Security at KostKube

We understand that connecting any external tool to your Kubernetes cluster requires trust. Here is exactly how we earn and protect that trust.

Infrastructure Security

Cloud Infrastructure

  • Hosted on Amazon Web Services (AWS)
  • Primary region: US-East-1 (Northern Virginia)
  • EU data residency available on Business and Enterprise plans (AWS EU-West-1, Ireland)
  • AWS VPC isolation with private subnets for data services
  • AWS WAF for web application firewall protection

Encryption

  • TLS 1.3 for all data in transit (Agent to cloud, browser to app)
  • AES-256 encryption for all data at rest
  • Encrypted database volumes (AWS KMS-managed keys)
  • Encrypted backups with key rotation
  • TLS certificate management via AWS Certificate Manager

Agent Security

The KostKube Agent is the only component that runs in your environment. Its security design was our first and highest priority. The Agent is open source — every security property described here can be independently verified by reviewing the source code.

RBAC & Permissions

  • Read-only ClusterRole — no write, update, delete, or patch permissions
  • Scoped to only the API resources needed: nodes, pods, namespaces, persistentvolumes
  • Explicitly no access to Secrets, ConfigMaps, or ServiceAccounts
  • Dedicated ServiceAccount with minimal token permissions
  • Deployed in its own namespace (kostkube-system) for isolation
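
One way to check these RBAC claims against what is actually installed, as an added example that is not KostKube's own code: the script audits a ClusterRole exported with `kubectl get clusterrole <name> -o json` against the scope listed above. The role name `kostkube-agent`, the `metrics.k8s.io` rule and both sample manifests are constructed for illustration.

```python
import json

# Scope stated on this page; anything beyond it is reported as a finding.
ALLOWED_RESOURCES = {"nodes", "pods", "namespaces", "persistentvolumes"}
READ_VERBS = {"get", "list", "watch"}
FORBIDDEN = {"secrets", "configmaps", "serviceaccounts"}

def audit_cluster_role(role):
    """Return findings where a ClusterRole exceeds the stated read-only scope."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        for verb in sorted(set(rule.get("verbs", [])) - READ_VERBS):
            findings.append(f"rule {i}: non-read verb '{verb}'")
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: nonResourceURLs outside stated scope")
        for res in sorted(set(rule.get("resources", []))):
            base = res.split("/", 1)[0]  # "pods/log" -> "pods"
            if res == "*":
                findings.append(f"rule {i}: wildcard resource")
            elif base in FORBIDDEN:
                findings.append(f"rule {i}: forbidden resource '{res}'")
            elif res not in ALLOWED_RESOURCES:  # also catches subresources
                findings.append(f"rule {i}: resource '{res}' outside stated scope")
    return findings

# Constructed sample: a role that matches the claims (name is hypothetical).
CLAIMED = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "kostkube-agent"},
 "rules": [
  {"apiGroups": [""], "verbs": ["get", "list", "watch"],
   "resources": ["nodes", "pods", "namespaces", "persistentvolumes"]},
  {"apiGroups": ["metrics.k8s.io"], "verbs": ["get", "list"],
   "resources": ["nodes", "pods"]}]}
""")

# Constructed sample: the same role after drifting beyond the claims.
DRIFTED = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "kostkube-agent"},
 "rules": [
  {"apiGroups": [""], "verbs": ["get", "list"], "resources": ["pods", "secrets"]},
  {"apiGroups": [""], "verbs": ["get"], "resources": ["pods/log"]},
  {"apiGroups": [""], "verbs": ["get", "patch"], "resources": ["nodes"]}]}
""")

if __name__ == "__main__":
    for name, role in (("claimed", CLAIMED), ("drifted", DRIFTED)):
        print(name, audit_cluster_role(role) or "matches stated scope")
```

A clean result covers only this one ClusterRole; any other Role or ClusterRole bound to the Agent's ServiceAccount needs the same review.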

Data Collected by Agent

The Agent collects ONLY:

  • CPU/memory request and usage metrics per pod/node
  • Storage utilization for Persistent Volumes
  • Kubernetes resource names and labels
  • Node instance type and region metadata

The Agent does NOT collect:

  • Secrets, tokens, or credentials of any kind
  • Application logs or container output
  • Network traffic content
  • Environment variable values

Authentication & Access Control

Platform Authentication

  • JWT (JSON Web Tokens) for session management with short expiry
  • Passwords hashed with bcrypt (cost factor 12+)
  • SSO via Google Workspace, GitHub, and SAML 2.0 (Business+ plans)
  • Brute-force protection with rate limiting on login attempts
  • HTTPS-only — all HTTP requests redirected to HTTPS

Data Isolation

  • Logical data isolation per customer in all data queries
  • Customer data partitioned by tenant ID at the database layer
  • No cross-customer data leakage by architectural design
  • Role-based access within your account: Admin, Editor, Viewer
  • Audit log of all user actions within the platform

Compliance

SOC 2 Type II

In Progress

We are currently undergoing our SOC 2 Type II audit, which covers security, availability, and confidentiality. We expect to receive our report within the next 12 months. Evidence packages are available to Enterprise customers on request.

GDPR

Compliant

We are GDPR compliant. EU data residency is available on Business and Enterprise plans. We act as a Data Processor for your infrastructure metrics. A Data Processing Agreement (DPA) is available on request at support@kostkube.com.

CCPA

Compliant

We are CCPA compliant. We do not sell or share California residents' personal information. You have the right to know, delete, and opt out. See our Privacy Policy for details.

Security Testing & Operations

Penetration Testing

We plan to conduct annual third-party penetration tests of the KostKube platform and Agent. Penetration test results are reviewed by our team and critical findings are remediated before publication. Enterprise customers may request penetration test summary reports.

Incident Response

We maintain a documented incident response plan. In the event of a security incident that may affect your data, we will notify affected customers via email within 72 hours of becoming aware of the incident, consistent with GDPR notification requirements.

Dependency Management

We monitor all third-party dependencies used in the platform and Agent for known CVEs. Critical security patches are applied promptly. Agent releases are versioned and signed.

Employee Access

Access to production systems is restricted to authorized personnel on a need-to-know basis. All production access requires MFA. We maintain access logs for all production system interactions.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers who responsibly disclose issues to us. If you have discovered a security vulnerability in KostKube — including the platform, the Agent, or any related infrastructure — please report it to us before publicly disclosing it.

Security Contact

security@kostkube.com

Please use this email for security vulnerability reports only. For general support, use support@kostkube.com.

We commit to: acknowledging your report within 2 business days; keeping you informed of our investigation and remediation progress; not pursuing legal action against researchers who act in good faith; and giving credit to researchers who responsibly disclose valid vulnerabilities (unless you prefer to remain anonymous).

Have Security Questions?

We're happy to answer security questions, provide additional documentation, or arrange a security review call for Enterprise customers.
