Global Trust Infrastructure · 195 countries · SOC 2 readiness roadmap
Trust & compliance

The controls behind every signed report.

KeyBS is the evidentiary record for regulated buyers. We publish what we run, where data lives, who touches it, and which regulations our reports help you satisfy.

Controls

Data residency
EU (Frankfurt) primary; US (Virginia) on contract. No data transit through Tier 5 jurisdictions.
Encryption
TLS 1.3 in transit; AES-256 at rest; per-tenant keys via KMS.
Access model
Analyst and agent access is RBAC-scoped per assignment. Admin actions are append-only logged.
Retention
Supplier documents auto-purge 90 days post-decision. Signed reports retained 7 years unless contracted otherwise.
Backups
Point-in-time recovery to 7 days; nightly snapshots retained 35 days.
Incident response
24h initial customer notification on any confirmed data incident; root-cause within 14 days.

Regulations our reports help you document

  • EU CSDDD
    Per-supplier dossier with named reviewer satisfies the 'know your value chain' evidentiary standard.
  • UFLPA (US)
    Tier 4–5 reports document origin and operations for goods from at-risk regions.
  • Modern Slavery Act (UK / AU)
    Annual statement appendix listing verified suppliers and confidence scores.
  • AMLD6 / FinCEN CDD
    KYB record meeting beneficial-ownership and sanctions documentation requirements.
  • ISO 37001
    Anti-bribery due-diligence file per counterparty.

KeyBS provides evidentiary records; we are not a law firm. Customers remain responsible for their own compliance determinations.

Sub-processors

| Provider | Purpose |
|---|---|
| AWS (eu-central-1, us-east-1) | Primary infrastructure |
| Cloudflare | Edge, WAF, DDoS protection |
| Stripe | Payment processing |
| Resend | Transactional email |
| OpenCorporates | Cross-jurisdictional registry reference data |
| Refinitiv World-Check | Sanctions, PEP, and adverse-media screening |

Chain of custody for analyst sign-off

  1. Order received; tier locked to the country's published depth.
  2. Automated registry pull and sanctions screen; raw evidence stored with timestamp + source URL.
  3. Analyst assignment by jurisdiction expertise; conflicts checked against customer roster.
  4. Where required: local agent dispatched; visit timestamped with geotagged photos.
  5. Lead analyst peer-reviews decision before issuance; any downgrade flagged in the report.
  6. Report signed with KeyBS private key; verifier publishes the matching public key.