title: "Security" slug: security awareness: most-aware internal: false description: "How Khorvad protects your agency data — encryption, access, residency, subprocessors, incident response." published: "2026-04-24" no_cta: true

Security

Elena, your Head of Strategy, will want to see this before she greenlights a Parallax Test upload. Marcus, your CEO, will forward it to whoever handles vendor security review. Both reads are the point — this page exists to let you make an informed decision without a sales call.

Plain-English sections first, subprocessor list and contact at the end.

Encryption

• In transit. TLS 1.3 on every public endpoint (khorvad.com, transactional.khorvad.com, booking surfaces). HSTS enabled with long max-age; old TLS versions and insecure ciphers are disabled at the edge.
• At rest. AES-256 for uploaded files in Cloudflare R2 and for database volumes in Neon. Backups are encrypted with separate keys; key rotation policy is documented in the operations runbook.
• Key management. [PLACEHOLDER — counsel review]: Isolated Tier supports Bring Your Own Key (BYOK) via a customer-controlled KMS. Default tiers use provider-managed keys.

Access

During the Founding Cohort phase, uploaded agency data is read by the founder only. No junior analysts, no offshore reviewers, no third-party labeling teams. Production infrastructure access is similarly founder-scoped.

Post-calibration, read access expands only to the automated pipelines that run your twin. Human access remains founder-scoped until the engineering team grows; any expansion will be reflected in a dated change note on this page before it takes effect.

All administrative access uses hardware-key MFA. Workstation access uses full-disk encryption and a screen-lock policy measured in seconds, not minutes.

Data residency

• Default. Neon Postgres and Cloudflare R2 in US-east regions.
• Isolated Tier. Frankfurt residency for EU-resident customers, under a signed Data Processing Agreement. No cross-region replication without written consent.

[PLACEHOLDER — counsel review]: schedule of subprocessors and regions will be pinned to the DPA addendum at launch.

Subprocessors

We use a short, vetted list. Each is contracted under written terms restricting use of your data to the service they provide.

• Cloudflare — object storage (R2), CDN, WAF, bot management.
• Resend — transactional email via transactional.khorvad.com.
• Cal.com (self-hosted on our infrastructure) — booking and qualifying-question capture.
• Neon — managed Postgres.
• PostHog / Umami / Plausible — cookieless product and page analytics.
• Sentry / GlitchTip — error monitoring, stack traces only (no form payloads).
• Vercel — marketing-site hosting for the public pages.

Subprocessor changes will be announced on this page with at least 30 days' notice for customers under an active DPA. [PLACEHOLDER — counsel review]: notification timing may change based on DPA template.

No cross-agency training

Your data is never used to train a model that serves another agency. One agency, one twin. The architecture enforces this — it is not a marketing promise.

Benchmark Mode is the only cross-agency surface we operate. It draws exclusively from a Khorvad-authored pattern library — our own written teardowns, not your data. Turning Benchmark Mode on for your twin does not expose your data to anyone else's twin.

Incident response

[PLACEHOLDER — counsel review]: target 72-hour notification for confirmed security incidents affecting your data, via email to the contacts you designate on the Parallax Test intake. Final notification timing will land with counsel sign-off and may be tightened below 72 hours for customers under a DPA.

Our incident response runbook covers containment, eradication, customer notification, and post-incident review. The runbook is internal; a summary is available on request under NDA.

Vulnerability disclosure

Security researchers are welcome to report findings to security@khorvad.com. We do not pursue good-faith security research. PGP key available on request.

Current scope: khorvad.com, transactional.khorvad.com, self-hosted Cal.com, and any infrastructure documented in the public operations runbook. Out of scope: subprocessor-operated surfaces (report those directly to the subprocessor).

Compliance posture

[PLACEHOLDER — pending signal-legal-compliance roadmap]: SOC 2 Type II is on the roadmap post-launch. GDPR and CCPA obligations are met via the practices documented on this page plus the DPA for customers who require one.

We do not claim certifications we do not hold. The roadmap will be published on this page as it is scoped.

Contact

• Vulnerability disclosure: security@khorvad.com
• DPA requests: dpa@khorvad.com
• General security questions: legal@khorvad.com