Compliance, built into every platform
Every product we ship is engineered in alignment with PCI DSS, ISO 27001, SBP, and AML/CTF frameworks. Our compliance posture is documented, reviewed, and audit-ready.

Standards: 4 tracked
Target SLA: 99.9%
Encryption: AES-256
Audit cadence: annual
One baseline. Every platform.
Karsaaz operates a single, documented control plane — the same security and compliance standards apply across every product, every deployment, and every customer engagement.
Encryption: AES-256 at rest · TLS 1.3 in transit
Architecture: Multi-AZ · high-availability ready
Target MTTR (P1): < 1 hour · response framework live
Data residency: PK default · region-locked option
Six standards, one framework
Our compliance roadmap covers the standards our partners and clients rely on.
PCI DSS Level 1
QSA-led audit in progress. Target: Q3 2026 · annual cycle.
ISO/IEC 27001
Gap analysis complete · ISMS implementation underway. Target: Q4 2026 · 3-year cycle.
SOC 2 Type II
Readiness planning underway. Target: Q1 2027 · annual cycle.
SBP-aligned
Controls aligned with BPRD, PRISM, and EIFD frameworks. Reviewed annually.
AML / CTF
Sanctions, PEP screening, and transaction monitoring built in. FATF-aligned.
CAIQ · SIG-Lite
Vendor assessment packs available under NDA, on request.
Defense in depth, by design
Six steps, always on
Continuous: controls drift tracked through internal monitoring.
Quarterly: internal review and evidence consolidation.
Pre-audit: auditor walkthrough and gap closure.
Audit window: 2–6 weeks · evidence retrieval and Q&A.
Attestation: report issued and shared with clients under NDA.
Re-attest: annual cycle · continuous improvement goal.
Governance Matrix
| Control domain | Standard | Verification detail | Cadence | Status |
|---|---|---|---|---|
| Data residency | SBP / GDPR | Geofencing and storage localization | Continuous | Active |
| Encryption | FIPS 140-2 | AES-256 key rotation verification | Daily | Active |
| Access control | ISO 27001 | User access reviews and MFA logs | Monthly | Active |
| Audit logging | PCI DSS | Immutability checks and retention | Continuous | Active |
| Vulnerability mgmt | SOC 2 | Scanning and remediation timelines | Weekly | Active |
| BCP / DR | ISO 27001 | Failover testing and RPO/RTO validation | Annual | Active |
| Vendor risk | SIG-Lite | Third-party assessment reports | Annual | Active |
| Incident response | AML / CTF | Runbook testing and disclosure logs | Quarterly | Active |
Eight controls, one stack.
Tokenisation: sensitive data replaced with non-reversible tokens.
Key management: hardware-backed lifecycle management for secrets.
Network isolation: complete environment segregation by default.
Secret rotation: automated credential updates without downtime.
Tamper-evident logs: cryptographically signed audit trails for integrity.
Anomaly detection: AI-driven behavior analysis across infra logs.
Access reviews: just-in-time access with mandatory peer reviews.
Drift detection: automated infra remediation for baseline drift.
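The "tamper-evident logs" control and the "immutability checks" row of the governance matrix both rest on the same mechanism: each audit entry is bound to the one before it and authenticated with a key the application cannot forge. The example below is added here to show that mechanism concretely; it is not Karsaaz code and says nothing about how their platform implements it. It assumes an HMAC-SHA256 keyed chain (an HMAC standing in for the signature, with the key assumed to live in an HSM or KMS rather than in source as it does here), constructed sample events, and a verifier that reports the first entry at which the chain breaks.

```python
import hashlib
import hmac
import json

# Constructed key for the example only. A real deployment would keep this in
# an HSM/KMS (the "hardware-backed key management" control) and never in code.
SIGNING_KEY = b"example-signing-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" for the first entry


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event, linking it to the previous entry's MAC and MACing the result."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    mac = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Recompute every MAC and link.

    Returns (True, -1) if the chain is intact, otherwise (False, i) where i is
    the first entry whose sequence number, back-link or MAC does not check out.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i
                or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return False, i
        prev = entry["mac"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample events (not real log data)."""
    chain = []
    for ev in [
        {"actor": "alice", "action": "login", "result": "ok"},
        {"actor": "alice", "action": "export_report", "result": "ok"},
        {"actor": "bob", "action": "login", "result": "denied"},
    ]:
        append_entry(chain, ev)
    return chain


def tampered_chain() -> list:
    """An attacker with write access rewrites a denied login as successful."""
    chain = build_sample_chain()
    chain[2]["event"]["result"] = "ok"
    return chain


def truncated_chain() -> list:
    """An attacker deletes an entry from the middle of the log."""
    chain = build_sample_chain()
    del chain[1]
    return chain


if __name__ == "__main__":
    print("intact   :", verify_chain(build_sample_chain()))
    print("tampered :", verify_chain(tampered_chain()))
    print("truncated:", verify_chain(truncated_chain()))
```

Two caveats a practitioner would want: the back-link catches edits and deletions inside the log, but not deletion of the most recent entries, so the latest MAC must also be anchored somewhere the log writer cannot alter (a separate store, a timestamping service, or the client-side evidence packs the page mentions); and an HMAC only proves integrity to holders of the key, so where third parties such as auditors must verify independently, an asymmetric signature over the same canonical body is the right substitution.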
PCI DSS Level 1, ISO 27001, SOC 2 Type II, SBP-aligned, AML/CTF-aligned. Active audits and targets are published in our compliance roadmap.
Yes — NDA + DPA executed within 24 hours. Pack includes CAIQ, SIG-Lite responses, architecture overview, and current attestation status.
Per-tenant keys, residency-locked deployments, and RBAC enforced at application and data layers.
P1 incidents are disclosed within 24 hours via the status page. Detailed post-mortems are shared with affected clients within 5 business days.
EU-corridor support is available on request. A DPA with Standard Contractual Clauses is provided on engagement.
The customer. Evidence packs are exported at each milestone for client retention.