Klave
Klave is a zero-trust PaaS for confidential applications. It provides a reliable and secure infrastructure on which businesses can build and run their applications without fear of interference from third-parties. All applications are deployed within Trusted Execution Environments (TEEs) safeguarding data and business logic integrity and confidentiality at all times.
Features
- Security: Code and data encrypted at all times
- Integrity: Tamper-proof code and data at all times
- Honesty: Zero-trust through attestation and verifiability
- Confidential computing and TEEs made easily accessible
- No-operations platform with scalability and redundancy built-in
- Developer tooling for quick app scaffolding
- Integration into developer workflows
- Multi-language support for app development
- Access to a global application marketplace
Benefits
- Enable sensitive data collaboration use cases
- Unlock access to sensitive data silos
- Enable the usage and manipulation of sensitive data in the cloud
- Provide data and IP governance through attestation and verifiability
- Enable data lineage and traceability
Pricing
£5,000 a licence
- Education pricing available
- Free trial available
Framework
G-Cloud 14
Service ID
987569653605967
Contact
SECRETARIUM LTD
Bertrand Foing
Telephone: 07595300325
Email: bertrand@secretarium.org
Service scope
- Service constraints
-
There are currently no service constraints.
Klave is designed to be a high-availability service not needing maintenance windows. If a maintenance window with a service cut-off is necessary, Secretarium Ltd adheres to the following:
For Planned Maintenance Secretarium Ltd provides customers with at least twenty four (24) hours’ advance notice of any such planned maintenance, the details of which will be discussed and agreed in advance with customers.
For Emergency Maintenance Secretarium Ltd provides customers with at least six (6) hours’ advance notice of any such planned maintenance, the details of which will be discussed and agreed in advance with customers.
- System requirements
-
- On-premises: Must run on Intel SGX compatible hardware
- On-premises: Must be deployed on a compatible Linux distro
- Cloud/hybrid: Deployed on bare-metal machine with Intel SGX compatible processors
- Access to the service: Device with internet access running
- Access to the service: Use of a modern internet browser
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- 48-hr response time
- User can manage status and priority of support tickets
- No
- Phone support
- No
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 A
- Web chat accessibility testing
- None.
- Onsite support
- No
- Support levels
-
1) Support Level - Mail + Discord.
2) Support Cost - Basic support (Mail + Discord) is free of charge while Advanced Support cost (Call + Support++) will vary depending on customer needs (charged on a Time & Material Basis)
3) Both Technical Account Manager and Cloud Support Engineer are available to support all customers when needed
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- We offer multiple resources to facilitate users in starting to use our service seamlessly. Our documentation includes a Quickstart onboarding section and detailed technical descriptions to guide users through the initial setup. Additionally, we provide onboarding and feature videos to supplement the documentation and offer visual aids. Users can schedule free demo meetings with us for personalised assistance in onboarding. Access to our documentation, videos, and other onboarding materials is made easy through our website and Discord channel. Furthermore, we provide direct support on Discord during UK working hours to address any queries or issues users may encounter during onboarding. With these comprehensive resources and personalised support options, we ensure that users can confidently and efficiently begin using our service.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Videos
- End-of-contract data extraction
- Ending a contract requires extracting valuable data. This process involves planning what needs to be retrieved (reports, customer data) and how (considering data formats and security). Then, data is extracted from various sources (databases, drives) while maintaining its original structure. Quality checks ensure completeness and accuracy. Finally, secure transfer with encryption protects the data. Documentation records the process for future reference. Once confirmed by the other party, any remaining data is disposed of securely. The contract is finalized by confirming data transfer and completing any outstanding obligations. By prioritizing critical data, exploring automation, and potentially anonymizing sensitive information, this process ensures a smooth and secure end-of-contract data extraction.
- End-of-contract process
- Prior to contract closure, any end-of-contract requirements and obligations are identified and examined, ensuring all contract deliverables are completed, submitted and approved by the relevant stakeholders. Any outstanding work or issues are resolved and a final meeting with the relevant stakeholders is conducted to discuss the completion of the contract. Approvals and sign-offs are obtained from the client/other stakeholders on all deliverables, project reports and other contractual obligations. Final invoices are issued based on contract terms, confirming that all financial obligations are met, including reimbursements, taxes or other costs. Throughout the contract, and more importantly before the end of the agreement, all confidential information, intellectual property, and proprietary data are handled according to the contract's confidentiality clauses. Any company property/assets are returned and confidential information is returned/destroyed as required by the contract. All documentation, including project reports, financial records and contract closure forms are finalised and signed, indicating the end of the contract.
Using the service
- Web browser interface
- Yes
- Using the web interface
- Users can orchestrate and monitor the deployments of their software applications. They can additionally manage access permissions, organisational settings and get billing reports. Changes to their confidential applications are handled via their own developer workflows using our helper tooling.
- Web interface accessibility standard
- None or don’t know
- How the web interface is accessible
- While we have not conducted independent review of our web application accessibility scores, we use a combination of tools during development (via linters) and testing (via Microsoft Accessibility Insight) to help us maintain immediate accessibility requirements. Our service is built to leverage modern web browser capabilities, exclusively using Web Standards. Users have the ability to use browser extensions, for example to read aloud or increase contrast. Currently, users with severe visual impairment may not be able to perform all actions. Also, some features such as FIDO authentication rely on external components which may themselves suffer from accessibility issues.
- Web interface accessibility testing
- None
- API
- Yes
- What users can and can't do using the API
- We offer two APIs: a Web API, through which all the functions supported by our web interface are also offered, facilitating service automation, and an SDK API for use by applications deployed within our service, allowing access to runtime service functions.
- API automation tools
- Other
- API documentation
- Yes
- API documentation formats
- HTML
- Command line interface
- Yes
- Command line interface compatibility
-
- Linux or Unix
- Windows
- MacOS
- Using the command line interface
- Our CLI utilizes our Web API to perform all the actions otherwise available via the Web interface
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
- Applications deployed on Klave are associated with their own compute resources (threads), database (disk space allocation), and are capped by users. We load-balance users across different nodes of a cluster to ensure resource availability. We also monitor resource utilisation and increase the number of nodes in a cluster if needed. Rate limitations and other techniques manage throughput (ingress and egress) independence to provide a good experience to all users.
- Usage notifications
- No
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- Number of active instances
- Other
- Other metrics
- Number of available environments
- Reporting types
- Real-time dashboards
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Staff screening not performed
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Automated backup of databases
- Automated backup of ledgers
- Automated backup of applications and binaries
- Automated backup of configurations (network, hardware, etc.)
- Automated backup of logs
- Backup controls
- Applications and ledgers of users' data are distributed and automatically backed up across a cluster of machines deployed in different data centres. Users can ask for a rollback of the ledgers to a previous backed-up version.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Users contact the support team to schedule backups
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- At present, our service operates on a best-effort basis during UK working hours (BST) from 9 am to 5 pm. However, we recognize the diverse needs of our enterprise clients and are committed to providing tailored Service Level Agreements (SLAs) to meet their specific requirements. These customized SLAs will ensure that our enterprise clients receive the level of support and responsiveness they expect, allowing us to deliver a high-quality service experience that aligns closely with their business objectives. By offering personalized SLAs, we aim to strengthen our partnerships with enterprise clients and enhance their overall satisfaction with our services.
- Approach to resilience
- Our service is designed for resilience through a multi-tiered strategy. Spanning three data centers across two regions, we ensure geographic redundancy to mitigate localized disruptions. Within each center, our cluster-based architecture disperses applications and data, preventing single points of failure and optimizing performance. Automated failover and proactive monitoring further bolster our resilience, swiftly redirecting traffic and resources in case of anomalies. Through redundancy, diversity, and automation, we prioritize seamless continuity, providing a dependable platform for our users.
- Outage reporting
- Our service promptly reports outages through multiple channels to ensure effective user communication. We utilise email notifications as a primary method for outage reporting, providing detailed information and updates to our users. Additionally, we leverage Discord, where we manage our users' community, to promptly notify them of any disruptions. This ensures that our users receive timely updates through channels they frequently engage with, enhancing transparency and maintaining open lines of communication during outages. By utilising both email and Discord, we aim to minimise downtime and swiftly address any issues to mitigate impacts on our users' operations.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Access restrictions in management interfaces and support channels
- A limited number of system administrators have access to management interfaces. They all use 2FA to log in. The support channel (Discord) requires 2FA and phone numbers.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Devices users manage the service through
- Dedicated device over multiple services or networks
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Sancert
- ISO/IEC 27001 accreditation date
- 07/08/2024
- What the ISO/IEC 27001 doesn’t cover
- NA
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
-
Cyber Essentials Certified - 2024
In the process of implementing ISMS to obtain ISO27001 Certification
- Information security policies and processes
- Secretarium has implemented a sustainable set of controls/safeguards, in the form of policies, practices, procedures, organisational structure and software. This involves all key stakeholders, ensuring that the Confidentiality, Integrity and Availability requirements of our information assets are based on their value, risk exposure and regulatory and compliance requirements. Employees and third parties are made aware of their roles and responsibilities to ensure the protection of information. Secretarium's management is committed to the implementation, operation, monitoring, review, maintenance and continual improvement of these Information Security controls. The following objectives have been set and are used as a foundation of our Information Security Program: 1) Understanding critical information assets and protecting them in terms of CIA triad; 2) Minimising business disruption and operational impact; 3) Compliance with customer expectations and contractual obligations; 4) Compliance with relevant legal/regulatory requirements; 5) Reduction and effective management of Security Incidents; 6) Effective Information Security Risk Management; 7) Info Sec training Program and Awareness in place and 8) Assurance that all systems are protected from Malware, Viruses and Cyber-attacks.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Change requests, including upgrades, are logged centrally with approval documentation.
Business units maintain an audit trail of change requests, authorizations, and outcomes.
Changes to production require multi-person approval.
Risk assessments align with organizational standards, considering security impacts.
Assessments include impacts on resources, costs, security, privacy, and compliance.
Changes undergo controlled testing to minimize disruptions and assess impacts.
Formal approval criteria include authorization, impact assessment, and testing.
Users are notified and consulted on significant changes before acceptance.
Procedures address unexpected outcomes for recovery and continuity.
Post-implementation monitoring tracks deviations and escalates issues for resolution.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- We conduct annual penetration testing, automated monthly infrastructure scans, and weekly codebase scans, and promptly deploy patches after significant vulnerability detection. We gather threat intelligence to assess emerging risks and align our remediation efforts. Critical vulnerabilities are remediated within 30 days, followed by confirmation scans. We maintain a vulnerability dashboard for monitoring and tracking overall trends. Information on potential threats comes from various sources, including threat intelligence feeds, advisories, vendor announcements, and industry reports, ensuring our readiness to address evolving security challenges.
- Protective monitoring type
- Undisclosed
- Protective monitoring approach
- Undisclosed.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- Our incident management process adheres to formalized procedures outlined in our policy, guiding us from incident detection to resolution. Incidents are classified based on criticality and promptly reported to our IT helpdesk. We have predefined processes for common events and ensure timely reporting to authorities. All incidents are logged, documented, and reported to relevant stakeholders, including senior management and regulators. Forensic evidence is collected and retained securely for six months. After resolution, a formal report is prepared by the head of Cyber Security, outlining actions taken and preventive measures. Lessons learned are documented and shared to prevent future incidents.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- No
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
-
We currently use three data centres. Using OVH in Europe and partnering with companies like Tinext and Green in Switzerland showcases a strong commitment to sustainability and environmental responsibility. By leveraging renewable and low carbon energy sources, these companies not only reduce their carbon footprint but also align with the EU code of conduct regarding energy efficiency and environmental standards.
The EU code of conduct sets guidelines and best practices for data centres and cloud service providers to ensure energy-efficient operations and reduce environmental impact. Compliance with these standards demonstrates a proactive approach to meeting regulatory requirements while also contributing to broader sustainability goals.
OVH’s operations in Europe, alongside partnerships with environmentally conscious companies like Tinext and Green in Switzerland, exemplify a forward-thinking approach to business that prioritizes not just performance and reliability but also environmental stewardship. This alignment with EU regulations underscores a commitment to sustainable practices and responsible resource management in the digital infrastructure sector.
By highlighting these efforts, businesses can showcase their dedication to environmental sustainability while also meeting industry standards and regulations, fostering trust and positive engagement with stakeholders and customers alike.
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Tackling economic inequality
- Equal opportunity
Fighting climate change
Environmental and climate considerations are integral to our solution's design. Klave plays a pivotal role in curtailing the ecological footprint of data processing by facilitating efficient and secure data operations. By harnessing the power of secure hardware, Klave achieves data processing speeds that are exponentially superior to conventional cryptography, all while minimising the demand for computing resources. This efficiency translates to reduced energy consumption and a diminished environmental impact. A cornerstone of Klave's eco-consciousness lies in its utilisation of low-energy servers. These servers boast an energy consumption rate of a mere 30 watts during periods of rest and a maximum of 215 watts when subjected to heavy use. Moreover, our commitment to sustainability extends to the very heart of our operations, as Klave operates within data centres that derive their energy from hydroelectric sources. By converging technological innovation with environmental responsibility, Klave underscores its dedication to advancing secure data practices while leaving a lighter carbon footprint on the planet.
Tackling economic inequality
Klave's introduction to the market has the potential to generate substantial economic impact across various dimensions.
1. Entrepreneurship and Startups: Klave's emergence will inspire entrepreneurs and startups to explore solutions in the data security and privacy space, leading to the creation of new ventures and fostering a culture of entrepreneurship and innovation within the industry.
2. Increased Cloud Adoption: Klave's robust security features will drive increased adoption of cloud computing solutions, especially among businesses that were previously hesitant due to security concerns. This expanded adoption will lead to revenue growth for cloud infrastructure and related industries.
3. Business Efficiency and Productivity: Organisations adopting Klave's secure data protection and smart contract capabilities can experience improved efficiency and productivity. This, in turn, will contribute to overall economic growth as businesses optimise their operations and reduce operational costs.
4. Value Chain Enhancement: Klave's integration into various industries can lead to the development of complementary products and services. This value chain enhancement will create new revenue streams and business opportunities for stakeholders within these industries.
Equal opportunity
At Secretarium, our expansion and developmental endeavours call for a diverse array of skilled professionals spanning multiple domains. From software engineers adept in crafting intricate code to secure hardware engineers, smart contract engineers, and cryptographers, our team showcases a spectrum of talents. Complemented by IT security engineers, UX/UI engineers who craft intuitive user experiences, project managers who navigate complexities, and customer support personnel ensuring client satisfaction, our organisation stands as a nucleus of expertise. From 2024 to 2028, we anticipate generating a minimum of 222 positions, ushering in a new era of employment.
The Secretarium effect extends beyond our immediate walls, generating indirect job creation across industries. As we expand our operational reach, our collaborations with partners, suppliers, and service providers create a ripple effect of opportunity. This symbiotic rapport fuels roles within sectors such as cloud infrastructure, legal and compliance services, marketing agencies, and logistics. The dynamic surge in demand that our initiatives stimulate acts as a catalyst for employment growth within these affiliated organisations.
Innovation and Entrepreneurship: Beyond the numbers, our market presence ignites the flames of innovation and entrepreneurship. As Secretarium gains momentum and garners investment, it inspires the birth of startups and ventures focusing on related privacy-preserving technologies, services, and applications. This virtuous cycle of innovation further amplifies the potential for job creation, generating a dynamic environment primed for economic progress.
In cultivating both direct and indirect job creation, Secretarium propels value for our clients while simultaneously contributing to holistic growth and prosperity within the communities and economies we engage with.
Pricing
- Price
- £5,000 a licence
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
-
All features and functionalities as per our PAYG model are included except that deployment is done in a development cluster. Features are:
Unlimited Applications
Unlimited Deployment
Automatic CI/CD (Git Integration)
Unlimited Environment
Mail Support