform — not bolted on.

We follow SOC 2 control procedures, store all customer data in US-only infrastructure, and enforce RBAC throughout. Here's the detail that enterprise procurement teams ask for.

Audit status transparency: Kurios is designed with SOC 2 controls in mind but is not currently SOC 2 audited. We document and follow the procedures. Operators in regulated verticals (utilities, transportation) requiring an audited certification should plan for the SOC 2 audit window in their procurement timeline. We target audit completion in 2026 and will share documentation with prospects on request.

SOC 2 controls (pre-audit)

Designed with SOC 2 Type II controls in mind. We document and follow the procedures. A formal audit is on the 2026 roadmap; Kurios is not currently certified. Regulated-vertical buyers should factor in the audit window during procurement planning.

Encryption

AES-256 at rest. TLS 1.3 in transit. Encryption keys rotated on schedule. Backups encrypted at the same standard.

Access control

Role-based access control (RBAC) throughout. SSO/SAML available on Enterprise tier. Audit log on every admin action.

Data residency

All customer data stored in US-only infrastructure. No cross-border transfer without explicit agreement.

Compliance Frameworks

Supported compliance frameworks for learning records.

When a DOT or OSHA audit hits, your completion records need to be defensible on the day of inspection — not reconstructed after. Here's what the Kurios audit trail covers.

  • OSHA training records — timestamped completion events with role and module detail
  • DOT driver qualification — structured audit trail exportable per FMCSA requirements
  • AICC / xAPI / SCORM audit trail — native completion record storage with immutable log
  • GDPR-aware data handling — EU workforce support available, data processing agreements provided on request

Infrastructure

How we operate the infrastructure.

Kurios runs on AWS infrastructure in US East and US West regions. For production data, disaster recovery RTO is <4 hours and RPO is <1 hour.

  • 99.9% uptime SLA (Enterprise tier)
  • Automated daily encrypted backups
  • Dependency patching on a 30-day cycle
  • Vulnerability scanning via automated tooling
  • Penetration test planned for Q3 2026

Access & Identity

Least-privilege access throughout.

Every Kurios employee has role-based access to production. No standing admin access. Emergency access is logged and reviewed.

  • SSO / SAML for Enterprise customer portals
  • MFA enforced on all internal admin access
  • RBAC: Manager / L&D Admin / Learner roles
  • Audit log: every admin action logged with timestamp

Questions about security? Talk to our team.

We'll share our security documentation package for procurement review.
