Built for the people who'll be asked to defend the export.
Barristers and CISOs read this page. The summary is plain and the primitives below are deliberate. If something here matters to your assessment, write to [email protected].
Primitives
What the platform does.
Encryption at rest
Postgres data is encrypted at the storage layer; per-tenant secrets are sealed with envelope encryption.
Mandatory 2FA
TOTP enrolment is required before the operator surface unlocks. WebAuthn keys are supported as a second factor.
Audit hash chain
Append-only audit log; each entry includes the SHA-256 of the previous entry, so tampering is detectable end-to-end.
Signed evidence packs
Every export is signed with a long-term Ed25519 key; the public half is published below.
RIPA / IPA awareness
Capabilities that produce surveillance evidence are gated behind an active authorisation. Out-of-scope use is blocked, not just discouraged.
GDPR & ICO
K3K Intelligence is the data processor for operator data and the data controller for marketing-site enquiries. Both are covered under our ICO registration — ZB535305.
UK / EU data residency
Production data is hosted in UK and EU regions. We do not transfer operator data to non-adequate jurisdictions.
Independent inspector access
A read-only inspector role exposes the audit trail to authorised oversight bodies without granting operational access.
Disclosure
Evidence packs and the subjects that ride in them.
Court-ready PDFs ship with the audit chain head hash + first-break index baked into the cover, and subject identity is pseudonymised by default — two-person unmask required to surface real names.


Org controls
The settings that gate every action.
Mandatory 2FA, per-org IP allowlist, retention floor, protective-marking defaults — all configured in one place and enforced on every state-changing call.

Privacy-first M2M SIM connectivity
Privacy-first M2M SIMs. Not registered to an individual subscriber, no MSISDN, no retail-channel paper trail. Standard cellular-network metadata still applies (lawful intercept, etc.) — talk to us about your specific privacy threat model.
We don't claim “anonymous” — the cellular network still sees a SIM, an IMSI, and a base station. What the M2M-SIM purchase path removes is the consumer-facing attribution: there's no name on a phone bill, no SIM-registration form, no SMS endpoint exposed to attackers looking to harvest authentication codes. If your threat model needs more than that, write to [email protected] and we'll walk through it before you commit.
Responsible disclosure
We welcome reports from security researchers. Send findings to [email protected]. We acknowledge within two working days and target remediation SLAs by severity.
PGP fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX (placeholder — replace with the published fingerprint)
Evidence-pack signing key
All evidence packs are signed by the K3K Intelligence Ed25519 long-term key. The public half is:
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA3lMA…
-----END PUBLIC KEY-----
Key id: c2c2623bb839a030
How to verify a signed evidence pack
Every evidence pack ships as a PDF plus a detached Ed25519 signature. Verification is one command — no platform login required, no internet round-trip, no proprietary tooling. Run this on the operator's laptop, counsel's laptop, or an independent inspector's machine; the answer is the same.
1. Download the verifier (one-time)
A 4 KB Node script with zero dependencies. Available alongside the pack download in the operator panel, or from the K3K release page.
2. Run it against the pack
node verify-evidence-pack.mjs case-12345.pdf case-12345.sig
3. Read the result
VERIFIED — the pack is intact and was signed by K3K Intelligence with the key published above. Any tampering with the PDF or the signature breaks verification.
The verifier compares against the public key embedded above — no need to fetch it separately. If we ever rotate the key we'll publish the new PEM here and announce the change in the security mailing list.
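What a verifier of this kind does, shown as an added example rather than K3K's verify-evidence-pack.mjs: it checks a detached Ed25519 signature against a pinned public key using only Node's built-in crypto module. The key pair and PDF bytes are constructed for the demo; the function names, the raw file bytes as the signed input, and the SHA-256 fingerprint check are assumptions.

```javascript
// Added illustration, not K3K's verify-evidence-pack.mjs. Names are hypothetical.
const crypto = require('node:crypto');

// Fingerprint of a public key: SHA-256 over its DER-encoded SPKI form.
// Assumed scheme for out-of-band comparison; not the page's "Key id" format.
function keyFingerprint(publicKeyPem) {
  const der = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Verify a detached Ed25519 signature. Assumption: it covers the raw file bytes.
function verifyPack(fileBytes, sigBytes, pinnedPem, expectedFingerprint) {
  // The pinned key must be the one published out of band, or the result means nothing.
  if (keyFingerprint(pinnedPem) !== expectedFingerprint) return 'KEY MISMATCH';
  const key = crypto.createPublicKey(pinnedPem);
  if (key.asymmetricKeyType !== 'ed25519') return 'WRONG KEY TYPE';
  if (sigBytes.length !== 64) return 'MALFORMED SIGNATURE'; // Ed25519 sigs are 64 bytes
  // Algorithm is null: Ed25519 hashes the message itself, no separate digest step.
  return crypto.verify(null, fileBytes, key, sigBytes) ? 'VERIFIED' : 'FAILED';
}

// Constructed demo data: a throwaway key pair and stand-in PDF bytes.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const fp = keyFingerprint(pem);
  const pdf = Buffer.from('%PDF-1.7\nconstructed sample evidence pack\n%%EOF\n');
  const sig = crypto.sign(null, pdf, privateKey);

  const tamperedPdf = Buffer.from(pdf);
  tamperedPdf[20] ^= 0x01; // flip one bit of the document
  const tamperedSig = Buffer.from(sig);
  tamperedSig[0] ^= 0x01; // flip one bit of the signature
  const otherPem = crypto.generateKeyPairSync('ed25519')
    .publicKey.export({ type: 'spki', format: 'pem' });

  return {
    intact: verifyPack(pdf, sig, pem, fp),
    tamperedPdf: verifyPack(tamperedPdf, sig, pem, fp),
    tamperedSig: verifyPack(pdf, tamperedSig, pem, fp),
    truncatedSig: verifyPack(pdf, sig.subarray(0, 32), pem, fp),
    swappedKey: verifyPack(pdf, sig, otherPem, fp),
  };
}

console.log(demo());
```

The fingerprint check matters when the verifier and the pack arrive through the same channel: a verifier carrying a substituted key would report VERIFIED for packs signed by that substitute, so the pinned key is compared with a value obtained independently.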
A note on abuse. If you believe a tracker on this platform is being used against you, please use the report abuse channel. It is reviewed within 24 hours, separately from security disclosures, and is not routed through the registered operator.