Effective Date: January 1, 2026 — Version: 1.0
1. Introduction
K&z Limited (“k&z”) is committed to maintaining the highest standards of security for our quantum AI infrastructure platform and all associated services. This Security Policy outlines the comprehensive technical, physical, and organizational measures we implement to protect client data, quantum computing resources, and the integrity of our operations. Security is fundamental to the trust our clients place in k&z, and we continuously invest in strengthening our security posture.
k&z maintains security controls aligned with ISO 27001 (Information Security Management) and SOC 2 Type II (Security, Availability, Confidentiality) standards. Both certifications are currently in progress with independent third-party assessors (TUV Rheinland and Deloitte, respectively), with anticipated completion in 2026. See our Compliance & Audits page for current status. For sovereign deployment clients, additional certifications and clearances may apply as specified in the applicable service agreement.
2. Physical Security
2.1 Facility Security
k&z quantum computing facilities are housed in purpose-built or hardened data centers that meet or exceed Tier III standards. Physical security measures include:
- Perimeter Security: Reinforced building structures, anti-ram barriers, perimeter fencing, and controlled vehicle access points with bollard protection.
- Access Control: Multi-layered access control systems including badge readers, biometric authentication (fingerprint and iris scanning), and man-traps/security vestibules at sensitive entry points.
- Video Surveillance: 24/7 closed-circuit television (CCTV) monitoring with high-definition cameras covering all entry points, server rooms, QPU laboratories, and common areas. Video recordings are retained for a minimum of ninety (90) days.
- Security Personnel: On-site security staff providing 24/7 coverage, with regular patrols and incident response capabilities.
- Visitor Management: All visitors must be pre-approved, present valid identification, sign non-disclosure agreements, and be escorted by authorized k&z personnel at all times within secure areas.
2.2 Quantum Computing Environment
QPU hardware requires specialized environmental conditions and additional security measures:
- Restricted Access Zones: QPU laboratories and cryogenic facilities are designated as restricted access zones with separate access controls and additional biometric verification.
- Environmental Monitoring: Continuous monitoring of temperature, humidity, vibration, and electromagnetic interference levels critical to QPU operation.
- Cryogenic Safety: Automated monitoring and alarm systems for dilution refrigerators and cryogenic cooling systems, with redundant cooling infrastructure.
- Electromagnetic Shielding: RF-shielded rooms and Faraday cage enclosures for QPU systems to prevent electromagnetic interference and protect against side-channel attacks.
3. Network Security
3.1 Network Architecture
k&z employs a defense-in-depth network security architecture with multiple layers of protection:
- Network Segmentation: Strict network segmentation separating QPU control planes, client workload execution environments, management networks, and public-facing services into isolated network zones.
- Firewalls: Enterprise-grade next-generation firewalls (NGFWs) with deep packet inspection, application-layer filtering, and stateful packet inspection at all network boundaries.
- Intrusion Detection and Prevention: Network-based and host-based intrusion detection and prevention systems (IDS/IPS) monitoring for malicious activity and known attack patterns.
- DDoS Protection: Multi-layer distributed denial-of-service mitigation including traffic scrubbing, rate limiting, and geographic filtering through partnerships with leading DDoS mitigation providers.
- VPN and Private Connectivity: Secure VPN tunnels (IPsec/WireGuard) and dedicated private network interconnections for enterprise clients requiring private connectivity to k&z infrastructure.
3.2 API Security
All k&z APIs enforce the following security measures:
- Transport Layer Security (TLS 1.3) for all API communications;
- API key and OAuth 2.0 bearer token authentication;
- Rate limiting and throttling to prevent abuse;
- Input validation and sanitization on all API endpoints;
- Request signing for sensitive operations; and
- Comprehensive API access logging and audit trails.
4. Data Encryption
4.1 Encryption in Transit
All data transmitted to and from k&z systems is encrypted using TLS 1.3 with strong cipher suites. This applies to API communications, web interface access, inter-service communications, and data transfer between classical and quantum computing components. Certificate pinning is enforced for k&z mobile and desktop applications.
4.2 Encryption at Rest
All stored data, including client workloads, quantum circuit definitions, computational results, account information, and system logs, is encrypted at rest using AES-256 encryption. Encryption keys are managed through a hardware security module (HSM)-backed key management system with automatic key rotation.
4.3 Key Management
k&z employs a centralized key management infrastructure with: (a) FIPS 140-2 Level 3 certified hardware security modules (HSMs) for key storage and cryptographic operations; (b) automatic key rotation on defined schedules; (c) strict separation of duties for key management operations; and (d) comprehensive audit logging of all key lifecycle events.
4.4 Post-Quantum Cryptography
Recognizing the unique position of k&z as a quantum computing provider, we are actively transitioning to post-quantum cryptographic algorithms for long-term data protection. Our roadmap includes adoption of NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA) for key exchange and digital signatures across our infrastructure.
5. Access Control
5.1 Identity and Access Management
k&z implements comprehensive identity and access management (IAM) controls:
- Role-Based Access Control (RBAC): Granular role-based permissions for both internal personnel and client users, following the principle of least privilege.
- Multi-Factor Authentication (MFA): Required for all administrative access, SSH access, and API access to production systems. Supported MFA methods include hardware security keys (FIDO2/WebAuthn), time-based one-time passwords (TOTP), and push notifications.
- Single Sign-On (SSO): SAML 2.0 and OpenID Connect (OIDC) integration for enterprise clients, enabling centralized authentication and authorization management.
- Access Reviews: Quarterly access reviews for all systems processing client data, with automatic revocation of unused access permissions.
- Privileged Access Management: Just-in-time privileged access for administrative operations, with session recording and approval workflows for sensitive actions.
6. Employee Security
6.1 Background Checks
All k&z employees and contractors undergo comprehensive background checks prior to employment, including criminal record checks, employment history verification, and education verification. Personnel with access to quantum computing infrastructure or client data undergo enhanced vetting.
6.2 Security Training
All k&z employees complete mandatory security awareness training upon hire and annually thereafter. Training covers topics including phishing awareness, secure coding practices, data handling procedures, incident reporting, and social engineering defense. Role-specific training is provided for engineering, operations, and security personnel.
6.3 Acceptable Use and Confidentiality
All employees and contractors sign confidentiality agreements and are bound by an internal acceptable use policy governing the handling of client data and k&z systems.
7. Vulnerability Management
7.1 Vulnerability Scanning
k&z conducts regular automated vulnerability scanning across all infrastructure, including network vulnerability scans (weekly), application security scans (weekly), container image scanning (on every build), and infrastructure-as-code security scanning (on every deployment).
7.2 Penetration Testing
k&z engages independent third-party security firms to conduct penetration testing at least annually. Penetration testing scope includes external network testing, web application testing, API security testing, and social engineering assessments. Critical findings are remediated within forty-eight (48) hours; high-severity findings within seven (7) days.
7.3 Patch Management
k&z maintains a rigorous patch management process: critical security patches are applied within twenty-four (24) hours of release; high-severity patches within seventy-two (72) hours; and routine patches within thirty (30) days. Emergency patching procedures are in place for zero-day vulnerabilities.
7.4 Responsible Disclosure
k&z operates a responsible vulnerability disclosure program, and security researchers are encouraged to report vulnerabilities through it. We commit to acknowledging reports within twenty-four (24) hours and providing status updates throughout the remediation process.
8. Incident Response
8.1 Incident Response Plan
k&z maintains a comprehensive incident response plan that defines roles, responsibilities, communication procedures, and escalation paths for security incidents. The plan is reviewed and updated at least annually and tested through tabletop exercises and simulated incident drills.
8.2 Incident Classification
Security incidents are classified by severity (Critical, High, Medium, Low) based on the potential impact on client data, service availability, and platform integrity. Response times and escalation procedures are calibrated to incident severity.
8.3 Client Notification
In the event of a security incident affecting client data, k&z shall notify affected clients within forty-eight (48) hours of confirming the incident, as detailed in our Data Processing Agreement. Notifications include a description of the incident, data affected, remediation actions taken, and recommended steps for the client.
9. Business Continuity and Disaster Recovery
9.1 Business Continuity Plan
k&z maintains a business continuity plan (BCP) that ensures the continued availability of critical services during and after disruptive events. The BCP is reviewed annually and tested through regular drills and exercises.
9.2 Disaster Recovery
k&z disaster recovery capabilities include: geographically distributed backup infrastructure; regular backup testing and validation; defined recovery time objectives (RTO) and recovery point objectives (RPO) aligned with service level commitments; and automated failover for critical platform components.
9.3 Data Backup
Client data and platform data are backed up regularly with encrypted backups stored in geographically separate locations. Backup integrity is verified through automated restoration testing on a monthly basis.
10. Third-Party Security
10.1 Vendor Assessment
All third-party vendors and service providers with access to k&z systems or client data undergo a security assessment prior to engagement. Assessments evaluate the vendor’s security controls, compliance certifications, data handling practices, and incident response capabilities.
10.2 Ongoing Monitoring
Third-party vendors are subject to ongoing security monitoring, including annual reassessments, continuous monitoring of their security posture, and prompt notification requirements for security incidents affecting k&z data or systems.
10.3 Contractual Protections
All third-party agreements include security requirements, data protection obligations, breach notification provisions, and audit rights consistent with k&z’s security standards and client commitments.
11. Compliance and Certifications
k&z maintains security controls aligned with the following standards and is pursuing formal certifications:
- ISO 27001: Information Security Management System — aligned controls implemented; formal certification in progress with TUV Rheinland (anticipated 2026).
- SOC 2 Type II: Security, Availability, and Confidentiality trust service criteria — audit in progress with Deloitte (anticipated 2026).
- PCI DSS: Compliance for payment card processing through certified third-party payment processors.
- GDPR/PDPO Compliance: Adherence to European and Hong Kong data protection regulations.
Audit reports and compliance documentation are available to clients under NDA upon request. See our Compliance & Audits page for the latest status and verification details.
12. Contact
For security-related inquiries, please contact:
- Security Team: support@kandz.co
- Vulnerability Reports: See our Responsible Disclosure page
- Incident Reports: support@kandz.co