Our Compliance Commitment
k&z builds quantum infrastructure for the world's most security-sensitive organizations. Our compliance program is not a checkbox exercise — it is a continuous, organization-wide discipline that ensures every process, system, and employee meets the highest standards of information security, data protection, and operational integrity. We maintain an active portfolio of certifications and undergo regular independent audits to validate our controls.
Certifications
ISO 27001:2022 (In Progress)
k&z has implemented an Information Security Management System (ISMS) aligned with ISO 27001:2022 requirements, covering all quantum computing operations, data center facilities, and cloud infrastructure. Our ISMS encompasses controls across 14 domains, including access control, cryptography, operations security, and supplier relationships. We are currently undergoing the formal certification process with TUV Rheinland, with anticipated certification completion in 2026.
Status: Certification in progress
Scope: Quantum computing infrastructure services, QPU management, and hybrid HPC operations
Certification Body: TUV Rheinland
Anticipated Completion: 2026
SOC 2 Type II (In Progress)
k&z is undergoing a SOC 2 Type II audit covering the Security, Availability, Confidentiality, and Processing Integrity trust service criteria. The audit will examine the design and operating effectiveness of k&z controls over a 12-month observation period. The report is being prepared by Deloitte and will be available to customers and prospects under NDA upon completion.
Status: Audit in progress
Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity
Auditor: Deloitte
Anticipated Completion: 2026
GDPR Compliance
k&z is fully compliant with the EU General Data Protection Regulation (GDPR). We act as a data processor for customer workload data and maintain appropriate technical and organizational measures as documented in our Data Processing Agreement (DPA). Key GDPR measures include:
- Data processing records maintained under Article 30
- Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities
- Appointed Data Protection Officer (DPO) reachable at support@kandz.co
- 72-hour breach notification process in place per Article 33
- Data subject rights (access, rectification, erasure, portability) supported through self-service tools and DPO assistance
- EU data residency options available — workload data can be restricted to EU-based facilities
FedRAMP (In Progress)
k&z is actively pursuing FedRAMP Moderate authorization to serve U.S. federal agencies and defense contractors. We are currently in the authorization phase with a Third Party Assessment Organization (3PAO) and anticipate completing the process in Q3 2026. Our FedRAMP package addresses all 325 NIST SP 800-53 Rev. 5 controls at the Moderate impact level.
Status: Authorization in progress
Impact Level: Moderate
3PAO: Coalfire
Estimated Authorization: Q3 2026
Audit Schedule
| Audit / Certification | Frequency | Auditor | Last Completed | Next Scheduled |
|---|---|---|---|---|
| ISO 27001 Certification | In progress | TUV Rheinland | N/A | 2026 (target) |
| SOC 2 Type II | In progress | Deloitte | N/A | 2026 (target) |
| Penetration Test (External) | Quarterly | NCC Group | December 2025 | March 2026 |
| Penetration Test (Internal) | Semi-annual | Bishop Fox | October 2025 | April 2026 |
| GDPR Compliance Review | Annual | Internal DPO + External Counsel | November 2025 | November 2026 |
| FedRAMP Assessment | In progress | Coalfire | N/A | Q3 2026 (target) |
| Red Team Exercise | Annual | Mandiant | September 2025 | September 2026 |
Third-Party Auditors
We engage only reputable, globally recognized audit and security firms to ensure independence and rigor:
- TUV Rheinland — ISO 27001 certification body, accredited by the German national accreditation body (DAkkS).
- Deloitte — SOC 2 Type II audit firm, member of the AICPA.
- Coalfire — FedRAMP 3PAO, authorized by the FedRAMP PMO.
- NCC Group — External penetration testing, specializing in critical infrastructure security.
- Bishop Fox — Internal penetration testing and red-team operations.
- Mandiant — Annual red-team and threat intelligence exercises.
Compliance Certifications Summary
| Framework | Status | Scope |
|---|---|---|
| ISO 27001:2022 | In Progress (aligned controls implemented) | All quantum infrastructure operations |
| SOC 2 Type II | In Progress (audit underway) | Security, Availability, Confidentiality, Processing Integrity |
| GDPR | Compliant | EU personal data processing |
| FedRAMP Moderate | In Progress | U.S. federal workloads |
| FIPS 140-3 Level 3 | Certified (HSMs) | Cryptographic key management modules |
| CSA STAR Level 2 | In Progress (self-assessment complete) | Cloud security controls |
Requesting Compliance Documents
SOC 2 reports, ISO 27001 certificates, penetration test summaries, and other compliance artifacts are available to customers and qualified prospects under NDA. To request documentation, contact support@kandz.co or reach out to your account manager.