Kosuke

Security

Kosuke is a B2B AI penetration testing platform. Customer trust depends on how we handle their data, their authorization to test, and the artifacts produced during engagements. This page summarizes our security posture in plain language. The legally binding controls live in the Service Agreement and the Data Processing Agreement.

Encryption

  • In transit: TLS 1.2 or higher for all customer-facing endpoints, APIs, and internal service-to-service traffic.
  • At rest: AES-256 (or provider equivalent) for all stored customer data, including engagement artifacts, reports, and credentials.

Access control

  • Role-based access with least-privilege defaults.
  • Multi-factor authentication required for all administrative access.
  • Audit logging of access to customer Personal Data.
  • Confidentiality obligations on all personnel and contractors.

Data minimization (pentest-specific)

  • During testing, Kosuke accesses Personal Data only to the strict minimum needed to validate vulnerabilities.
  • Personal Data is never exfiltrated, stored, or transferred beyond what's needed for validation.
  • Validation evidence is stored encrypted and pseudonymized where possible.
  • Engagement artifacts are destroyed within 90 days of completion (Section 7 of the DPA), with an optional certificate of destruction available on written request.

Breach notification

  • Pentest customers (Personal Data Breach): notification without undue delay, and in any event within 24 hours of becoming aware, per Section 6.2 of the DPA.
  • General platform customers: notification without undue delay, and in any event within 72 hours, in accordance with GDPR Article 33.

Authorization & CFAA compliance

  • No penetration testing begins until Customer signs an Authorization Letter (Exhibit B of the Service Agreement).
  • Customer warrants ownership of (or authorization over) every Target System in writing before scanning starts.
  • Domain ownership is verified independently (DNS TXT record or /.well-known token) before any active testing.
  • Traffic is rate-limited; destructive payloads, DoS, and data exfiltration beyond proof-of-concept are contractually prohibited.
  • 24/7 emergency contact required from Customer; either party can halt testing at any time.

Sub-processors

The current list of Sub-processors that may process customer Personal Data is published at /legal/subprocessors with 30 days advance notice of any change.

Certifications

  • SOC 2 Type I: planned. Status will be updated on this page when an audit begins.
  • SOC 2 Type II: planned (post-Type I).
  • ISO 27001: not currently in scope.

Kosuke does not claim certifications it does not hold. If your procurement team requires a specific certification or vendor security questionnaire, contact security@kosuke.ai.

Reporting a vulnerability

If you believe you've found a security issue in Kosuke's own systems (not a finding from an engagement), email security@kosuke.ai. We acknowledge reports within 2 business days and credit researchers who disclose responsibly.

Contact

Security questions, DPA execution, vendor questionnaires, COI requests: security@kosuke.ai.