Security

How we protect the information we review.

A firm that reviews cybersecurity and AI should be able to explain how it handles access, data, evidence, retention and tools.

Baseline principle

Kronixial requests only the evidence needed for the contracted scope and only for the necessary time. We do not request credentials, logs or sensitive documents without authorization and context.

  • NDA and SOW before sensitive evidence.
  • Separate folders by client.
  • Least privilege and temporary access.
  • No reuse of client evidence.

Security contact

For security reports, brand abuse or information handling questions:

security@kronixial.com

This package also includes a security.txt file.

Access control

MFA for critical accounts, password manager, least privilege, temporary access and client separation.

Data handling

Minimization, separated folders, no evidence sharing through informal channels and third-party control.

Retention

Retention is defined in the SOW. Evidence may be deleted, returned or retained for an agreed period.

AI use

We do not send sensitive client data to public AI tools without explicit authorization and controls.

Secrets

Credentials, tokens and keys should not travel by email or chat. They are handled through vaults or agreed mechanisms.

Subprocessors

Email, storage, signature, CRM or project tools are documented when the engagement requires it.

Vendor review question | Kronixial suggested answer
Do you use MFA? | Yes, MFA is required for critical accounts and internal tools.
How do you handle client data? | Through scope, minimization, separated folders and defined retention.
Do you use AI with client data? | Not by default. It requires explicit authorization and removal of sensitive data where applicable.
Can you delete evidence at closure? | Yes, according to the SOW and continuity, legal or audit needs.