LEGAL
Security Disclosure
Last updated:
Reporting a Vulnerability
If you believe you have found a security issue affecting Kotao, please report it to security@kotao.com. You can encrypt sensitive details with our public OpenPGP key. Please include enough detail for us to reproduce the issue, ideally with steps, affected URLs, and any proof-of-concept material.
Scope
In scope:
- The kotao.com domains and subdomains.
- The Kotao platform and its modules (POS, PMS, CRM, ERP, RMS, HRM, CMS, BTP, payments).
Out of scope:
- Third-party services and external infrastructure — please report directly to the relevant vendor.
- Denial-of-service attacks against production infrastructure.
- Social engineering of staff, contractors, or customers.
- Physical attacks against Kotao offices or hosting facilities.
- Issues that require privileged network access to exploit.
What to Expect
We aim to:
- Acknowledge your report within 48 hours.
- Provide a status update within five business days.
- Resolve confirmed issues on a timeline that matches their severity.
Bug Bounty
Kotao does not currently run a paid bug bounty programme. We do plan to publish a public hall-of-fame credit for the first report we acknowledge, with the reporter’s permission.
Safe Harbour
Good-faith research carried out in line with this policy will not result in legal action by Kotao. Please avoid disrupting service, accessing data that is not your own, and disclosing details publicly before we have had the opportunity to remediate.
Public Disclosure
We coordinate disclosure with reporters. Please give us a reasonable window to ship a fix before publishing details. Our security.txt file references this policy and the current disclosure contact.
Legal context
Other documents.
Privacy, security, terms, and usage rules should be read together when evaluating Kotao for multiple teams.
-
Acceptable Use Policy
Activities prohibited on the Kotao platform.
-
Cookie Policy
How Kotao uses cookies and similar technologies.
-
Data Processing Agreement
Kotao's Data Processing Agreement under Art. 28 GDPR.
-
Illegal Content Reports (DSA)
Notice-and-action mechanism under Art. 16 DSA and Kotao GmbH's points of contact.
-
Imprint
Legal entity information for Kotao GmbH per § 5 DDG.
-
Kotao Payments Terms
Supplementary terms for the integrated payment processing on the Kotao platform.
-
Privacy Policy
How Kotao GmbH collects, uses, and protects your personal data under GDPR.
-
Sub-processors
Kotao's published, versioned list of sub-processors under Art. 28 GDPR.
-
Terms of Service
The terms governing the use of Kotao's platform and services.