Trust & Compliance
Built to be signed off.
Everything your procurement, risk and security teams need to evaluate Kilter — and the reason the highest-risk part of vendor due diligence simply doesn't apply to us.
There's no Kilter cloud to trust
Most vendor risk reviews exist to answer one question: what happens to our data in the vendor's environment? With Kilter, that question is moot. The software is self-hosted, holds no telemetry, and never calls home — so the certified-environment boundary stays entirely on your side of the line.
We don't operate infrastructure that touches your transactions. What we owe you instead is a secure product and the documentation to prove it — which is exactly what this page is for.
- Your data, your database, your encryption key
- Your VM, your network controls, your backups
- Your identity provider (optional AD / LDAPS)
- Our job: a hardened product + the evidence to assess it
What we hold ourselves to.
Data residency by design
Kilter runs on your VM or private cloud. Your reconciliation data never leaves your perimeter — there is no Kilter cloud to trust.
No telemetry, no phone-home
No analytics, no update checks, no outbound calls except the alert channels you explicitly enable (Teams over TCP 443, SMTP over TCP 587).
Encrypted at rest
TOTP secrets and SMTP credentials are sealed with Fernet (AES-128-CBC + HMAC-SHA256). You hold the key.
Mandatory MFA
TOTP on every login out of the box; pair the optional AD / LDAPS layer for full password-plus-TOTP authentication.
Tamper-evident audit
Every decision is UTC-stamped, blocked from edit/delete by DB triggers, and sealed under chained SHA-256 anchors with a verify endpoint.
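The chained-anchor scheme described above, as an added illustration rather than Kilter's own implementation: each entry carries the previous entry's SHA-256 anchor, so any in-place edit, deletion or reordering is detected by a re-walk of the chain (the entry fields, the all-zero genesis anchor and the verify function's return shape are assumptions).

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example (not Kilter's code): a hash-chained, append-only audit
# log. Each entry commits to the previous entry's anchor, so editing or
# deleting any row invalidates that row and every row after it.

GENESIS_ANCHOR = "0" * 64  # assumed starting anchor for an empty chain


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so the anchor is reproducible on verify.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_decision(chain: list, actor: str, action: str, ts=None) -> dict:
    """Append one maker/checker decision and return the sealed entry."""
    prev = chain[-1]["anchor"] if chain else GENESIS_ANCHOR
    entry = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),  # UTC-stamped
        "actor": actor,
        "action": action,
        "prev": prev,
    }
    entry["anchor"] = hashlib.sha256(_canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Re-walk the chain; return (ok, seq of the first entry that fails)."""
    expected_prev = GENESIS_ANCHOR
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return False, i  # row deleted, reordered or re-parented
        fields = {k: v for k, v in entry.items() if k != "anchor"}
        if hashlib.sha256(_canonical(fields)).hexdigest() != entry.get("anchor"):
            return False, i  # row contents edited after sealing
        expected_prev = entry["anchor"]
    return True, None


def demo():
    chain = []
    append_decision(chain, "maker-1", "propose match #42", "2024-01-01T09:00:00+00:00")
    append_decision(chain, "checker-2", "approve match #42", "2024-01-01T09:05:00+00:00")
    chain[0]["action"] = "propose match #99"  # tamper with a sealed row
    return verify_chain(chain)  # -> (False, 0)


if __name__ == "__main__":
    print(demo())
```

In a database the same walk is what a verify endpoint performs, with the triggers preventing the honest path from ever needing an UPDATE or DELETE on the table.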
Least privilege
Runs as a non-root container (UID 10001), capabilities dropped, read-only rootfs. Maker/checker role model inside the app.
Documents for your assessors.
We don't publish security internals openly, but we share them quickly with evaluating institutions. Ask and we'll route the right pack to your team.
Security & IT briefing
Architecture, threat model and hardening — the deep technical pack for your security team.
Vendor security questionnaire
Our completed SIG-style questionnaire covering SDLC, access, encryption and incident handling.
Penetration-test RFP & results
Scope for an independent test, and the latest report where one has been run for your deployment.
Data Processing Addendum
DPA for the limited personal data handled via the website and any support interactions.
Software Bill of Materials
Pinned dependency inventory (SBOM) so you can run it through your own SCA tooling.
Deployment & DR runbooks
Install, backup, business-continuity and incident-response runbooks for your operators.
Request any of the above at info@timelessnypotech.com.
How the software is built
- Dependencies pinned for reproducible, auditable builds
- Automated dependency CVE scanning (pip-audit) on every change
- Static application security testing (bandit) gated in CI
- Secrets kept out of source; encrypted at rest at runtime
- /docs, /redoc and /openapi disabled by default in production
- Rate-limited authentication with a TOTP replay cache
Where we stand — honestly
PCI-DSS scope reduction. Full PANs never persist — they are masked to the first 6 + last 4 digits at the parser boundary, and no sensitive authentication data is accepted.
Independent penetration testing. Recommended annually and pre-go-live; we provide the RFP scope and support the exercise on your deployment.
SOC 2 / ISO 27001. Kilter is self-hosted, so there is no Kilter-operated production environment to certify — the certified boundary is yours. We map our controls to your framework and supply the evidence your auditors need.
Responsible disclosure
Found a security issue? Report it privately and we'll acknowledge it and work with you on a fix. Please don't test against live customer deployments.
Send us your security questionnaire.
We answer SIG / CAIQ-style questionnaires fast, and we'll walk your risk team through the threat model on a call.