Security at Koladin
How we protect the intelligence that gives our partners their competitive advantage.
Last updated: February 1, 2026
Koladin handles some of the most sensitive information in litigation — pre-filing intelligence, case strategy data, plaintiff information, and proprietary analytical methodologies. We treat the security of this information as a foundational obligation, not a compliance checkbox.
1. Security Architecture
Our infrastructure is designed with defense-in-depth principles, implementing multiple layers of protection across every component of our platform.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database-level encryption uses customer-isolated key management.
Access Controls
Role-based access with least-privilege enforcement. Multi-factor authentication required for all internal systems. Biometric authentication for production access.
Monitoring
24/7 automated threat detection and anomaly monitoring. Real-time alerting on unauthorized access attempts. Comprehensive audit logging across all systems.
Infrastructure
Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certified providers. Geographic redundancy across multiple availability zones.
2. Data Isolation and Confidentiality
Partner firm data is logically isolated at the application and database layers. Intelligence packages, case evaluations, engagement terms, and all strategic communications are segregated to ensure that no partner firm can access another firm's data. Internal access to partner data is restricted to authorized personnel on a need-to-know basis and is subject to comprehensive audit logging.
We maintain strict conflict management protocols to ensure that the same matter is never presented to competing firms. These protocols operate independently of our data isolation controls as an additional layer of protection.
3. Compliance Framework
Koladin's security program is aligned with industry-recognized standards and frameworks:
- SOC 2 Type II aligned practices: our controls are designed to meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy
- Regular penetration testing: conducted by independent third-party security firms on a quarterly basis, with findings remediated on a defined SLA
- Vulnerability management: automated scanning of all systems and dependencies with prioritized remediation based on severity and exploitability
- Vendor security assessments: all third-party vendors with access to sensitive data undergo security review before engagement and on an annual recurring basis
4. Personnel Security
All Koladin employees and contractors with access to partner data or production systems undergo background checks prior to onboarding. Security awareness training is mandatory upon hire and on an annual basis. Access to sensitive systems is reviewed quarterly, and access is revoked immediately upon role change or departure.
5. Incident Response
Koladin maintains a documented incident response plan that defines procedures for detection, containment, eradication, recovery, and notification in the event of a security incident. Our incident response program includes:
- Defined severity classification system with escalation procedures
- 24-hour initial response commitment for confirmed security incidents
- Notification to affected partners within 72 hours of a confirmed data breach, consistent with applicable legal requirements
- Post-incident review and remediation with root cause analysis
- Annual tabletop exercises to test and refine response procedures
6. Business Continuity
Our platform is architected for high availability with automated failover, geographic redundancy, and regular backup procedures. Recovery point objectives (RPO) and recovery time objectives (RTO) are defined for all critical systems and tested on a regular schedule. Backups are encrypted and stored in geographically separate locations from primary data.
7. Secure Development
Koladin follows secure development lifecycle practices across all engineering work:
- Code review required for all changes to production systems
- Static and dynamic application security testing (SAST/DAST) integrated into the CI/CD pipeline
- Dependency scanning for known vulnerabilities in third-party libraries
- Separation of development, staging, and production environments with no production data in non-production systems
8. Client-Side Practices
Consistent with our commitment to privacy, www.koladin.ai does not deploy third-party tracking pixels, session replay software, or advertising cookies. We practice what we detect — our website is designed to respect visitor privacy in the same manner we expect of the companies our intelligence evaluates.
9. Reporting Vulnerabilities
If you believe you have discovered a security vulnerability in any Koladin system, we encourage responsible disclosure. Please report findings to security@koladin.ai. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours, and we will not pursue legal action against individuals who report vulnerabilities in good faith.
10. Contact
For questions about Koladin's security practices or to request additional information for your firm's vendor assessment, contact us at:
Questions about our security?
Our security team is available to discuss our practices, answer technical questions, and provide documentation for your compliance requirements.