Security Is Foundational.
Enterprise procurement teams and auditors — everything you need to evaluate our security posture, compliance certifications, and data handling commitments.
Certifications & Standards
Our security and data handling practices are certified and aligned with industry-recognized frameworks.
ISO/IEC 27001:2022 (status: Certified)
Certified information security management system — independently audited with annual reviews, risk assessments, and mandatory security training for all personnel.
GDPR (status: Active)
Full compliance with the General Data Protection Regulation including data subject rights, breach notification, DPO oversight, and Article 28 data processing terms.
SOC 2 Type II (status: Target Q2 2026)
Enterprise-grade controls for security, availability, and confidentiality — building on existing ISO 27001 controls mapped to Trust Services Criteria.
25 Verifiable Controls
Granular security controls across infrastructure, organizational, product, and operational domains — each with a verifiable statement.
Infrastructure Security
Cloud hosting, encryption, network isolation, and backup controls.
Cloud Hosting
All production workloads hosted on Microsoft Azure with ISO 27001 and SOC 2 certified data centers.
Network Isolation
Virtual network segmentation with no public IP addresses on application servers; all traffic routed through Azure Front Door.
Encryption at Rest
All data encrypted at rest using AES-256 via Azure Storage Service Encryption and Azure SQL TDE.
Encryption in Transit
All communications encrypted with TLS 1.2+ minimum; HSTS enforced with 1-year max-age.
Key Management
Encryption keys managed via Azure Key Vault with HSM-backed keys and quarterly rotation.
DDoS Protection
Azure DDoS Protection Standard enabled on all public endpoints with auto-mitigation.
Geo-Redundant Backups
Automated daily backups with geo-redundant storage; 30-day retention with point-in-time restore.
Infrastructure as Code
All infrastructure provisioned via Terraform/Bicep with version-controlled state and PR-gated deployments.
Organizational Security
Policies, training, insurance, and access governance.
Security Training
All personnel complete annual security awareness training with tracked completion rates.
Background Checks
Pre-employment background verification conducted for all staff with access to production systems.
Access Reviews
Quarterly access reviews conducted across all systems with documented approvals and revocations.
Acceptable Use Policy
Enforced acceptable use policy covering devices, data handling, and third-party tool usage.
Cybersecurity Insurance
Active cyber liability insurance policy covering data breach, ransomware, and business interruption.
Product Security
Authentication, authorization, logging, and code-level protections.
Authentication
Multi-factor authentication (MFA) enforced for all user accounts; SSO via Azure AD supported.
Role-Based Access Control
Granular RBAC with project-level, discipline-level, and document-level permissions; principle of least privilege enforced.
Privileged Identity Management
Just-in-time elevated access via Azure PIM; all admin actions logged with approval workflows.
Session Management
Automatic session timeout after 30 minutes of inactivity; concurrent session limits enforced.
Audit Logging
All data access, modifications, and administrative actions logged with user identity, timestamp, and IP; logs retained for 12 months.
Input Validation
Server-side input validation on all API endpoints; parameterized queries prevent SQL injection.
Dependency Scanning
Automated dependency vulnerability scanning via Snyk/Dependabot on every PR with blocking on critical CVEs.
Operational Security
Change management, vulnerability scanning, monitoring, and testing.
Change Management
All production changes go through documented change management with peer review and staged rollout.
Vulnerability Management
Monthly vulnerability scans on all production infrastructure; critical findings remediated within 72 hours.
Penetration Testing
Annual third-party penetration testing conducted by an independent security firm; findings tracked to closure.
Monitoring & Alerting
24/7 monitoring via Azure Monitor and Application Insights; automated alerts for anomalies with on-call rotation.
Configuration Management
Maintained configuration baseline for all production systems; drift detection enabled.
How We Operate
From code to cloud — the practices that keep your data safe across the entire development and operations lifecycle.
Secure Development Lifecycle (SDLC)
Code reviews mandatory on all pull requests. Static analysis (ESLint security rules, SonarQube) runs on every commit. Staging environment mirrors production for pre-release validation. No direct commits to main — all changes go through protected branches with CI/CD gates.
Vulnerability Management
Monthly automated scans across all production infrastructure (Azure Security Center). Dependency scanning on every PR (Snyk/Dependabot). Critical CVEs remediated within 72 hours. Medium within 30 days. All findings tracked in a risk register with assigned owners.
Business Continuity & Disaster Recovery
Documented BCP and DR plans tested annually. RPO: 1 hour (geo-redundant backups). RTO: 4 hours (automated failover). Runbooks maintained for all critical services with defined escalation paths.
Employee Security Training
Annual security awareness training for all personnel (phishing simulations, data handling, incident reporting). Role-specific training for developers (OWASP Top 10, secure coding) and ops (cloud security, access management). Completion tracked and enforced.
Vendor Risk Management
All third-party vendors assessed for security posture before onboarding. Annual reassessment of critical vendors. Vendors must demonstrate SOC 2 or ISO 27001 compliance. Data processing agreements in place for all sub-processors per GDPR Article 28.
Our Commitments to Your Data
Six non-negotiable promises that govern how we handle every byte of your project data.
Structured Response, Defined SLAs
A 6-phase incident response lifecycle with severity-based SLAs and transparent client communication.
1. Detection: Automated monitoring detects anomalies via Azure Monitor, Application Insights, and Security Center alerts. Users can also report incidents via support channels.
2. Triage & Classification: Incidents classified by severity (P1–P4) within the acknowledgement SLA. Initial impact assessment and team assignment.
3. Containment: Immediate actions to limit blast radius: isolate affected systems, revoke compromised credentials, block malicious IPs.
4. Eradication: Root cause identified and eliminated. Affected systems patched, hardened, or rebuilt as needed.
5. Recovery: Services restored from clean backups or failover. Validation testing before full restoration. Monitoring intensified for 72 hours post-recovery.
6. Post-Incident Review: Blameless post-mortem conducted within 5 business days. Root cause analysis published. Corrective actions tracked to completion in risk register.
Severity-Based SLAs
| Severity | Definition | Acknowledge | Contain | Eradicate | Recover | Client Notification |
|---|---|---|---|---|---|---|
| P1 — Critical | Data breach, complete service outage, or active exploitation | 15 minutes | 1 hour | 8 hours | 24 hours | Within 1 hour of confirmation |
| P2 — High | Partial service degradation, potential data exposure, or high-severity vulnerability | 30 minutes | 2 hours | 24 hours | 48 hours | Within 4 hours |
| P3 — Medium | Non-critical system issue, low-risk vulnerability, or policy deviation | 4 hours | 24 hours | 5 business days | 10 business days | Next scheduled update |
| P4 — Low | Informational, cosmetic, or improvement-category findings | 1 business day | N/A | 30 business days | N/A | Quarterly report |
Communication Protocols
P1/P2 Incidents
Direct email notification to designated client security contacts within the SLA window. Status updates every 2 hours until resolved.
Monthly Security Digest
Summary of all incidents (redacted), control changes, and compliance updates sent to client security contacts.
Post-Mortem Reports
Post-incident reports available in the Trust Center vault for P1/P2 incidents within 10 business days.
Data Residency & Sovereignty
Choose your deployment region. Your data stays where you need it — guaranteed by contract.
Contractual Guarantees
Production data is never replicated outside the contracted Azure region without explicit written consent.
Data residency region is specified in the contract and can be changed upon mutual agreement.
Where data crosses borders (e.g., for AI processing), Standard Contractual Clauses (SCCs) are in place per GDPR Chapter V.
Clients have the right to audit data location compliance, either directly or through an appointed third-party auditor.
Infrastructure Partners
Third-party services that process data on behalf of the platform, disclosed for GDPR transparency.
| Vendor | Purpose | Data Location | Encryption | Compliance |
|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, compute, storage, database, identity | West Europe (Netherlands), Southeast Asia (Singapore) — negotiable per contract | AES-256 at rest, TLS 1.2+ in transit | ISO 27001, SOC 2 Type II, GDPR |
| MongoDB Atlas | Document database (metadata, configurations) | Azure-hosted, same region as primary workload | AES-256 at rest, TLS 1.2+ in transit, client-side field-level encryption available | ISO 27001, SOC 2 Type II, HIPAA, GDPR |
| Google Cloud Platform | AI/ML services (Gemini, Vertex AI), analytics | US Multi-region — data processed ephemerally, not stored | TLS 1.3 in transit, encryption at rest for any cached data | ISO 27001, SOC 2 Type II, GDPR |
| Autodesk Platform Services | 3D model translation and viewing (Forge/APS) | US-based processing; translated derivatives stored in Azure | TLS 1.2+ in transit, AES-256 at rest | SOC 2 Type II, ISO 27001 |
| Cloudflare | CDN, DDoS protection, WAF, DNS | Global edge network — no data stored, pass-through only | TLS 1.3 in transit, no data at rest | ISO 27001, SOC 2 Type II, GDPR |
| Twilio SendGrid | Transactional email delivery (notifications, reports) | US-based processing; email metadata retained per SendGrid policy | TLS in transit | SOC 2 Type II, GDPR |
Sub-processor list updated quarterly. Material changes communicated to clients 30 days in advance per our DPA terms.
Where We're Headed
Current certifications and planned framework adoption — our multi-year compliance trajectory.
ISO/IEC 27001:2022 (2024): Independently audited ISMS. Annual surveillance audits.
GDPR (2024): Full compliance including DPO oversight and Article 28 DPA terms.
SOC 2 Type II (Q2 2026): Trust Services Criteria mapped from ISO 27001 controls. Audit engagement underway.
Business continuity management system (2027): Alignment under evaluation.
Healthcare framework (TBD): Evaluating applicability for healthcare infrastructure clients.
Payment card framework (TBD): Under consideration for clients processing payment card data.
Last updated: 2026-03-07
Full Compliance Documentation
Request access to our Trust Center vault — ISO 27001 certificate, penetration test summary, DPA template, security architecture overview, and BCP documentation.
Security & Compliance FAQ
Is Konnect xD secure?
Yes — Konnect xD implements encryption at rest and in transit, multi-factor authentication, role-based access control, and full GDPR compliance. The platform undergoes regular security updates and independent audits as part of our ISO 27001 certification.
Who owns the data?
You do. Twintech acts as the data custodian under clearly defined Controller/Processor roles (GDPR Article 28). Full data export is available at any time — no vendor lock-in, no data hostage.
Where is data stored?
Data is stored in secure Azure cloud environments that comply with ISO 27001 international security standards. Data residency location is negotiable per contract to meet your regulatory requirements — we offer regions in Europe, Asia-Pacific, Middle East, and Americas.
Does Konnect xD comply with GDPR?
Yes — full GDPR compliance including data subject rights (access, rectification, erasure, portability), breach notification within mandated timelines, and Data Protection Officer oversight. Our EULA includes comprehensive Article 28 data processing terms.
What happens to our data if we leave?
You receive a full data export in standard formats, after which all data is securely deleted from all servers. This process is documented in our data processing agreement.
Is there an audit trail?
Yes — all data access and modifications are logged with timestamps and user identifiers. Audit logs are retained for 12 months and reports are available on request for your compliance team.
What security controls does Konnect xD have?
We maintain 25+ security controls across four categories: Infrastructure (encryption, network isolation, DDoS protection), Organizational (training, background checks, access reviews), Product (MFA, RBAC, audit logging, input validation), and Operational (vulnerability scanning, pen testing, monitoring). All controls are reviewed quarterly.
What is your incident response process?
We follow a 6-phase incident response lifecycle: Detection, Triage & Classification, Containment, Eradication, Recovery, and Post-Incident Review. Critical incidents (P1) are acknowledged within 15 minutes with client notification within 1 hour. All P1/P2 incidents include blameless post-mortems.
Can we choose where our data is hosted?
Yes — we offer four Azure deployment regions: Europe (Netherlands), Asia-Pacific (Singapore), Middle East (Dubai), and Americas (Virginia). Your data residency region is specified in the contract and production data is never replicated outside the contracted region without explicit written consent.
How can we access compliance documentation?
Request access through our Trust Center vault at /trust/vault. Available documents include our ISO 27001 certificate, penetration test executive summary, DPA template, security architecture overview, business continuity plan summary, and sub-processor data flow map.
Powering Mega-Projects Worldwide
From FPSOs in Guyana to LNG in Canada — Konnect xD connects Asset Owners, EPC Contractors, and Construction Yards on a single digital thread.
Measured, Not Marketed
Every number here is from production. No inflated benchmarks, no hypothetical projections.
What Our Clients Say
Real feedback from construction directors and general managers running Konnect xD on live projects.
Konnect xD is one of the greatest and most exciting opportunities to improve what we do and land construction into the 21st century.
Konnect xD interfaces with a large number of our systems, both internal and external, and is able to act as a cornerstone for system integration. Konnect xD plays a critical role in getting all the data integrated, analysed and presented.
See the Platform
Explore how Konnect xD connects every layer of project execution — or start a guided pilot on your real project data.