Compliance

Compliance, security, and accessibility in one place

This hub explains how we protect users, meet legal and industry needs, and design for everyone. You will find our security and privacy overview, our accessibility statement, and our approach to post-quantum readiness. Each section is written in plain language.

Security and privacy

How we protect users and data across every service

We use a defense-in-depth model. Controls apply at the application, data, and infrastructure layers and are reviewed on a regular cadence.

Secure cookies and session handling

We set HttpOnly, Secure, and SameSite on the cookies for all authenticated sessions. Our web backend-for-frontend (BFF) keeps tokens server-side: the browser holds only an opaque session cookie and never receives provider tokens or session secrets.

Content Security Policy with nonces

Content Security Policy middleware sets a policy on every response with a fresh nonce per response. An inline script runs only if it carries that response's nonce. External script origins are explicitly allow-listed and reviewed regularly.

Encryption at rest and in transit

Sensitive records are encrypted at rest in our database. Transport uses modern TLS protocols. Our Content Security Policy includes the upgrade-insecure-requests directive, which makes supporting browsers fetch http:// subresources and same-site navigations over https:// instead, and we do not serve mixed content on any public page.

Access controls and audit logging

Role-based access controls restrict who can read or write personal data. Every read and write of PII is logged with a timestamp, actor, and record reference for audit purposes.

Dependency scanning and patching

We maintain inventories of dependencies and apply security patches within the windows defined by our SLA. We track security advisories and OWASP guidance as a baseline for all service modules.

Incident response and reporting

We have a documented incident response process with clear escalation paths and stakeholder notification timelines. For vendor reviews, request the full incident response plan through the Contact form.

Accessibility statement

Our WCAG 2.2 AA commitment

We design and build to WCAG 2.2 AA. That includes color contrast, visible focus rings, logical heading structure, descriptive labels on all form controls, and support for screen readers and keyboard-only navigation. We never trap focus or block the back button.

We test with automated tools such as axe and pa11y as part of the CI pipeline. We also run manual reviews on representative flows before every significant release. Our Accessibility Technologies brand provides specialized WCAG audit services at accessibilitytechnologies.com.

If you find a barrier on any page, use the Contact form and choose General. Tell us the page URL, the action you were trying to take, and the assistive technology or browser you were using. We track issues internally, fix them with priority based on severity, and confirm resolution with the reporter.

We are tracking WCAG 3.0 development but are not blocking shipping on it. Our current baseline is WCAG 2.2 AA. We will publish a plan for 3.0 adoption when the standard reaches a stable state.


Post-quantum readiness

Our approach to the quantum security transition

Cryptography inventory

We maintain an inventory of cryptographic algorithms and key management practices across services. This is the foundation for planning a migration to post-quantum algorithms as the NIST standards (FIPS 203, 204 and 205, finalized in August 2024) and library support for them mature.

NIST and IBM guidance

We track NIST post-quantum standards and IBM roadmap guidance. The major cryptography transition is projected for the early to mid 2030s. We are in the inventory and planning phase, not the emergency response phase.

No hot patches

We avoid rushed algorithm changes. Cryptography migrations are tested in safe environments before any production rollout. We publish the migration timeline and algorithm choices for clients who host infrastructure with us.

Client communication

Clients who have specific post-quantum requirements due to regulatory mandates can request our current cryptography statement and inventory summary through the Contact form using the Security and privacy topic.

Vendor reviews and audits

How security reviews and vendor questionnaires work

1. Submit through Contact form

Use the Contact form and choose Security and privacy. Attach your questionnaire or describe your review requirements. We confirm receipt within one business day.

2. Review standard documentation

We share standard documents that describe controls, processes, architecture, and policy. Most questionnaires can be completed with these materials without additional calls.

3. Address custom requirements

For reviews that need items beyond standard documentation, we work through a short plan with dates and named owners. We do not rush security review responses.

4. Follow-up and sign-off

We track open questions to closure and provide written confirmation when all items are addressed. We keep a record for our own audit purposes.

All legal and compliance documents are maintained in the Legal hub. Each document is written in plain language and updated when policies change.

Privacy Policy

How we collect, use, store, and protect personal data. Explains your rights and how to exercise them.

Terms of Use

The terms that govern use of kosansh.com and its brand hubs. Written in plain language.

Cookie Policy

What cookies and similar technologies we use, why, and how to manage your preferences.

Subprocessors

The list of third-party service providers we use to process personal data in delivering services.

Acceptable Use

Permitted and prohibited uses of our platforms, tools, and services. Applies to all users.