Trust & security
Trust center for security, payments, and availability.
Built for operators in gastronomy, hospitality, retail, and e-commerce. Online card entry uses the hosted card fields of our PCI DSS Level 1 certified payment processor, so raw cardholder data never touches Kotao systems; that architecture supports a PCI DSS SAQ A posture for eligible merchants. Workspace-level roles for every action. Audit-ready exports for KassenSichV, GoBD, and DATEV. EU-hosted by default.
Defaults
What's locked down by default.
-
EU data residency
EU-hosted with documented subprocessors, DPA, and SCCs for any cross-border transfer.
-
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Per-customer key separation for sensitive fields.
-
PCI-DSS payments partner
Online card collection runs through a PCI Level 1 Service Provider: hosted card fields tokenize card data and keep PAN out of Kotao's application environment.
-
GDPR + DPA
Data Processing Agreement on every plan. SCCs for sub-processors. Full audit trail.
-
Strong Customer Authentication
PSD2-compliant 3DS2 + frictionless flows. Exemptions handled automatically.
-
Ongoing monitoring
Logging and alerting on critical paths. Documented incident-response process.
Operational controls
Roles, audit, and 2FA, on by default.
- 01 Role-based workspace permissions
- 02 Admin action audit trails
- 03 Session and device controls
- 04 2FA and step-up authentication
- 05 Payment tokenization
- 06 Data processing agreements
Assurance roadmap
SOC 2 Type II and ISO 27001 are on the public trust roadmap.
Kotao is building the control evidence program and roadmap toward SOC 2 Type II and ISO 27001. Until third-party reports are available, we publish the current security posture, subprocessors, DPA, and incident process here instead of implying a certification we have not yet earned.
- PCI DSS SAQ A-aligned online card collection through the payment processor's hosted card fields
- SOC 2 Type II readiness work for security, availability, and confidentiality controls
- ISO 27001 ISMS roadmap covering policies, risk management, access review, and supplier controls
Availability
Status and incidents are published openly.
The public status page records active incidents, degraded services, maintenance windows, and post-incident updates for customer-facing Kotao services.
Run the till. Run the books. Run the team.
POS, bookings, payments, inventory, payroll, website, reporting. One product. One bill. No plugin chain to maintain.