Skip to main content

Trust & security

Trust center for security, payments, and availability.

Built for operators in gastronomy, hospitality, retail, and e-commerce. Online card entry uses the hosted card fields of our PCI DSS Level 1 certified payment processor, so raw cardholder data never touches Kotao systems; that architecture supports a PCI DSS SAQ A posture for eligible merchants. Workspace-level roles for every action. Audit-ready exports for KassenSichV, GoBD, and DATEV. EU-hosted by default.

Defaults

What's locked down by default.

  • EU data residency

    EU-hosted with documented subprocessors, DPA, and SCCs for any cross-border transfer.

  • Encryption everywhere

    TLS 1.3 in transit. AES-256 at rest. Per-customer key separation for sensitive fields.

  • PCI-DSS payments partner

    Online card collection runs through a PCI Level 1 Service Provider: hosted card fields tokenize card data and keep PAN out of Kotao's application environment.

  • GDPR + DPA

    Data Processing Agreement on every plan. SCCs for sub-processors. Full audit trail.

  • Strong Customer Authentication

    PSD2-compliant 3DS2 + frictionless flows. Exemptions handled automatically.

  • Ongoing monitoring

    Logging and alerting on critical paths. Documented incident-response process.

Operational controls

Roles, audit, and 2FA, on by default.

  1. 01 Role-based workspace permissions
  2. 02 Admin action audit trails
  3. 03 Session and device controls
  4. 04 2FA and step-up authentication
  5. 05 Payment tokenization
  6. 06 Data processing agreements

Assurance roadmap

SOC 2 Type II and ISO 27001 are on the public trust roadmap.

Kotao is building the control evidence program and roadmap toward SOC 2 Type II and ISO 27001. Until third-party reports are available, we publish the current security posture, subprocessors, DPA, and incident process here instead of implying a certification we have not yet earned.

  • PCI DSS SAQ A-aligned online card collection through the payment processor's hosted card fields
  • SOC 2 Type II readiness work for security, availability, and confidentiality controls
  • ISO 27001 ISMS roadmap covering policies, risk management, access review, and supplier controls

Availability

Status and incidents are published openly.

The public status page records active incidents, degraded services, maintenance windows, and post-incident updates for customer-facing Kotao services.

Run the till. Run the books. Run the team.

POS, bookings, payments, inventory, payroll, website, reporting. One product. One bill. No plugin chain to maintain.