How we secure ourselves.
Transparency on the technical and organizational measures KOLOSALTech applies internally. You cannot entrust us with your cybersecurity if we are not exemplary ourselves.
Technical measures
TLS 1.3 on all exposed services. HSTS preload on kolosaltech.com. Let's Encrypt certificates renewed automatically.
Client data encrypted with AES-256 at rest (Airtable, Vercel KV, sourced cloud storage). Keys managed by certified providers.
TOTP/FIDO2 MFA on all our admin accounts (Vercel, GitHub, Airtable, Resend, Cloudflare, Stripe). No admin account without MFA.
Centralized vault (Bitwarden Teams). No passwords shared in clear text (email, doc, Slack). Preventive 90-day rotation on critical secrets.
Bitdefender GravityZone Premium on all team endpoints. Centralized console + real-time alerts.
3-2-1-1-0 architecture (3 copies, 2 media, 1 off-site, 1 immutable, 0 errors on restore test): local NAS with BTRFS snapshots + immutable cloud object storage (Wasabi Object Lock). Automated monthly restore test.
OS + application patches applied within 7 days for critical ones, 30 days otherwise. Up-to-date inventory, no unsupported OS.
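An added example (not KOLOSALTech's tooling) of turning the patch SLA above into a check that can run against an inventory export: the deadline is computed from the date the fix became available, not from the CVE publication date, since a vulnerability with no fix cannot be patched. The inventory rows, host names and package names are constructed for illustration; the severity values are assumed to be lower-cased vendor or CVSS qualitative ratings.

```python
"""Flag pending patches that are past the SLA: 7 days for critical fixes, 30 days otherwise."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS_CRITICAL = 7
SLA_DAYS_DEFAULT = 30


@dataclass(frozen=True)
class PendingPatch:
    host: str
    package: str
    severity: str   # e.g. "critical", "high", "moderate"
    fix_published: date   # date the vendor fix became available (assumption: exported by the inventory tool)


def sla_days(severity: str) -> int:
    """Days allowed between fix availability and deployment."""
    return SLA_DAYS_CRITICAL if severity.lower() == "critical" else SLA_DAYS_DEFAULT


def deadline(patch: PendingPatch) -> date:
    return patch.fix_published + timedelta(days=sla_days(patch.severity))


def overdue(inventory: list[PendingPatch], today: date) -> list[tuple[str, str, int]]:
    """(host, package, days late) for every pending patch past its deadline, worst first."""
    late = []
    for patch in inventory:
        due = deadline(patch)
        if today > due:
            late.append((patch.host, patch.package, (today - due).days))
    return sorted(late, key=lambda row: -row[2])


# Constructed inventory export; hosts and packages are illustrative only.
SAMPLE_INVENTORY = [
    PendingPatch("web-01", "openssl", "critical", date(2024, 2, 10)),
    PendingPatch("web-01", "nginx", "high", date(2024, 2, 10)),
    PendingPatch("laptop-07", "firefox", "critical", date(2024, 2, 26)),
    PendingPatch("nas-01", "samba", "moderate", date(2024, 1, 20)),
    PendingPatch("web-02", "kernel", "critical", date(2024, 2, 25)),
]


def sample_report(today_iso: str) -> list[tuple[str, str, int]]:
    """Run the check over the constructed inventory as of an ISO date, e.g. '2024-03-01'."""
    return overdue(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, package, days_late in sample_report("2024-03-01"):
        print(f"{host}: {package} is {days_late} day(s) past its patch deadline")
```

Run daily from the same scheduler as the CVE watch, a non-empty result is the KPI that feeds the weekly dashboard; an empty result is the evidence an auditor asks for.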
Application logs (Vercel) + security (Sentry) + access (Cloudflare) correlated. Retention 30 days min, 1 year for audit.
Organizational measures
Written ISSP (information system security policy), reviewed annually, approved by management. Available on request under NDA.
Tier model: Tier 0 admin · Tier 1 production · Tier 2 tools. Principle of least privilege. Quarterly access review.
Formalized procedure: account provisioning on day 1, immediate revocation on departure (< 1h). Up-to-date hardware inventory.
Quarterly phishing awareness for the whole team. Daily CVE monitoring. NIS2/DORA training for management.
Annual audit of critical suppliers (hosting providers, software vendors, forwarders). Security clauses in contracts. SBOM on delivered products.
BCP / DRP documented. RTO 4h / RPO 1h on critical services. Annual full-scale test.
Incident management
Sentry monitoring 24/7 + priority email alerts to management. Weekly security KPI dashboard.
In the event of an incident impacting a client: notification within 24h with technical detail. Aligned with the NIS2 deadlines (24h early warning, 72h incident notification).
Written incident procedure. Dedicated emergency number for clients under managed-services contract. Post-mortem shared within 30 days.
Documented procedure for notifying the CNIL (French data protection authority) within 72h in the event of a personal data breach (GDPR art. 33).
Regulatory compliance
Records of processing activities maintained. DPA available. Privacy by design in our client deployments. EU hosting prioritized.
NIS2 self-assessment in progress. Compliance target within 6 months. See our NIS2 SME guide for the client framework.
EU datacenters favored (OVHcloud Roubaix, Scaleway Paris, Vercel cdg1, Wasabi Paris, Cloudflare EU). No US hosting for sensitive client data.
Systematic recommendation of ANSSI security visa solutions (Stormshield, Tehtris, Wallix Bastion) for sensitive sectors.
Need a DPA or supplier audit?
Standard DPA, supplier questionnaire, EU hosting attestation, continuity plan — available on request under NDA for prospects under evaluation.