Security & Trust Center
Last updated: 2026-06-25
This document summarizes the security, privacy, compliance, and shared-responsibility posture of the Karta platform operated by LifeSage LLC ("Karta," "we," "us") for business and developer customers ("Customer") and their procurement review. It is informational only. It is not a warranty, guarantee, service-level commitment, or representation, does not create any contractual obligation, and does not amend, expand, supersede, or form part of, and is not incorporated by reference into, the agreement between Karta and Customer (including any Order Form, Terms of Service, Data Processing Addendum, or Sub-processor List, together the "Agreement"), except to the extent the Agreement expressly incorporates it. In the event of any conflict, the Agreement controls. Capitalized terms used but not defined here have the meanings given in the Agreement. Karta describes its controls as designed to achieve the stated objectives; no control is represented as absolute, error-free, or guaranteed to prevent every threat.
This document is published for Customer and Customer's procurement review only. It confers no rights on, and creates no obligation to, any third party, including Customer's end users, Authorized Users, or any downstream party, none of whom is an intended third-party beneficiary of this document. No statement in this document is a representation or warranty on which any person may rely.
This document is a current description and may change. Statements about plans, targets, timelines, or future certifications (including any SOC 2 timeline) are forward-looking, are not commitments, and may change or be withdrawn without notice. Karta is the sole authority on its then-current posture; the most recent version published by Karta supersedes prior versions.
1. Current Compliance Status
Karta is not currently SOC 2 certified and has not yet begun a SOC 2 examination; Karta intends to begin pursuing SOC 2 Type I in Q4 2026. Karta does not currently represent SOC 2 Type I, SOC 2 Type II, SOC 3, ISO 27001, ISO 42001, PCI DSS, HIPAA, FedRAMP, or Data Privacy Framework certification or attestation. Any target date is a goal, not a commitment, and is subject to change.
Karta is not certified under the EU-U.S. Data Privacy Framework, the UK Extension, or the Swiss-U.S. Data Privacy Framework. Cross-border transfers are instead addressed by the contractual transfer mechanisms described in Section 6 and in the Agreement and Data Processing Addendum.
Karta does not currently offer a HIPAA Business Associate Agreement, and no Karta document or control should be relied on for HIPAA compliance, unless Karta has expressly agreed in writing. Karta does not provide a regulated-data pathway except as separately agreed in writing.
Karta does not currently make audit reports, penetration-test results, or completed security questionnaires publicly available. Where such materials exist, they are provided, if at all, only under the Agreement or a confidentiality agreement and at Karta's discretion.
2. Architecture and Data Location
Karta uses a two-plane architecture designed to separate account/administration data from agent runtime and content:
- Control Plane: account, authentication, billing, organization, dashboard, and audit-log data, including the primary Postgres database, hosted in the United States (Hillsboro, Oregon) on Hetzner Online GmbH.
- Data Plane: hosted agent session compute, the durable workspace/merge store, and the per-session and hosted-chat transcript database, hosted on Amazon Web Services in the us-east-1 region (United States).
Each agent session is designed to run in a per-session isolated runtime environment provided by the underlying managed agent runtime (AWS Bedrock AgentCore), with tenant and workspace partitioning intended to separate Customer and end-user contexts. Hosting locations, regions, and infrastructure reflect the platform's current configuration and may change as the platform evolves; Karta will reflect material changes through its Sub-processor List or other reasonable means. Karta does not currently offer customer-selectable data-residency regions unless separately agreed in writing.
Customer Content and End-User Data are retained and deleted or returned as set out in the Agreement and the Data Processing Addendum, which control; this Section does not create any retention, deletion, or return obligation beyond those instruments.
3. Security Controls
The controls below describe practices the platform is designed to implement. They are provided for transparency, are subject to change, and are not representations, warranties, or guarantees. Current controls are designed to include:
- TLS encryption for Customer Data and End-User Data in transit;
- encryption at rest for designated stores, including provider-managed encryption for cloud storage;
- AES-256-GCM encryption for BYOK provider keys and designated secrets;
- bcrypt hashing for API keys;
- role-based access control (RBAC);
- scoped API keys and publishable embed keys;
- multi-factor authentication and passkey support, and step-up verification for sensitive actions;
- audit logging for account and operator actions, designed to be append-only for designated events;
- least-privilege operator access, designed to be restricted, logged, and separated from Customer account roles;
- tenant and workspace partitioning and per-session runtime isolation;
- dependency review and vulnerability management processes;
- backup and recovery processes for designated control-plane data; and
- operational health checks and an internal incident-response process.
This list is not exhaustive, describes the platform generally, and does not guarantee that any specific control applies to any specific data, surface, configuration, or point in time. Customer-configurable controls operate only when Customer enables and correctly configures them (see Section 7).
4. Data Protection Roles, Data Use, and Operator Access
Data-protection roles. For End-User Data and Customer Content processed through a Customer Agent, Customer is the controller (or business) and Karta acts as processor (or service provider) on Customer's documented instructions, as governed by the Data Processing Addendum. For Customer account, authentication, billing, dashboard, support, website, and platform-administration data, Karta acts as a controller, as governed by the Privacy Policy. This allocation is a summary; the Data Processing Addendum and Privacy Policy control.
Data use. Karta does not sell, and does not share for cross-context behavioral advertising, Customer Content or End-User Data; does not use it for targeted advertising; and does not use it to train AI or machine-learning models, in each case except as the Customer expressly opts in or as otherwise set out in the Agreement, Data Processing Addendum, or Privacy Policy. This Section is a summary and does not expand any commitment beyond those instruments, which control.
Operator access. Karta is designed so that Karta personnel do not access End-User Data or Customer Content in the ordinary course of operations. Karta personnel may access such data where reasonably necessary to operate, maintain, secure, or support the platform; to investigate suspected abuse, security incidents, or violations of the Agreement; or to comply with law or legal process. Such access is designed to be limited to authorized personnel on a least-privilege basis, logged, and, where product controls support it, governed by customer-configurable access settings and visible to Customer. Karta may also access, use, and disclose data as permitted by the Agreement and the Privacy Policy. This Section does not create any access-restriction obligation beyond those in the Agreement.
5. Subprocessors
Karta uses the following subprocessors to provide the platform: Stripe (payments and subscription billing; United States), Anthropic (LLM inference for non-BYOK requests; United States), Hetzner Online GmbH (control-plane hosting and primary Postgres; United States), Amazon Web Services (data-plane compute, the S3 workspace/merge store, and the RDS session/transcript database; United States), Postmark (transactional email; United States), and Sentry (application error monitoring and performance telemetry; United States). The current Sub-processor List, which controls, identifies each subprocessor's purpose, data categories, location, and contact. Karta may add, remove, or replace subprocessors and will provide notice and any objection mechanism as set out in the Agreement and Data Processing Addendum.
Model access modes affect subprocessor status. For Karta-managed model access, Karta contracts with the Model Provider and meters usage against Customer Credits, and the Model Provider acts as a subprocessor as listed. For BYOK access, Customer supplies its own provider key and contracts with and pays the Model Provider directly; for BYOK traffic the Model Provider is not a Karta subprocessor, and Customer is responsible for that provider relationship, its terms, and its data handling (see Section 7). BYOK provider keys supplied by Customer are encrypted at rest as described in Section 3 and used only to route Customer's own traffic to the designated Model Provider.
6. International Data Transfers
Where the platform transfers personal data across borders, such transfers are addressed by the contractual transfer mechanisms in the Data Processing Addendum. For transfers to subprocessors outside the exporting region (for example, to U.S. subprocessors), the Data Processing Addendum incorporates the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) under Module Two (controller-to-processor) and Module Three (processor-to-subprocessor), as applicable to the relevant role allocation; the UK International Data Transfer Addendum for UK transfers; and the Standard Contractual Clauses with the adaptations under the Swiss FADP for Swiss transfers, as applicable. Karta hosts the platform in the United States; where a Customer or its end users are located in the EEA, the United Kingdom, or Switzerland, the resulting transfers of personal data to Karta and its U.S. subprocessors are addressed by the transfer mechanisms above, with Karta acting as data importer. This Section is a summary; the Data Processing Addendum controls.
7. Shared Responsibility
Security and compliance are a shared responsibility. Karta is responsible only for the platform controls it provides, as described in the Agreement. Customer is solely responsible for:
- Agent code, prompts, instructions, tools, skills, MCP servers, dependencies, and data sources, and for the security and lawfulness of each;
- end-user notices, consents, disclosures, and legal bases, and for its relationship with its end users (Karta is not a party to the Customer–end-user relationship);
- third-party integrations, services, and accounts Customer connects, including BYOK provider keys and the BYOK provider relationship;
- configuring access controls, roles, spend and usage caps, BYOK keys, webhooks, and embeds, and selecting and enabling available security settings;
- safeguarding its credentials, API keys, embed keys, and tokens, and promptly rotating or revoking any that may be compromised;
- reviewing, validating, and approving Outputs and Agent Actions before relying on or acting on them;
- securing Customer systems, applications, end-user products, and data connected to or served through the platform; and
- complying with all laws applicable to Customer's product, agents, and users, and not submitting prohibited data (Section 8).
Karta has no obligation to monitor, review, validate, or correct Customer's configuration, content, agents, or integrations. Customer is responsible for the acts and omissions of its Authorized Users and its end users in connection with the platform as if they were Customer's own. Customer's responsibilities under this Section survive any expiration or termination of the Agreement to the extent they relate to acts, omissions, or data arising before or in connection with that expiration or termination.
To the extent a security or compliance issue arises from Customer's configuration, content, agents, integrations, credentials, Authorized Users, end users, or failure to perform the responsibilities above, that issue is outside the scope of the controls Karta provides and is Customer's responsibility, without limiting any allocation of risk, indemnity, or limitation of liability in the Agreement.
8. Prohibited and Regulated Data
The platform is intended for business and developer use by Authorized Users who are 18 or older, and not for personal, family, household, or child-directed use. Unless Karta has expressly agreed in writing to support it for Customer, Customer must not submit to the platform, and must not configure its agents or end-user products to submit, regulated or specially protected data, including protected health information (PHI) subject to HIPAA, payment card or cardholder data subject to PCI DSS, Social Security numbers or other government-issued identifiers, financial-account data subject to GLBA, or other data subject to heightened legal or regulatory requirements. Customer is solely responsible for any such data it submits in breach of this Section and for the consequences, and assumes all related risk. If Karta reasonably believes that prohibited or regulated data is being or has been submitted, Karta may, without liability and in addition to its other rights, suspend, throttle, restrict, or terminate access to the affected agents, surfaces, or account. Customer will defend, indemnify, and hold Karta harmless from any claim, loss, or liability arising from Customer's submission of prohibited or regulated data in breach of this Section, in each case subject to and as further set out in the Agreement. This Section supplements, and does not limit, the data restrictions, suspension rights, and indemnities in the Agreement.
9. Vulnerability Disclosure and Researcher Safe Harbor
Karta welcomes reports of suspected security vulnerabilities. Report them to security@karta.sh, or through Karta's coordinated disclosure policy at /security-policy or /.well-known/security.txt where available. Do not use the abuse or DMCA channels for vulnerability reports unless there is active exploitation affecting third parties. Please include enough detail to reproduce and validate the issue, and give Karta a reasonable opportunity to investigate and remediate before any public disclosure.
For good-faith security research that complies with this policy, Karta considers the research to be authorized access for purposes of Karta's own enforcement rights, and Karta will not bring or support a legal claim against the researcher under the Computer Fraud and Abuse Act or analogous anti-hacking or computer-misuse laws, provided the researcher: (a) acts in good faith to avoid privacy violations, data destruction, service degradation, and interruption to others; (b) accesses, modifies, or exfiltrates only the minimum data necessary to demonstrate the issue, and does not access, use, store, retain, or disclose Customer Data or End-User Data beyond what is necessary; (c) does not perform denial-of-service, social-engineering, physical, or spam testing, and does not test infrastructure operated by Karta's subprocessors or other third parties; (d) reports promptly, keeps the report confidential until Karta authorizes disclosure, and observes any disclosure-embargo period Karta sets at its discretion; (e) is not a competitor of Karta and is not acting on behalf of a competitor; (f) is not located in, ordinarily resident in, or organized under the laws of any country or territory subject to comprehensive U.S. or EU sanctions or embargo, and is not a person with whom Karta is prohibited from dealing under applicable sanctions or export-control laws; and (g) complies with all applicable laws.
Karta cannot and does not purport to authorize conduct on behalf of any Customer, subprocessor, or other third party, to make any conduct lawful, or to waive or limit the rights of any governmental authority. This statement is a limited, revocable assurance of non-enforcement by Karta only, is offered at Karta's sole discretion, does not waive any third party's rights, and is not a bug-bounty program or an offer of compensation. Karta does not currently operate a paid bug-bounty program.
10. Incident Communications
Karta maintains an internal incident-response process. In the event of a confirmed security incident affecting Customer Data or End-User Data for which Karta is responsible, Karta will notify the affected Customer without undue delay, to the extent and in the manner required by the Agreement, the Data Processing Addendum, and applicable law, using the contact information on file. Karta may communicate about incidents by email, in-product notice, a trust or status surface, or other reasonable channels. Any notice will be made in good faith based on information then available, may be preliminary or updated as the investigation proceeds, and is not an admission of fault, liability, or wrongdoing by Karta. Karta does not commit to any public status page or to any notification service level unless an Order Form expressly says otherwise. Karta's notification obligation under this Section runs to Customer only, and not to Customer's end users, Authorized Users, regulators, or any other third party, none of whom is an intended beneficiary of this Section. Customer is responsible for any notifications Customer owes to its own end users, regulators, or other parties, and for maintaining current contact information with Karta.