Security & Compliance
KLogic is designed security-first. From transport encryption and strong authentication to fine-grained access control and immutable audit trails, every layer of the platform is built to meet enterprise security and compliance requirements.
Data Security
Your Kafka metadata and metrics are protected at every layer
Encryption Everywhere
TLS 1.3 for All Connections
All traffic between KLogic components, browsers, and Kafka clusters is encrypted with TLS 1.3. Older TLS versions are rejected.
AES-256 Encryption at Rest
All data stored in KLogic databases — metrics, configurations, credentials — is encrypted at rest using AES-256.
Credential Vault
Kafka cluster credentials and API keys are stored in an encrypted vault — never written to application logs or exposed in API responses.
No Message Content Storage
KLogic stores metrics and metadata only. Message payloads viewed in the topic browser are streamed directly from your Kafka cluster and never persisted in KLogic storage.
Kafka Connection Security
SSL/TLS
Mutual TLS with custom CA certificate support
SASL/PLAIN
Username/password authentication over TLS
SASL/SCRAM-256
Salted challenge-response authentication
SASL/SCRAM-512
SHA-512 SCRAM with salted credentials
SASL/OAUTHBEARER
OAuth2 bearer token delegation to Kafka
AWS IAM (MSK)
IAM role-based authentication for Amazon MSK
Authentication
Multiple authentication methods designed to integrate with your existing identity infrastructure
Username & Password
Standard credential-based authentication with bcrypt hashing. Enforced minimum password complexity and optional expiration policies.
Two-Factor Authentication (2FA)
TOTP-based 2FA with authenticator app support. Administrators can mandate 2FA for all workspace members.
SSO via SAML 2.0 / OIDC
Single sign-on integration with your existing identity provider — Okta, Azure AD, Google Workspace, and any SAML 2.0 or OIDC-compatible IdP.
API Key Authentication
Scoped API keys for programmatic access with configurable permissions, expiry dates, and zero-downtime rotation support.
OAuth2 / JWT Tokens
Short-lived JWT tokens issued after authentication. Token rotation and revocation are supported for both user sessions and service accounts.
Service Accounts
Create dedicated service account identities for CI/CD pipelines and automation with separate credential lifecycles from human users.
Access Control
Fine-grained RBAC and workspace isolation for teams of any size
Role-Based Access Control
Workspace Isolation
Each workspace is a fully isolated environment — data, users, and configurations are never shared across workspace boundaries
Three-Tier RBAC
Admin (full control), Operator (monitoring and alerting), and Viewer (read-only) roles assignable per workspace member
Cluster-Level Access
Restrict individual users to specific clusters within a workspace — useful for multi-team environments with separate production access policies
IP Allowlisting
Restrict workspace access to specific IP ranges or CIDR blocks for an additional network-layer security control
Role Capabilities
| Capability | Viewer | Operator | Admin |
|---|---|---|---|
| View dashboards | ✓ | ✓ | ✓ |
| Browse messages | ✓ | ✓ | ✓ |
| Manage alert rules | — | ✓ | ✓ |
| Manage watchdog rules | — | ✓ | ✓ |
| Restart connectors | — | ✓ | ✓ |
| Manage clusters | — | — | ✓ |
| Manage users & roles | — | — | ✓ |
| Generate API keys | — | — | ✓ |
Infrastructure Security
Hardened infrastructure with defense-in-depth controls
Network Isolation
- Services deployed in isolated VPCs with no direct public internet access
- Strict security group rules with least-privilege ingress/egress
- Internal service communication over private networks only
Vulnerability Management
- Automated dependency scanning on every build with SCA tooling
- Container images scanned for known CVEs before deployment
- Regular penetration testing by third-party security firms
Incident Response
- Documented incident response plan with defined RTO/RPO targets
- Automated anomaly detection on platform infrastructure metrics
- 24/7 on-call rotation for severity-1 security incidents
Data Residency
- Choose data residency region: US, EU, or APAC
- Self-hosted deployment option for full data sovereignty
- Data never leaves your selected region without explicit consent
Compliance
Controls and documentation to support your compliance obligations
SOC2 Readiness
KLogic's security controls are aligned with the SOC2 Trust Services Criteria. Security questionnaires and evidence packages are available to enterprise customers upon request.
GDPR Compliance
EU data residency option, data processing agreements (DPAs) available, right-to-erasure supported, and sub-processor list maintained and published.
HIPAA Considerations
Self-hosted deployment and enterprise tier customers can execute a Business Associate Agreement (BAA) for workloads involving protected health information.
Audit Logging
Immutable Audit Trail
Every user action — login, configuration change, alert rule update, API access — is recorded in an append-only audit log
Structured Log Format
Audit events are structured JSON with actor identity, timestamp, resource, action, and outcome — ready for SIEM ingestion
90-Day Retention
Audit logs retained for 90 days by default, with extended retention available for compliance-regulated workloads
Export & SIEM Integration
Stream audit logs to your SIEM via webhook or export as JSON/CSV for compliance reporting and forensic investigation
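As an added illustration of the structured audit format described above (example code, not KLogic's own), this Python script parses constructed JSON audit events carrying the five listed fields (actor, timestamp, resource, action, outcome) and applies two checks a SIEM rule would typically run on them: a successful login that follows repeated failures, and successful sensitive actions such as API key generation. The field names, action names and sample values are assumptions, not KLogic's actual schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape the page describes. Field and action
# names are assumptions for this example, not KLogic's real schema.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"actor": "alice", "timestamp": "2024-05-01T10:00:00Z", "resource": "session", "action": "login", "outcome": "failure"},
    {"actor": "alice", "timestamp": "2024-05-01T10:00:20Z", "resource": "session", "action": "login", "outcome": "failure"},
    {"actor": "alice", "timestamp": "2024-05-01T10:00:40Z", "resource": "session", "action": "login", "outcome": "failure"},
    {"actor": "alice", "timestamp": "2024-05-01T10:01:00Z", "resource": "session", "action": "login", "outcome": "success"},
    {"actor": "alice", "timestamp": "2024-05-01T10:02:00Z", "resource": "apikey:ci-deploy", "action": "apikey.create", "outcome": "success"},
    {"actor": "bob", "timestamp": "2024-05-01T11:00:00Z", "resource": "alert_rule:lag-high", "action": "alert_rule.update", "outcome": "success"},
])

# Actions that map to Admin-only capabilities in the role table and deserve review.
SENSITIVE_ACTIONS = {"apikey.create", "user.role.update", "cluster.update"}
FAILURE_THRESHOLD = 3          # failed logins before a following success is flagged
WINDOW = timedelta(minutes=5)  # failures older than this are ignored

def parse_events(raw):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_findings(events):
    """Return (kind, actor, detail) tuples for the two detections."""
    findings = []
    failures = defaultdict(list)  # actor -> timestamps of recent failed logins
    for e in events:
        if e["action"] == "login":
            recent = [t for t in failures[e["actor"]] if e["ts"] - t <= WINDOW]
            if e["outcome"] == "failure":
                recent.append(e["ts"])
            else:
                if len(recent) >= FAILURE_THRESHOLD:
                    findings.append(("login_after_failures", e["actor"], e["timestamp"]))
                recent = []  # a success closes the failure streak
            failures[e["actor"]] = recent
        if e["action"] in SENSITIVE_ACTIONS and e["outcome"] == "success":
            findings.append(("sensitive_action", e["actor"], e["action"]))
    return findings

if __name__ == "__main__":
    for finding in find_findings(parse_events(SAMPLE_AUDIT_LOG)):
        print(finding)
```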
Security Questions? Talk to Our Team.
Our security team is available to answer detailed questions, provide evidence packages for vendor assessments, and work through architecture reviews for regulated industries.
Security questionnaires and SOC2 reports available for enterprise customers