Kortave
Back to homepage
— Security & Trust —

Security
& Trust.

Kortave handles EU compliance on your behalf — so our own security and data protection practices must be demonstrably robust and well-documented. This page sets out every relevant control, obligation, and commitment we maintain.

EEA

Core data residency

TLS 1.3

In-transit encryption

AES-256

At-rest encryption

72 h

Breach notification

ISO 27001 (cert. in progress)GDPR Art. 28EEA core dataTLS 1.3AES-256PCI DSS via Paddle
§02

Data Residency & Infrastructure

All Client compliance data and personal data processed as part of Kortave's core services is stored and persisted exclusively within the European Economic Area. Our primary infrastructure runs on Cloudflare's Nuremberg, Germany datacenter cluster, which holds ISO 27001, SOC 2 Type II, and PCI DSS certifications. CDN edge processing by Cloudflare may traverse Cloudflare's global Anycast network at the network layer; data-at-rest remains within the EEA.

Payment and billing data is processed by Paddle.com Market Ltd. (United Kingdom), which benefits from the EU-UK adequacy decision adopted under GDPR Art. 45, as currently in force. Kortave does not store, process, or transmit payment card data.

Data in transit between clients and our services is encrypted with TLS 1.3. Legacy protocols (TLS 1.0, TLS 1.1, SSLv3) are explicitly disabled at the network edge. Data at rest is encrypted using AES-256. All public-facing and internal service endpoints are served exclusively over TLS; HTTP requests are redirected to HTTPS at the edge.

Where personal data is transferred to sub-processors located in third countries outside the EEA (including AI model providers and transactional email services located in the United States), such transfers are governed by Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914. A Transfer Impact Assessment (TIA) is conducted and maintained on file for each such transfer.

Primary infrastructure

Hetzner Nuremberg (EEA)

TLS version

TLS 1.3 enforced

Encryption at rest

AES-256

Third-country transfers

Adequacy decision or SCCs only

§03

Sub-Processors

The following sub-processors are authorised to process personal data on behalf of Kortave and its clients pursuant to GDPR Article 28(2). All sub-processors are bound by data processing agreements that comply with GDPR Article 28(3). Kortave will provide clients with not less than 30 days' prior written notice of any intended addition or substitution of sub-processors, affording clients the right to object on data protection grounds. Where an AI sub-processor processes data located in a third country, such processing is governed by Standard Contractual Clauses and a Transfer Impact Assessment.

ProcessorPurposeData locationCertifications

Hetzner Online GmbH

Primary application hosting and server infrastructure

Nuremberg, Germany (EEA)

ISO 27001 · GDPR Art. 28 DPA

Supabase, Inc.

Managed database for operational and prospect data

EU region (EEA-hosted project)

SOC 2 Type II · GDPR Art. 28 DPA

Cloudflare, Inc.

Infrastructure, CDN, WAF, DDoS protection, network security

Nuremberg, Germany (EEA)

ISO 27001 · SOC 2 Type II · PCI DSS

Paddle.com Market Ltd.

Payment processing, billing, merchant of record

London, UK (adequacy decision)

PCI DSS Level 1

Anthropic PBC

AI language model processing for compliance automation (Claude)

United States (SCCs + TIA in place)

SOC 2 Type II · GDPR Art. 28 DPA

Resend Inc.

Transactional email delivery — system notifications, compliance alerts, account communications

United States (SCCs + TIA in place)

GDPR Art. 28 DPA in place

All sub-processors are bound by GDPR Art. 28-compliant data processing agreements. Kortave will notify clients of any intended addition or replacement of sub-processors not less than 30 days before the change takes effect, affording clients the opportunity to object. Last updated: May 2026.

§04

Data Retention & Deletion

Client data is retained for the duration of the active subscription. Upon termination of the service relationship, clients have 30 days to export their data using the self-service export tools provided. After this window, all personal data is permanently deleted from production systems.

Encrypted backup snapshots are retained for 90 days following deletion from production, after which they are cryptographically purged from all storage media. Audit logs are retained for 12 months to satisfy security monitoring obligations.

Financial records and invoices are retained for 8 years from the end of the relevant financial year in accordance with the Hungarian Accounting Act (Act C of 2000, § 169(2)). Kortave will never hold personal data beyond what is legally required or operationally necessary.

Active subscription

Retained in full

30 days post-termination

Export window open

90 days post-deletion

Encrypted backups only

12 months

Audit logs retained

8 years

Financial records (Hungarian Accounting Act)

Request data deletion → privacy@kortave.eu
§05

Your Rights as a Data Subject

Under GDPR Chapter III, you hold the following rights with respect to personal data we process. To exercise any of these rights, contact privacy@kortave.eu. We will acknowledge your request within 5 working days and respond substantively within 30 days.

Art. 15

Right of access

Request a copy of the personal data we hold about you and information on how it is processed.

Art. 16

Right to rectification

Have inaccurate or incomplete personal data corrected without undue delay.

Art. 17

Right to erasure

Request deletion of your personal data where it is no longer necessary for the purpose it was collected.

Art. 18

Right to restriction

Restrict how we process your data in specific circumstances, for example while a dispute is resolved.

Art. 20

Right to portability

Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.

Art. 21

Right to object

Object to processing based on legitimate interests or for direct marketing purposes at any time.

Art. 22

Automated decisions

Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

NAIH

Supervisory authority

Lodge a complaint with the NAIH (Hungary) or your local national DPA at any time, without prejudice to any other remedy.

§06

Incident Response & Breach Notification

Kortave operates a structured incident response programme aligned with GDPR Articles 33 and 34. In the event of a personal data breach affecting data processed on behalf of clients, Kortave will notify the affected client (as data controller) without undue delay — and in any event within 72 hours of Kortave becoming aware of the breach — in accordance with GDPR Art. 33(2), thereby enabling the client to fulfil its own supervisory authority notification obligations where required. Where Kortave processes data in its own capacity as a data controller (e.g. account and billing data), Kortave will directly notify the competent supervisory authority (NAIH, Hungary) within 72 hours pursuant to GDPR Art. 33(1).

Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, affected individuals will be notified without undue delay in accordance with GDPR Art. 34. Notification will not be required if the breached data is encrypted in a manner that renders it unintelligible to unauthorised parties (Art. 34(3)(a)).

Affected clients will receive a formal incident report within 14 calendar days of breach confirmation, documenting: the nature and classification of the breach; the categories and approximate volume of personal data and data subjects affected; the likely consequences; the remediation measures taken or proposed; and preventative measures implemented to reduce recurrence.

Kortave maintains continuous automated threat monitoring via Cloudflare's security stack and internal detection tooling. Incident response procedures are reviewed and updated annually, and validated through structured tabletop simulation exercises.

Supervisory authority notification

72 hours · GDPR Art. 33

Affected individual notification

Without undue delay · Art. 34

Client incident report

Within 14 days

Threat monitoring

24/7 automated

Report a security incident → security@kortave.eu
§07

AI & Automated Processing Disclosure

Kortave uses AI and automated processing — including third-party large language models (Anthropic Claude) — to deliver compliance automation services. We clearly identify AI-assisted outputs within the platform. No compliance output produced by Kortave is intended to be submitted to a regulatory authority or relied upon in a legal context without independent human review by your team.

Kortave's AI functionality does not fall within the high-risk categories enumerated in EU AI Act Annex III. No AI output is used to make decisions about natural persons that fall within the high-risk use cases specified in that Annex. Kortave operates as a deployer of General Purpose AI models (EU AI Act Title VIII) and applies appropriate transparency and human oversight measures commensurate with that classification.

You retain the right under GDPR Article 22 not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Any automated compliance output produced by Kortave can be reviewed, challenged, corrected, and overridden by your designated team members at any time through the platform interface.

Where EU AI Act transparency obligations apply to Kortave's operations, including under Art. 50 regarding AI-generated content, Kortave complies with those obligations. Regulatory guidance from the AI Office is monitored and incorporated into operational procedures as applicable.

EU AI Act classification

Kortave's AI functionality does not fall within the high-risk categories of EU AI Act Annex III. Kortave operates as a deployer of General Purpose AI models (Title VIII). AI-generated outputs are identified within the platform. Human review is available for all compliance decisions.

§08

Infrastructure Security

Our infrastructure is protected by Cloudflare's enterprise-grade security stack, including Web Application Firewall (WAF) with OWASP Core Rule Set, automated DDoS mitigation up to Layer 7, rate limiting, bot management, and Zero Trust network access for internal services.

All internal service-to-service communication occurs over encrypted channels. No service exposes unencrypted HTTP endpoints. TLS certificates are issued by trusted Certificate Authorities and renewed automatically before expiry.

Cloudflare's Anycast network provides geographic redundancy across multiple EEA points of presence, with inherent resilience against volumetric attacks. Our infrastructure is covered by Cloudflare's ISO 27001, SOC 2 Type II, and PCI DSS certifications.

Cloudflare WAFOWASP CRSDDoS L7 mitigationZero Trust networkTLS 1.3AES-256Anycast CDNAuto cert renewal
§09

Application Security

Authentication is implemented using OAuth 2.0 / OpenID Connect via an established identity provider. Multi-factor authentication (MFA) is enforced for all user accounts. We do not build or maintain proprietary authentication infrastructure.

Authorisation follows Role-Based Access Control (RBAC). Users may only access data scoped to their own tenant. Cross-tenant data access is architecturally prevented at the database query level — not merely enforced by policy.

Application dependencies are scanned for known vulnerabilities on every build and on a weekly automated schedule. Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) are enforced at the Cloudflare edge. Code undergoes review targeting OWASP Top 10 vulnerability classes during development.

OAuth 2.0 / OIDCMFA enforcedRBACTenant isolationDependency scanningOWASP Top 10 reviewHSTS + CSP headersNo auth homebrew
§10

Access Controls & Internal Security

Internal access to production systems follows the principle of least privilege. No engineer has standing access to production data. Access is granted on a time-limited, task-scoped basis with full audit logging for every action taken.

All Kortave personnel with access to systems processing personal data are bound by written confidentiality agreements. Multi-factor authentication is mandatory for all internal tooling, cloud console access, code repositories, and administrative interfaces.

All privileged actions in production environments are logged immutably and retained for 12 months. Anomalous access patterns trigger automated alerts. Client data is isolated at the database level — each tenant's data is logically and, where applicable, cryptographically separated from all other tenants.

Least privilege

No standing production access. Time-limited, scoped grants only.

MFA everywhere

All internal tooling, cloud consoles, and admin interfaces require MFA.

Immutable audit logs

All privileged actions logged for 12 months. Anomaly alerting in place.

Tenant isolation

Client data separated at the database level — logical and cryptographic isolation.

Confidentiality agreements

All personnel with data access bound by written NDAs.

§11

ISO 27001-Aligned Controls

IMPORTANT: Kortave is not currently ISO 27001 certified. Formal certification by an accredited third-party certification body is in progress and targeted for 2026. The controls described in the table below are implemented against the ISO 27001:2022 standard framework and are subject to internal audit on a 12-month cycle. Kortave's primary infrastructure sub-processor, Cloudflare, Inc., holds active ISO 27001, SOC 2 Type II, and PCI DSS certifications. Clients in regulated sectors requiring certified processor status should note this disclosure prior to contracting.

ISO 27001:2022 control mapping

5

Organisational controls — information security policies, roles, and responsibilities

Implemented
6

People controls — background verification, information security awareness and training

Implemented
7

Physical controls — physical security perimeters, equipment security

Implemented
8.1

User endpoint devices and privileged access rights

Implemented
8.5

Secure authentication — MFA, access control policy

Implemented
8.9

Configuration management and change management

Implemented
8.12

Data leakage prevention — encryption, data masking

Implemented
8.15

Logging and monitoring — audit log retention and review

Implemented
8.23

Web filtering and application security controls

Implemented
8.29

Security testing in development and acceptance — OWASP Top 10 coverage

Implemented
8.32

Change management — production deployment controls

Implemented
6.8

Information security event reporting and incident management

In progress

Kortave is not currently ISO 27001 certified. Formal certification by an accredited body is in progress, targeted for 2026. All controls listed above are implemented against ISO 27001:2022 and subject to internal audit on a 12-month cycle. Cloudflare, Inc. (Kortave's primary infrastructure sub-processor) holds active ISO 27001 certification.

§12

Penetration Testing & Vulnerability Disclosure

Kortave is committed to annual third-party penetration testing of its platform and infrastructure. The first formal engagement is scheduled for Q3 2026. Findings are reviewed by the leadership team; critical and high-severity issues are remediated before the next test cycle begins.

We operate a responsible disclosure programme. If you discover a security vulnerability in Kortave's platform, please report it to security@kortave.eu with a description of the finding, steps to reproduce, and any supporting evidence. We aim to acknowledge reports within 2 business days and to provide a remediation timeline within 10 business days. We request that researchers refrain from disclosing the vulnerability publicly until Kortave has had a reasonable opportunity to investigate and remediate.

A formal public bug bounty programme is planned for Q3 2026. Details will be published on this page when the programme launches.

Report acknowledgement

2 business days

Remediation timeline

10 business days

Annual pentest

Q3 2026 (first engagement)

Bug bounty programme

Q3 2026 (planned)

Disclose a vulnerability → security@kortave.eu
§13

Business Continuity

Our recovery targets are: Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for all critical services. These targets are reviewed annually and validated through simulated failure exercises.

Daily encrypted backups are taken of all persistent data stores and replicated across multiple geographic zones within the EEA. Backup integrity is verified through automated restore tests run on a weekly schedule. Backups are retained for 90 days.

Cloudflare's Anycast architecture provides inherent geographic redundancy. In the event of a datacenter-level failure, traffic is automatically routed to the nearest healthy node with no manual intervention required. Planned maintenance windows are communicated to clients at least 48 hours in advance, except where emergency security patching requires immediate deployment to address a critical vulnerability — in such cases Kortave will provide notice as soon as practicable.

RTO

4 hours

Recovery time objective

RPO

1 hour

Recovery point objective

Backups

Daily

Encrypted, 3-zone EEA

Backup retention

90 days

Then cryptographic purge

§14

Payment Security

Kortave uses Paddle.com Market Ltd. as its Merchant of Record for all payment processing. Under this arrangement, Paddle is the data controller for all payment and billing data. Kortave never stores, processes, sees, or transmits payment card numbers, CVV codes, or full billing addresses.

Paddle holds PCI DSS Level 1 certification — the highest tier for payment card data security. All payment interactions occur exclusively within Paddle's PCI DSS-compliant environment. Kortave's systems receive only a non-sensitive transaction reference and a subscription status indicator.

In the event of a billing dispute, a cancellation request, or a refund relating to a payment transaction, Paddle is the entity legally responsible for resolution under their Merchant of Record agreement. Kortave will cooperate fully with Paddle and the client in any such process.

Kortave never sees your card data

All payment card data is handled exclusively by Paddle (PCI DSS Level 1). Kortave receives only a non-sensitive transaction reference. Your full card number, CVV, and billing address never touch our systems.

Data protection enquiries

For Data Processing Agreement requests, subject access requests, breach notifications, or any data protection enquiry — our team responds within one business day.

privacy@kortave.eusecurity@kortave.eu

See Kortave output in practice

Privacy Policy → kortave.eu/privacy

Last reviewed: May 2026 · Next scheduled review: November 2026 · Version 1.0