Security
Last updated: May 5, 2026
Kairos takes security seriously. This page describes our security practices, ongoing certification efforts, and commitments to data protection.
For specific security inquiries, including questionnaires, audit reports, or incident reports, contact security@kairoswins.com.
1. Data encryption
All data in transit between your browser, our APIs, and our service providers is encrypted using TLS 1.3 or higher. We do not accept connections over older or weaker encryption protocols.
All data at rest in our databases and storage is encrypted using AES-256. This includes customer data, authentication credentials, and audio/transcript data when retention is enabled.
2. Authentication and access control
User authentication is managed through Clerk, an enterprise-grade authentication provider. We support standard email/password authentication for all tiers, with SAML/SSO support available on the Enterprise tier for organizational identity provider integration.
Access to customer data within Kairos systems is limited to authorized personnel on a least-privilege basis. All internal access is logged and audited.
3. Tenant isolation
Customer data is isolated at the database level using row-level security policies. No query path can return data across tenant boundaries by design. Each tenant's data, including call audio, transcripts, deal context, and rep profiles, is stored in tenant-scoped namespaces.
This isolation is enforced at the database layer rather than the application layer, providing defense in depth: even if an application bug omitted a tenant filter, the database itself would reject cross-tenant queries.
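As an added illustration of the database-layer enforcement described above (this is example code, not Kairos's own schema or policies), the following shows how row-level security achieves that guarantee in PostgreSQL. It assumes a hypothetical transcripts table with a tenant_id column, a non-owner application role named app_user, and a per-request session setting app.current_tenant that the application pins after verifying the caller's session.

```sql
-- Added example of database-enforced tenant isolation using PostgreSQL
-- row-level security. Hypothetical schema and names; not Kairos's code.
-- Assumption: the application sets app.current_tenant for each request
-- after authenticating it, and connects as the app_user role.

CREATE TABLE transcripts (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  call_id    uuid NOT NULL,
  body       text NOT NULL
);

-- The application role is not the table owner and has no BYPASSRLS,
-- so the policy applies to every statement it issues.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON transcripts TO app_user;

ALTER TABLE transcripts ENABLE ROW LEVEL SECURITY;
ALTER TABLE transcripts FORCE ROW LEVEL SECURITY;  -- also binds the table owner

-- Tenant bound to this session, or NULL when none was set.
-- current_setting(name, true) returns NULL instead of raising when the
-- setting is absent, so a request that forgot to pin a tenant matches
-- zero rows rather than every row (fail closed).
CREATE FUNCTION current_tenant() RETURNS uuid
  LANGUAGE sql STABLE AS
  $$ SELECT nullif(current_setting('app.current_tenant', true), '')::uuid $$;

-- USING limits which rows are visible to SELECT/UPDATE/DELETE;
-- WITH CHECK rejects any INSERT/UPDATE that would write another tenant's id.
CREATE POLICY tenant_isolation ON transcripts
  FOR ALL TO app_user
  USING (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- Per-request usage by the application (transaction-local so a pooled
-- connection cannot carry one tenant's id into the next request):
--   BEGIN;
--   SET LOCAL app.current_tenant = '<tenant uuid from the verified session>';
--   SELECT body FROM transcripts WHERE call_id = $1;  -- this tenant's rows only
--   COMMIT;

-- Defense in depth in practice: a query that omits the tenant filter
-- still returns only the current tenant's rows, and a misrouted write
-- is refused by the database rather than silently stored.
--   SELECT count(*) FROM transcripts;
--   INSERT INTO transcripts (tenant_id, call_id, body)
--     VALUES ('<a different tenant uuid>', gen_random_uuid(), 'x');
--   -- ERROR: new row violates row-level security policy for table "transcripts"
```

Two details carry most of the weight: FORCE ROW LEVEL SECURITY keeps the policy active even for the table owner, and the fail-closed helper means an unset tenant yields no rows instead of all rows. A practitioner verifying such a setup would check that the application role really lacks BYPASSRLS and SUPERUSER, and that the tenant setting is applied with SET LOCAL inside each transaction rather than once per pooled connection.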
4. Compliance and certifications
4.1 SOC 2
A SOC 2 Type 1 audit is in progress. Expected completion: third quarter of 2026. SOC 2 Type 2 will follow approximately six months after Type 1 completion. Audit reports will be available to enterprise customers under NDA upon completion.
4.2 GDPR
We are committed to compliance with the General Data Protection Regulation for users and customers in the European Economic Area. We support data subject rights including access, correction, deletion, and portability. Data Processing Agreements are available on request to enterprise customers.
4.3 HIPAA
For healthcare-adjacent customers requiring HIPAA compliance, Business Associate Agreements (BAAs) are available on the Enterprise tier. Please contact security@kairoswins.com to request a BAA.
5. Penetration testing
External penetration testing by a qualified third-party security firm is scheduled prior to onboarding our first enterprise customer. Test results and remediation status will be available to enterprise customers under NDA.
6. Recording consent infrastructure
Kairos products that join sales calls implement a jurisdiction-aware consent engine. Configuration options include:
- Bot disclosure mode: When the Kairos meeting bot joins a call, it announces its presence and the recording/analysis activity.
- One-party consent mode: Permitted in jurisdictions where consent of a single party (the user) is sufficient.
- Two-party consent mode: Required in jurisdictions where consent of all participants is mandatory. The system blocks recording until consent is confirmed.
Customers configure consent settings per tenant. The system enforces the most restrictive applicable law based on participant location data when known.
7. Incident response
We maintain an incident response plan covering security events, data breaches, and service disruptions. In the event of a security incident affecting your data, we will:
- Notify affected customers without undue delay, in accordance with applicable law (typically within 72 hours of confirmation for data breaches)
- Provide details of the incident, affected data, and steps taken to remediate
- Cooperate with customer security teams in investigation and response
8. Vulnerability disclosure
We welcome reports of security vulnerabilities from researchers and the public. To report a vulnerability:
- Email security@kairoswins.com with details of the issue
- Provide steps to reproduce, expected impact, and your contact information
- Allow us reasonable time to investigate and remediate before public disclosure
We do not currently operate a formal bug bounty program but recognize and credit responsible disclosure where appropriate.
9. Subprocessors
We use third-party service providers (subprocessors) to deliver our products. The current list of subprocessors is published in our Privacy Policy. We require subprocessors to maintain security and confidentiality standards substantially equivalent to our own. Material changes to our subprocessor list are communicated to customers in advance.
10. Contact
For security questions, audit requests, or incident reports, contact: