Security & governance

Fleet governance, not just observability.

Permissions by owner and group, encryption by design, immutable audit and operational practices to keep a fleet healthy. This page describes Kordana's product controls; it does not replace formal assessments or certifications.

01·Every object has a human owner

The chain of responsibility is part of the data model.

Unit

A named human owner for every agent. There is no unit without an accountable person.

Group

Every node in the tree — domain, customer, process — has a human owner.

Policy

Budgets and rules inherit down the tree; the most specific policy wins and restrictions never relax.

02·Permission model

Roles with explicit scope, inherited through the group tree.

Permissions operate on units and groups, not on screens. A supervisor for one group cannot touch units in another; an auditor reads everything but executes nothing. Role changes are audited events.

RoleScopeCan
Unit ownerUnitEdit the role, adjust limits, approve escalations, retire the unit.
Group ownerGroup and descendantsApprove onboarding, move units between groups, set budgets, order a freeze.
Operational supervisorAssigned groupStop / play, take cases from the inbox, execute handoff, open incidents.
AuditorFull readQuery the immutable log, export reports, verify retirement certificates.
Platform administratorTenantManage SSO, roles, connectors and global policies. No access to operational data.

Enterprise SSO and SCIM provisioning planned for tenants with centralized identity requirements. Check availability on your plan.

03·Identity and access

Its own non-human identity per unit.

Never a borrowed human credential. Each unit gets its NHI with a rotation date. The access profile is registered structurally in Design — system, permission, justification, approver — and used as the contract for provisioning and revocation.

  • · Provisioning against a profile approved by the owners of the accessed systems.
  • · Versioned credential rotation per unit.
  • · Automatic revocation verified against the source profile.

Retirement certificate

Verified retirement

No certificate, no retirement. The phase that eliminates zombie agents.

  • Credentials revoked
  • Access closed
  • Orphan work = 0
  • Full archive

Target: 100% of units retired with a certificate. Live credentials post-retirement: 0.

04·Encryption by design

Data protected in transit, at rest, and in the vault.

Kordana doesn't ask you to take our word for it: the cryptographic controls are part of the product architecture. This description reflects the service implementation and is not an independent certification.

In transit

TLS 1.2+ between browser, APIs, connectors and integrated frameworks. HSTS enabled on the domain.

At rest

AES-256 encryption managed by the infrastructure provider. Volumes, snapshots and backups included.

Secrets and NHI

Unit credentials and connector tokens live in a dedicated vault, with versioned rotation per unit.

Tenant isolation

Logical data segregation per organization and row-level access controls for owners and groups.

05·Immutable audit

Actor, action, object, timestamp, justification.

Every control action is written to the log, no exceptions — including those taken by automated policies.

TimestampActorActionObjectJustification
10:42:03Ana Pérez · SupervisorSTOPunit/collections-latam-07Spend threshold exceeded
10:44:11Policy · budget-latamDEGRADEgroup/collections-latamDaily budget at 95%
11:02:37Ana Pérez · SupervisorAPPROVEcase/esc-8821Context verified with customer

06·Operational best practices

Six rules to keep the fleet from getting away from you.

Practices we recommend to teams operating agents in Kordana. They align with the data model and the product's levers.

01

Least privilege by default

Every unit starts with the narrowest possible access profile. Expanding it requires the owner of the accessed system to approve.

02

Conservative limits at onboarding

Budget, hours and action caps default to conservative during probation. They relax once the unit graduates.

03

Freeze before hotfix

When in doubt, pause the unit or the group. A freeze costs less than a deviation in flight.

04

Quarterly access review

Revalidate owners, live credentials and profiles against connected systems. Scheduled NHI rotation.

05

Postmortem per formal incident

Every incident closes with findings linked to the unit and the next role version.

06

Retirement with a certificate, always

Without a retirement certificate there is no closure. The only way to eliminate zombie agents at scale.

Anti-pattern we eliminate

Zombie agent

A unit informally retired that keeps live credentials or access. Phase 6 — verified retirement with a certificate — is exactly what eliminates it.

07·Integration levels

The level decides what can be governed.

  • L0

    Inventoried

    Exists with an owner and a group

  • L1

    Observed

    Telemetry, health, alerts, scorecards

  • L2

    Controlled

    Stop/play, limits, structured handoff

  • L3

    Managed

    Full lifecycle, verified retirement

L2 enables operational control. L3 enables the full lifecycle with verified retirement.

08·Security contact

Found something? Write to us.

Report vulnerabilities or incidents to security@kordana.ai. We acknowledge within one business day.

Raise the level at your pace.

Start free by inventorying. Move up to observation, control or management unit by unit.