Security and responsible disclosure

How we protect km0digital.com, KM0 Cloud, and related infrastructure, and how to report security vulnerabilities in good faith.

Last updated: June 2026

Security practices

KM0 Digital is operated by AMVARA CONSULTING S.L. We apply practices appropriate to a public marketing site and a self-hosted cloud platform:

  • Encryption: HTTPS/TLS for km0digital.com and cloud.km0digital.com (Let's Encrypt certificates).
  • HTTP security headers: including Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy where configured.
  • EU infrastructure: hosting in Germany (Hetzner) with data processed primarily within the EU.
  • Access control: least privilege for operational access; multi-factor authentication for internal systems where applicable.
  • Development: protected main branch, code review, dependency monitoring, and documented operations in the technical blog.
  • Backups and monitoring: operational backups and logging for reliability and incident response.

We do not claim SOC 2, HIPAA, or CCPA compliance, penetration-test programmes, or third-party audits unless explicitly verified and published.

For privacy-related information, see our legal and privacy page.

ISO/IEC 27001:2022

AMVARA CONSULTING S.L. is certified to ISO/IEC 27001:2022 by TÜV NORD CERT. KM0 Digital and cloud.km0digital.com fall within AMVARA's certificate scope as part of its platform and associated cloud-native services.

KM0 Digital does not hold ISO 27001 certification under its own name. We design, deploy, and maintain KM0 under AMVARA's certified information security management system and follow those controls in our operations.

If you need the certificate, statement of applicability, or a security questionnaire, contact hello.yoel@amvara.de.

Responsible vulnerability disclosure

We welcome good-faith reports of security vulnerabilities affecting km0digital.com, cloud.km0digital.com, and related AMVARA-operated infrastructure for KM0.

Please do:

  • Report vulnerabilities promptly to hello.yoel@amvara.de.
  • Provide clear reproduction steps and impact assessment.
  • Avoid accessing, modifying, deleting, or exfiltrating data that is not yours.
  • Stop testing once a vulnerability is confirmed.
  • Allow reasonable time for remediation before public disclosure.

Please do not:

  • Conduct denial-of-service attacks.
  • Use social engineering, phishing, spam, or physical attacks.
  • Perform unauthorised data access or exfiltration.
  • Run intrusive automated scanning of production without prior written approval.
  • Attempt lateral movement or persistence, or disclose the issue publicly before we have had time to address it.

AMVARA will:

  • Acknowledge valid reports.
  • Investigate and communicate when appropriate.
  • Remediate based on severity and risk.
  • Not pursue legal action against researchers who follow this policy in good faith.

Security contact: hello.yoel@amvara.de. Machine-readable policy: /.well-known/security.txt.