Trust Center

How we protect what you trust to us.

Security posture, compliance status, subprocessors, and the trust documentation your InfoSec team needs to sign off.

Security posture

Encryption in transit

All public traffic to the platform travels over TLS 1.2 or higher with HSTS enforced. Internal service-to-service communication is encrypted.

Encryption at rest

Customer data is encrypted at rest in the production database. Backups are encrypted using managed keys.

Access control

Role-based access. Server-side admin gates on every protected route. JWT-backed sessions with short expirations.

Row-level security

Postgres-style row-level security policies on every customer-owned table. The client never holds the service role key.

Rate limiting

Per-IP token-bucket rate limiting on every public API route. Protects against abuse and runaway costs.
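The token-bucket limiter described above, as an added illustration that is not the platform's own code: each client IP gets a bucket that refills at a fixed rate up to a capacity, and a request is admitted only if it can pay its cost in tokens. The class name, the injected clock, and the `retry_after` helper (which gives the value a 429 `Retry-After` header would carry) are assumptions made for this example.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class PerIpTokenBucket:
    """Per-key token bucket. Keys are client IPs; cost is tokens per request.

    The clock is injectable so behaviour is deterministic under test; in
    production the default time.monotonic is used.
    """

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if capacity <= 0 or refill_per_sec <= 0:
            raise ValueError("capacity and refill rate must be positive")
        self._capacity = float(capacity)
        self._rate = float(refill_per_sec)
        self._clock = clock
        self._buckets: Dict[str, _Bucket] = {}
        self._lock = threading.Lock()

    def _refill(self, ip: str) -> _Bucket:
        # Lazily create the bucket (full) and credit tokens for elapsed time.
        now = self._clock()
        b = self._buckets.get(ip)
        if b is None:
            b = _Bucket(tokens=self._capacity, last=now)
            self._buckets[ip] = b
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self._capacity, b.tokens + elapsed * self._rate)
        b.last = now
        return b

    def allow(self, ip: str, cost: float = 1.0) -> bool:
        """Admit the request and debit its cost, or reject without debiting."""
        with self._lock:
            b = self._refill(ip)
            if b.tokens >= cost:
                b.tokens -= cost
                return True
            return False

    def retry_after(self, ip: str, cost: float = 1.0) -> float:
        """Seconds until a request of this cost would be admitted (0 if now)."""
        with self._lock:
            b = self._refill(ip)
            deficit = cost - b.tokens
            return 0.0 if deficit <= 0 else deficit / self._rate

    def evict_idle(self, idle_seconds: float) -> int:
        """Drop buckets untouched for idle_seconds; returns how many were removed."""
        with self._lock:
            now = self._clock()
            stale = [ip for ip, b in self._buckets.items() if now - b.last > idle_seconds]
            for ip in stale:
                del self._buckets[ip]
            return len(stale)


class FakeClock:
    """Constructed clock for the demo and tests; not part of the limiter."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, object]:
    """Burst of 7 requests against capacity 5, then 2 s of refill at 1 token/s."""
    clock = FakeClock()
    limiter = PerIpTokenBucket(capacity=5, refill_per_sec=1.0, clock=clock)
    burst = [limiter.allow("198.51.100.7") for _ in range(7)]   # constructed client IP
    wait = limiter.retry_after("198.51.100.7")
    clock.advance(2.0)
    after_refill = [limiter.allow("198.51.100.7") for _ in range(3)]
    other_client = limiter.allow("198.51.100.8")                 # separate bucket
    return {"burst": burst, "wait": wait, "after_refill": after_refill,
            "other_client": other_client}


if __name__ == "__main__":
    print(demo())
```

The rejected request is never debited, so a client that is already over the limit cannot push its own `retry_after` further out, and buckets are created full so a first-time client gets the whole burst allowance.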

Input sanitization

SSRF protection, private-network blocking, and AWS metadata endpoint protection on every domain input.
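The three checks named above (SSRF protection, private-network blocking, and metadata-endpoint blocking on a user-supplied domain), as an added example that is not the platform's own code. It validates a hostname before a server-side fetch: IP literals are checked directly, names are resolved through an injected resolver and every returned address must be outside loopback, private, link-local (which contains the 169.254.169.254 metadata address), and IPv4-mapped ranges. The function names, the `.internal` suffix rule, and the stub resolver with TEST-NET addresses are assumptions constructed for this example.

```python
import ipaddress
from typing import Callable, Iterable, List

# Ranges a server-side fetcher must never reach on behalf of user input.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16",          # link-local, includes 169.254.169.254 (cloud metadata)
        "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

Resolver = Callable[[str], Iterable[str]]   # hostname -> resolved IP strings


class UnsafeDomain(ValueError):
    """Raised when a domain input must not be fetched."""


def is_blocked_address(addr: str) -> bool:
    """True if the address falls in a blocked range (after unwrapping v4-mapped v6)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is judged as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_domain(hostname: str, resolve: Resolver) -> List[str]:
    """Return the vetted addresses for hostname, or raise UnsafeDomain.

    The caller should connect to one of the returned addresses rather than
    resolving the name again, so a DNS answer cannot change between check and use.
    """
    host = hostname.strip().rstrip(".").lower()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]            # bracketed IPv6 literal
    if not host or len(host) > 253:
        raise UnsafeDomain("empty or overlong hostname")
    if host == "localhost" or host.endswith((".localhost", ".internal")):
        raise UnsafeDomain(f"reserved name: {host}")

    # IP literal: check it directly, no DNS involved.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_blocked_address(host):
            raise UnsafeDomain(f"address in blocked range: {host}")
        return [str(literal)]

    # Name: every resolved address must be safe, not just the first.
    addresses = list(resolve(host))
    if not addresses:
        raise UnsafeDomain(f"does not resolve: {host}")
    for addr in addresses:
        if is_blocked_address(addr):
            raise UnsafeDomain(f"{host} resolves to blocked address {addr}")
    return addresses


def is_safe(hostname: str, resolve: Resolver) -> bool:
    try:
        validate_domain(hostname, resolve)
        return True
    except UnsafeDomain:
        return False


# Constructed stub resolver so the example runs offline; not real DNS data.
FAKE_DNS = {
    "example.test": ["203.0.113.10"],
    "metadata.evil.test": ["169.254.169.254"],
    "dual.evil.test": ["203.0.113.10", "10.0.0.5"],
    "mapped.evil.test": ["::ffff:192.168.1.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for name in ("example.test", "metadata.evil.test", "dual.evil.test",
                 "169.254.169.254", "[::1]", "localhost"):
        print(f"{name:22} safe={is_safe(name, fake_resolve)}")
```

Checking every resolved address matters because a name can answer with one public and one private record; rejecting the whole set, and connecting only to the vetted addresses, closes that gap and the rebinding variant that depends on a second lookup.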

Audit logging

Every tool run, gate decision, and admin action is logged with timestamp, user, and result. Exportable for compliance review.

Human-in-the-loop gates

Customer-facing, financial, and irreversible actions are gated by the agent accountability system. Encoded in code, not in policy.


Subprocessors

The third-party services KAIRO uses to deliver the platform. Customer notice will be given at least thirty days before any new subprocessor is engaged for production use.

Category                         | Purpose                                                | Location
---------------------------------|--------------------------------------------------------|-------------------------------
Cloud hosting and edge           | Application hosting, edge compute, CDN.                | United States, global edge.
Database and authentication      | Production database, magic-link auth, file storage.    | United States.
Payment processing               | Subscription billing, payment links, customer portal.  | United States.
Premium reasoning model provider | Strategic agent tier (CEO, managers, leads).           | United States.
General worker model provider    | Worker agent tier and tool execution.                  | United States.
Fast retrieval model provider    | Real-time signal grounding and search.                 | United States.
Local inference workstation      | Optional private inference for selected tools.         | United States, on-premises.
Email delivery                   | Transactional and notification email.                  | United States.
Email verification               | Contact verification for public lookups.               | United States.
Workflow automation runtime      | Scheduled workflows and webhook orchestration.         | United States, European Union.


Need more?

Custom Security and Compliance Review.

Need a written security posture for your InfoSec review, a data flow diagram, or a gate-category mapping to your internal policy? See the Service package.
