Security

How we keep your documents and data safe.

Last updated: May 28, 2025

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Passwords hashed with bcrypt (cost 12)
  • JWT tokens signed with RS256

Infrastructure

  • Hosted on SOC 2 Type II certified cloud
  • Isolated per-tenant database namespaces
  • Automated daily backups with 30-day retention
  • 99.9% uptime SLA

Access Controls

  • Principle of least privilege for all systems
  • Multi-factor authentication for internal access
  • Audit logs for all administrative actions
  • All queries scoped to authenticated user

Application Security

  • Parameterized SQL — no string interpolation
  • CSRF protection on all state-changing requests
  • Rate limiting on auth and API endpoints
  • Dependency vulnerability scanning via npm audit

Your Data Isolation

Every database query in Klaio is scoped to your userId or organizationId. It is architecturally impossible for one user to access another user's documents, chats, or folders — even if an API endpoint is called with a manipulated ID.

Documents uploaded to Klaio are stored with randomized filenames and are not accessible via public URLs. All document retrieval requires a valid authenticated session.

AI Processing

When you ask a question, relevant chunks of your documents are sent to our AI provider to generate a response. We use providers that:

  • Process data only to fulfill the immediate request
  • Do not retain your content after processing
  • Do not train models on customer data
  • Are bound by data processing agreements (DPAs)

No document content is ever used to improve our AI models or shared with any third party for commercial purposes.

Notion Integration

When you connect Notion, we store only the OAuth token required to fetch pages you explicitly import. We do not continuously access your Notion workspace — syncing only occurs when you trigger it manually or via scheduled sync for connected pages.

You can revoke the Notion connection at any time from the Settings page, which immediately deletes the stored token.

Vulnerability Disclosure

We take security reports seriously. If you discover a vulnerability in Klaio, please report it responsibly:

  • Email: security@klaio.app
  • Include a description of the vulnerability and steps to reproduce
  • Do not access, modify, or delete data that is not yours
  • Give us reasonable time (90 days) to address the issue before public disclosure

We will acknowledge your report within 2 business days and keep you updated on our progress. We do not pursue legal action against researchers who follow responsible disclosure guidelines.

Incident Response

In the event of a security incident affecting your data, we will:

  • Notify affected users by email within 72 hours of becoming aware
  • Describe the nature of the incident and data affected
  • Provide steps you can take to protect yourself
  • Report to relevant authorities as required by law (e.g., GDPR Article 33)

Questions

For security-related questions, contact security@klaio.app. For general privacy questions, see our Privacy Policy.