Security & IT

Built for the Head of IT.

Self-hosted, non-root, no phone-home. Here's everything your security and infrastructure teams need to sign off Kilter.

Before Kilter

The daily IT loop

  • 06:00 — extract scripts run by hand against the core
  • Ops finds a file missing, wrong-dated, or for the wrong account
  • The recon tool of record (Corona or equivalent) ingests it
  • Audit asks for who decided what, and when

With Kilter

Step one disappears

  • Core Pull reads the GL extract straight from your core
  • SFTP / IMAP auto-pull feeds the scanner — no hand-carried files
  • Engine proposes matches; the human confirms or rejects
  • Every decision is sealed in a tamper-evident audit log

Security posture

Security-reviewed, hardened, audit-ready.

Mandatory TOTP on every login

Microsoft / Google Authenticator out of the box; pair the optional AD / LDAPS layer for full password-plus-TOTP MFA. A replay cache blocks 30-second code reuse.

Non-root, read-only rootfs

Runs as UID 10001 with all Linux capabilities dropped and no-new-privileges enforced. Only explicitly mounted volumes are writable; the rest of the filesystem is read-only.

Encrypted at rest

TOTP secrets + SMTP creds protected with Fernet (AES-128-CBC + HMAC-SHA256). The key lives in your secret manager.

Tamper-evident audit log

Every login, upload, match, dispute and export — UTC-stamped, blocked from UPDATE/DELETE by DB triggers, and sealed under chained SHA-256 anchors. A verify endpoint catches edits made even by direct DB access.

PCI-DSS scope reduction

Full PAN never persists — masked to first6 + last4 at the parser seam. No SAD accepted; free-text redacted on ingest.

Self-hosted. No phone-home.

Runs on your VM or private cloud. No telemetry, no update checks, no data leaves your infrastructure.

Runtime: Python 3.13 · FastAPI · single-process uvicorn
Database: SQLite (WAL, hot-backup) default · bundled PostgreSQL (MVCC) for scale
Intake: Folder drop · SFTP / IMAP auto-pull · Core Pull (any DB)
Languages: English · French (in native-reviewer pilot)
UI: Server-rendered Jinja2 — no SPA, no JS framework dependency
Container: Non-root UID 10001 · read-only rootfs · caps dropped
Outbound: Only Teams (443) + SMTP (587) if you enable alerts
Inbound: One HTTPS port you control. Default-disabled /docs & /openapi

The IT decision

What your team is asked to evaluate.

Security posture

Container hardening, MFA, encryption, audit immutability — review against your CIS baseline.

Deployment fit

Single-process FastAPI on one VM. Docker or systemd. No external services required to run.

Identity integration

Optional AD / LDAPS password layer; TOTP remains the second factor. Maker/checker role model.

Core connectivity

Optional Core Pull add-on reads GL extracts straight from Oracle / MS-SQL / Postgres / MySQL.

Data residency

Everything stays on your infrastructure. You hold the encryption key and the database.

Commercial terms

Per-capacity licence, unlimited users, proprietary licence. Pilot fee credits to Year 1.

Low-risk, reversible

A four-week IT pilot.

Week 1

Stand up

Deploy the container on your VM, enrol TOTP and wire AD/LDAP for full MFA. No data leaves the box.

Week 2

Author templates

Map your statement and GL-extract formats with the BYO CSV/XLSX wizard. Bind them to accounts.

Week 3

Run in parallel

Reconcile alongside your tool of record. Compare break counts and decisions, side by side.

Week 4

Cut over

Sign off against success criteria pinned up front. Convert — or walk away. The pilot fee credits to Year 1.

Want the full IT briefing?

We'll walk your security and infrastructure teams through the threat model, deployment, and a parallel-run pilot on your own VM.

Request the briefing