
Security.

How we protect your data. Boring on purpose.

Hosted in Australia

AWS Sydney region (ap-southeast-2). Postgres primary + read replica. Daily snapshots, 30-day retention.

Encrypted everywhere

AES-256 at rest, TLS 1.3 in transit. Secrets in AWS KMS, rotated quarterly. Hashed passwords (argon2id).

2FA on office accounts

Mandatory TOTP or passkey for any account that can manage team members or billing. Optional for field sparkies (passkey support coming).

Audit log on everything

Every certificate lodged, edited, or downloaded gets a tamper-evident row. Retained for 7 years to match NSW compliance requirements.

Vulnerability disclosure

Found something? Email security@kando.au with details. We acknowledge within one working day and credit you in our hall of fame.

What we're working toward

ISO 27001 certification by Q4 2026. SOC 2 Type II after that. Until we've got the paperwork we'd rather say so than wave unverified badges around.
