/security/controls is the buyer-grade companion to the high-level /security page. It enumerates every AICPA Trust Services Criterion in the Common Criteria (CC1 through CC9) plus the Confidentiality additional category, each annotated with:
- **The criterion itself**, in plain language.
- **The Kodori implementation**: what we actually do to satisfy it, in concrete terms.
- **Evidence**: where to look in the running product (page URL, table name, source-file path, or external subprocessor report).
- **Status**: Live today / Roadmap / On audit engagement.

36 controls in total.
Designed for the prospect's security-review packet:
1. **Hand it to your auditor before the contract.** Every "Live today" row is verifiable against the running product before a single dollar changes hands.
2. **Pre-fills the security questionnaire.** Most CAIQ-LITE / SIG-CORE / SOC 2 readiness questionnaires map back to the Common Criteria. The page is structured so the buyer's security team can copy-paste the Kodori implementation column directly into their questionnaire response.
3. **Honest about what isn't done.** "Roadmap" and "On audit engagement" tags mark controls that aren't fully implemented yet, typically the formal documentation pieces (incident response runbook, third-party penetration test report) that activate alongside the SOC 2 Type I auditor engagement. That engagement is currently `audit-pending` per the cert table: the technical substrate is ready, and the engagement is gated on revenue / funding rather than on readiness.
The /security page (high-level posture) and the certifications cert table (current statuses) are linked from the controls page header so a buyer can move between the three views naturally. The internal security policy set lives at /security/policies; a pre-filled CAIQ-LITE is available on request.
Need the full DPA, sub-processor list, or current security questionnaire? Email security@kumokodo.ai.