Security & Compliance

Enterprise security, built in from day one.

Kaizen runs on a hardened AWS stack with tenant isolation at every layer.

Tenant Isolation

Every tenant, fully separated.

Per-org Postgres schema

kz_<organization_id> — every query scoped to your tenant.
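As an added illustration (not Kaizen's code), this shows the check a practitioner would want behind a per-org schema: validate the organization_id before it is used to build a `kz_<organization_id>` identifier, pin the session's search_path to that schema, and refuse any query that names another tenant's `kz_*` schema. The id format and helper names are assumptions.

```python
import re

# Constructed example, not Kaizen's implementation. Assumption: an
# organization_id is a short lowercase token of letters, digits and underscores,
# so it can be embedded in an identifier without quoting surprises.
SCHEMA_PREFIX = "kz_"
_ORG_ID = re.compile(r"[a-z0-9_]{1,48}")
# A schema reference is "kz_<something>." immediately before a table name.
_SCHEMA_REF = re.compile(r"\bkz_[a-z0-9_]+(?=\.)", re.IGNORECASE)


class TenantScopeError(ValueError):
    """Raised when an id or a query would step outside the tenant's schema."""


def is_valid_org_id(organization_id: str) -> bool:
    """True only for ids that form a safe, unquoted-friendly identifier part."""
    return bool(_ORG_ID.fullmatch(organization_id))


def tenant_schema(organization_id: str) -> str:
    """Derive the tenant schema name, rejecting anything that is not a plain id."""
    if not is_valid_org_id(organization_id):
        raise TenantScopeError(f"invalid organization_id: {organization_id!r}")
    return SCHEMA_PREFIX + organization_id


def search_path_statement(organization_id: str) -> str:
    """SQL that pins the session to the tenant schema alone (no public fallback)."""
    schema = tenant_schema(organization_id)
    # Quoting is safe: tenant_schema() guarantees the name contains no quotes.
    return f'SET search_path TO "{schema}";'


def is_scoped(query: str, organization_id: str) -> bool:
    """True if every kz_* schema named in the query is the caller's own schema."""
    own = tenant_schema(organization_id)
    return all(ref.lower() == own for ref in _SCHEMA_REF.findall(query))


def scope_query(query: str, organization_id: str) -> str:
    """Gate used before sending a query: raise on any cross-tenant reference."""
    if not is_scoped(query, organization_id):
        raise TenantScopeError("query references a foreign tenant schema")
    return query
```

A query that names no schema at all passes the gate and resolves through the pinned search_path, which is why the session should never fall back to a shared schema.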

Isolated DuckDB processing

Each organization's billing pipeline runs in its own DuckDB context.

Read-only IAM

Cross-account IAM credentials per slot. We never store root credentials.

Access Control

Permission, scoped.

Role-based access control

45+ resource:action permissions across the platform.

Org-scoped roles

Owner, admin, member, plus custom roles for granular control.

User groups

Bulk permission assignment for org structures.

SSO-ready

SAML SSO available for enterprise engagements.

Data Protection

Encrypted end to end.

Encryption at rest

AWS KMS across every data store.

End-to-end TLS

AWS Certificate Manager on every public endpoint.

Credential hygiene

We never store your AWS root credentials. Cross-account IAM with least-privilege scope.

Network & Platform

Hardened at the edge.

AWS WAF

DDoS, SQL injection, and XSS protections on the application load balancer.

Security headers

CSP, X-Frame-Options, X-Content-Type-Options, HSTS in production.

Multi-AZ deployment

Fault-tolerant by default.

Temporal retries

Durable workflow execution with activity-level retry policies.

Observability

Every event, traceable.

OpenTelemetry

Distributed tracing across the API, backend, and pipeline.

Sentry

Error tracking with alert routing to the on-call team.

Structured logging

Every event tagged with organization and user.

CloudWatch alarms

Health, latency, and error-rate alarms wired to escalation.

Audit & Compliance

Built for procurement.

Immutable audit log

Every read and write tagged with organization_id, user_id, and timestamp. Query the audit endpoint or browse the audit UI.

Feature flag system

Controlled rollouts at platform and per-org level.

AWS Well-Architected alignment

Kaizen operationalizes the Cost Optimization pillar of the AWS Well-Architected Framework.

Compliance posture

  • SOC 2 Type II — architecture complete, audit in progress.
  • ISO 27001 — controls mapped, certification path on roadmap.
  • FinOps Foundation framework — fully aligned across Inform, Optimize, Operate phases.
  • HIPAA-eligible AWS service stack end-to-end.
  • GDPR — regional deployment options, audit trails native.

Need the full security packet for procurement?

We'll send you our up-to-date posture and audit artifacts.

Talk to us