Security & Trust

Security posture, plain English.

Kinetiq supports your EHS and audit program with strong technical controls. We do not certify your compliance, and we hold no third-party attestation today. SOC 2 Type II is in progress on our side; happy to share current posture on a call.

How data is protected

Four controls, end to end.

Concept-level overview. The IT/Security Architecture Overview, available under NDA, walks through the specific mechanisms behind each control.

Data residency

Single-tenant Azure per customer.

You get your own deployment, not a shared multi-tenant database. Regions offered: US (West US 2) and Canada (Canada Central). Other regions by quote. No shared infrastructure with other customers.

Encryption

AES-256 at rest. TLS 1.2+ in transit.

Industry-standard encryption on stored data and on every connection. Sensitive personal data gets an additional layer of field-level encryption on top of the database-level encryption.

Identity

Microsoft Entra SSO. Module-level RBAC.

Users sign in with their corporate Microsoft identity. Access is gated per module, not just per role, so a contractor foreman and a corporate safety director see different things by design. External auditors come in through a scoped guest pathway that closes when the audit window ends.

Audit trail

Continuous, append-only, tamper-evident.

Every mutating action lands in a continuous audit log with the actor, the action, a redacted view of the change, and a per-request correlation ID. The regulator sees the record itself, not a story you tell.
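As an added illustration (not Kinetiq's code; the page does not say how its ledger is built), one common way to make an append-only log tamper-evident is a hash chain: each record carries the actor, action, redacted change and correlation ID named above plus the hash of the previous record, so any later edit or deletion fails verification. The field names, the redaction list and the sample records are constructed for the example.

```python
"""Hash-chained, append-only audit ledger (illustrative; not Kinetiq's code)."""
import hashlib
import json

# Assumed names of sensitive fields whose values are masked in the stored view.
SENSITIVE_FIELDS = {"ssn", "dob", "claim_amount"}
GENESIS = "0" * 64  # prev-hash of the first record


def redact(change: dict) -> dict:
    """Keep field names so the record shows *what* changed, mask sensitive values."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in change.items()}


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLedger:
    def __init__(self) -> None:
        self.entries: list[dict] = []  # append-only: no update or delete methods

    def append(self, actor: str, action: str, change: dict, correlation_id: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "change": redact(change), "correlation_id": correlation_id, "prev": prev}
        body["hash"] = _digest(body)  # hash covers everything but itself
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> int:
        """Return the index of the first bad record, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def demo() -> tuple[int, int, dict]:
    """Constructed records: verify an intact chain, then detect an out-of-band edit."""
    ledger = AuditLedger()
    ledger.append("foreman@example.com", "incident.update", {"status": "closed"}, "req-0001")
    ledger.append("director@example.com", "claim.update", {"claim_amount": 12000}, "req-0002")
    before = ledger.verify()                       # -1: chain intact
    ledger.entries[0]["actor"] = "someone-else"    # simulate a direct database edit
    return before, ledger.verify(), ledger.entries[1]["change"]
```

Removing or reordering a record breaks the `prev` link in the same way, so `verify()` catches deletion as well as edits.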

Compliance posture

The straight answer to the security questionnaire.

What we will say in writing today, with nothing oversold.

Multi-tenant? No. Single-tenant Azure deployment per customer. No shared database, no shared application instance.
Data residency: United States (West US 2) or Canada (Canada Central), per the Order Form and Data Processing Agreement. Other regions by quote.
Encryption: AES-256 at rest. TLS 1.2+ in transit. Additional field-level encryption on sensitive personal data.
Identity / SSO: Microsoft Entra ID single sign-on. External auditors via scoped Entra B2B guest, time-bound to the audit window.
Access control: Module-level role-based access control. Custom access matrix available on Site Plus and Enterprise tiers.
Audit log: Continuous, append-only, tamper-evident audit ledger covering every mutating action.
SOC 2 Type II: In progress on our side; happy to share current posture on a call.
HIPAA: Not in scope. Kinetiq makes no HIPAA compliance claim. Strong technical controls on personal data exist, but Kinetiq is not a HIPAA-regulated product.
FedRAMP: Not in scope.
ISO 45001: Kinetiq is not ISO 45001-certified. Use of Kinetiq does not confer ISO 45001 certification on your organization.
Third-party attestations: None held today. SOC 2 Type II is the active program of record.

Frequently asked

The questions IT and security teams open the call with.

How do users sign in?

Microsoft Entra ID single sign-on, using your existing corporate identity. External auditors are invited through a scoped Entra B2B guest pathway that is time-bound to the audit window and closes automatically when it ends.

How is our data isolated from other customers?

Single-tenant. Each customer gets a dedicated Azure deployment with a dedicated database and application instance. There is no shared multi-tenant database. Multi-tenant SaaS is not on the roadmap.

Can it work offline on the frontlines?

Yes. The Pulse field tablet is designed to operate without continuous connectivity on the frontlines. Records captured in the field sync back to the dashboard when connectivity returns. Wi-Fi coverage on the frontlines is not a precondition for using the platform.

Who can see what?

Access is controlled at the module level, not just the role level. A contractor foreman can see incidents without seeing workers' comp claims. A welder can see the job safety analysis without seeing the broadcast queue. On Site Plus and Enterprise, the access matrix is customized to your organization.

Where does our data live?

In your single-tenant Azure deployment, in the region you contract for: United States (West US 2) or Canada (Canada Central). Object storage for media and documents lives in the same region behind private containers with short-lived, signed access. No public storage URLs.

Can we get a deeper architecture and controls walkthrough?

Yes. We share an IT/Security Architecture Overview under NDA that covers authentication, authorization, data protection, transport, audit and observability, and secrets handling at the level of detail an IT or security team needs to clear a due-diligence review. Email [email protected] and we will send it.

For deeper detail

An IT/Security Architecture Overview, under NDA.

For an IT or security due-diligence review, we share a detailed architecture and controls document under NDA. The public summary is available as a one-page overview.