Kai Trust Centre

Security Policy

Last Updated: 2 August 2025

1. Overview

At Kai, security is fundamental to everything we do. This Security Policy outlines our comprehensive approach to protecting your data, maintaining system integrity, and ensuring the confidentiality, availability, and integrity of our services. We implement enterprise-grade security controls across all aspects of our platform.

2. Security Framework

Our security program is built on industry-leading frameworks and standards:

  • SOC 2 Type II - Annual compliance audits
  • ISO 27001 - Information security management
  • GDPR - European data protection compliance
  • OWASP Top 10 - Web application security standards

3. Data Protection

3.1 Encryption

  • Data in Transit: All data is encrypted using TLS 1.3 with perfect forward secrecy
  • Data at Rest: AES-256 encryption using Google Cloud KMS-managed keys
  • Database Encryption: Transparent database encryption for all stored data
  • Backup Encryption: All backups are encrypted with separate key management

3.2 Data Classification

We classify data into the following categories:

  • Public: Marketing materials, public documentation
  • Internal: Business information, operational data
  • Confidential: Customer data, integration credentials
  • Restricted: Authentication tokens, encryption keys

4. Infrastructure Security

4.1 Cloud Infrastructure

Kai operates on Google Cloud Platform (GCP), leveraging enterprise-grade security features:

  • Multi-region deployment with automatic failover
  • Virtual Private Cloud (VPC) with network segmentation
  • Web Application Firewall (WAF) protection
  • DDoS protection and mitigation
  • Container security with Google Kubernetes Engine

4.2 Access Controls

  • Zero Trust Architecture: All access requires verification
  • Multi-Factor Authentication: Required for all system access
  • Role-Based Access Control: Principle of least privilege
  • Regular Access Reviews: Quarterly access audits and updates

5. Application Security

5.1 Secure Development

  • Security-by-design development practices
  • Regular security code reviews
  • Automated security testing in CI/CD pipelines
  • Dependency vulnerability scanning
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)

5.2 API Security

  • OAuth 2.0 and JWT token-based authentication
  • Rate limiting and throttling
  • Input validation and sanitization
  • API versioning and deprecation management

6. Third-Party Integration Security

6.1 Provider Connections

When connecting to third-party services (Gmail, Slack, Jira, etc.), we implement:

  • OAuth 2.0 for secure authorization
  • Minimal scope requests - only necessary permissions
  • Encrypted token storage using Google Secret Manager
  • Regular token refresh and validation
  • Audit logging of all API interactions

6.2 Data Processing

  • Data minimization - only process necessary information
  • Purpose limitation - data used only for intended features
  • Retention limits - automatic data purging policies
  • Cross-border transfer protections

7. Monitoring & Incident Response

7.1 Security Monitoring

  • 24/7 security operations center (SOC) monitoring
  • Real-time threat detection and alerting
  • Automated incident response workflows
  • Security information and event management (SIEM)
  • Vulnerability scanning and management

7.2 Incident Response

Our incident response process follows industry best practices:

  1. Detection: Automated monitoring and manual reporting
  2. Classification: Severity assessment and categorization
  3. Containment: Immediate threat isolation
  4. Investigation: Root cause analysis
  5. Remediation: Fix implementation and testing
  6. Recovery: Service restoration
  7. Lessons Learned: Post-incident review and improvements

8. Business Continuity

8.1 Backup & Recovery

  • Automated daily backups with 30-day retention
  • Cross-region backup replication
  • Regular recovery testing and validation
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

8.2 Disaster Recovery

  • Multi-region deployment architecture
  • Automated failover capabilities
  • Regular disaster recovery testing
  • Documented recovery procedures

9. Compliance & Auditing

9.1 Regular Audits

  • Annual SOC 2 Type II audits
  • Quarterly internal security assessments
  • Annual penetration testing by third parties
  • Continuous compliance monitoring

9.2 Security Training

  • Mandatory security awareness training for all staff
  • Regular phishing simulation exercises
  • Security incident response training
  • Secure coding practices workshops

10. Data Retention & Deletion

  • Active Data: Retained while your account is active
  • Inactive Accounts: Data deleted after 90 days of inactivity notice
  • Deleted Accounts: Data permanently deleted within 30 days
  • Backup Data: Removed from backups within 90 days
  • Log Data: Security logs retained for 2 years

11. Security Contact Information

11.1 Reporting Security Issues

If you discover a security vulnerability or have security concerns, please report them immediately:

  • Security Team: security@hellok.ai
  • Response Time: We acknowledge all security reports within 24 hours
  • Responsible Disclosure: We follow coordinated vulnerability disclosure

11.2 Security Questionnaires

For enterprise customers requiring additional security documentation:

  • SOC 2 Type II reports available under NDA
  • Security questionnaire responses
  • Penetration testing reports (executive summaries)
  • Compliance certifications

12. Updates to This Policy

We review and update this Security Policy annually or when significant changes occur to our security posture. Updates are communicated through our trust center and customer notifications.

Questions about our security practices?
Contact our security team at security@hellok.ai for detailed information or additional documentation.