Kumty

Compliance Overview

Four frameworks.
Automated evidence. Audit-ready.

Compliance as platform default — not a quarterly scramble. SOC 2, ISO 27001, GDPR, and HIPAA built into Kumty, with 15 automated platform checks and evidence package export on demand.

Frameworks

Four standards. Honest status.

We’d rather be transparent about certification posture than oversell it.

SOC 2 Type II

22 controls across 5 trust service criteria

In Progress

Security, Availability, Processing Integrity, Confidentiality, and Privacy. Controls implemented and operating — independent audit in progress.

ISO 27001

13 controls across 5 categories

In Progress

Information Security Management System established. Stage 1 readiness review scheduled.

GDPR

10 controls + dedicated data subject rights workflow

Shipped

Right to access, right to erasure, data portability, consent management, and 72-hour breach notification. Available now.

HIPAA

12 controls across 3 safeguards

Planned

Administrative, Physical, and Technical safeguards. Business Associate Agreement program activates when a covered entity signs.

Automated Evidence Collection

15 platform checks. Run automatically.

MFA, encryption, RBAC, audit logging, session timeouts — all verified by the system. Your compliance status isn’t an annual questionnaire. It’s a live dashboard that an assessor can read in under a minute.

The 15 Checks

  • Multi-factor authentication enforcement
  • Password policy + rotation
  • Session timeout + idle lockout
  • Role-based access control (RBAC)
  • Permission delegation tracking
  • Audit logging on all mutations
  • Encryption at rest + in transit
  • Data residency verification
  • Backup policy + recovery tests
  • SSO / SAML enforcement
  • Webhook signature verification
  • API rate limiting enforcement
  • Failed login lockout
  • Privileged action audit trail
  • Compliance framework enabled

GDPR Deep-Dive

Data subject rights, built in.

Data subject rights workflow

Six request types — access, rectification, erasure, portability, restriction, and objection — with SLA auto-calculation (30 days, 72 hours for breaches).

Consent management

Purpose-based consent records, versioned, with IP and user-agent capture. Upsert on re-consent. Full audit trail for every state change.

72-hour breach response

Article 33 checklist built in. Breach incident tracking with notification deadline, affected records, and remediation steps — all timestamped and auditable.

Gap Analysis

See exactly where you stand against each framework. Closed controls. Open controls. Partially-met controls. Close the gaps with guided remediation and the platform checks that verify them automatically.

Evidence Package

Generate a complete compliance evidence package with one click — control mappings, automated check results, audit log excerpts, and a SHA-256 hash for integrity. Ready for your auditor.

Compliance without the scramble.

Start with GDPR shipped. SOC 2 and ISO 27001 in progress. HIPAA on request. Every framework, one platform, one source of truth.