Changelog

What we shipped, when we shipped it.

Real entries with the commit / file references behind each line. The product is in private beta — read the roadmap below for what's next.

infra · compliance

Point-in-Time Recovery (continuous WAL archiving)

Postgres now ships every WAL segment to S3 (SSE-KMS) as it fills, with a 5-minute archive_timeout safety net. A new nightly pg_basebackup sidecar takes a physical base backup, also direct-to-S3. The pair gives us PITR to any second in the last 30 days, not just to nightly snapshots.

Restore path documented in our incident runbooks. Quarterly restore drill is on the calendar.

security · compliance

Cryptographic shredding on org deletion

When an organisation is hard-deleted, we retire its per-org data encryption key (DEK) and null out the wrapped blob. From that moment, every TOTP seed, MFA credential, and SMS body belonging to that org becomes permanently undecryptable — including the copies that live in encrypted backups.

Wired into the nightly cleanup cron. Plaintext metadata (emails, names) is purged from the operational DB and ages out of backups per the retention window.

security · compliance

Hash-chained, tamper-evident audit log

Every audit row now carries SHA-256(prev_hash ‖ canonical_json(row)). A read-only verifier (scripts/audit-verify.ts) walks the chain per org and reports the first divergence. Tampering with any historical row breaks the chain at that point and is detectable.

IP and User-Agent are also captured on every audit write for breach-evidence purposes (GDPR Art. 32).
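The chain construction and the read-only verifier described above, as an added TypeScript example that is not the project's scripts/audit-verify.ts: the row fields, the all-zero genesis value used as the first prev_hash, and the key-sorting canonicalisation rule are assumptions. A real run would group rows by org_id and verify each org's chain separately.

```typescript
import { createHash } from "node:crypto";

// Row shape assumed for illustration; prev_hash and hash are derived, not input.
export interface AuditRow { id: number; org_id: string; action: string; actor: string; ip: string; ua: string; at: string }
export interface ChainedRow extends AuditRow { prev_hash: string; hash: string }

// Canonical JSON: keys sorted recursively so the same row always serialises identically.
export function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonicalJson(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const GENESIS = "0".repeat(64); // assumed sentinel for the first row of each org's chain

// hash = SHA-256(prev_hash || canonical_json(row))
export function rowHash(prevHash: string, row: AuditRow): string {
  return createHash("sha256").update(prevHash).update(canonicalJson(row)).digest("hex");
}

// Append-time: link each row to its predecessor's hash.
export function appendChain(rows: AuditRow[]): ChainedRow[] {
  let prev = GENESIS;
  return rows.map((row) => {
    const hash = rowHash(prev, row);
    const out: ChainedRow = { ...row, prev_hash: prev, hash };
    prev = hash;
    return out;
  });
}

// Read-only verifier: recompute every link and return the id of the first row whose
// stored prev_hash or hash differs from the recomputation, or null if the chain is intact.
export function firstDivergence(chain: ChainedRow[]): number | null {
  let prev = GENESIS;
  for (const { prev_hash, hash, ...row } of chain) {
    if (prev_hash !== prev || rowHash(prev, row) !== hash) return row.id;
    prev = hash;
  }
  return null;
}
```

Editing a historical row is caught at that row; editing it and recomputing its own hash is caught at the next row, whose stored prev_hash no longer matches; deleting a row is caught the same way.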

security

Per-org data encryption keys + bring-your-own-key

Every organisation gets its own AES-256-GCM data encryption key, wrapped by a managed KMS key. Enterprise customers can supply their own KMS key ARN; we wrap that org's DEK under your key, so revoking it makes the org's data unreadable to us within minutes.

Default (non-Enterprise) orgs use the platform's regional KMS key. Same crypto, same shred-on-revoke story — you just don't manage the wrapping key.

security

KMS envelope for the master encryption key + annual rotation

MASTER_ENCRYPTION_KEY is now wrapped by AWS KMS (alias/kaito-platform-eu / -us). The plaintext key only exists in process memory after boot — it's never on disk in plaintext.

Annual rotation is enabled on both regional KMS keys. KMS retains old material for decrypting historical ciphertext, so rotation is transparent.

product · compliance

GDPR data-subject endpoints

GET /api/v1/me/export returns a JSON dump of the authenticated user's personal data — account, audit log entries for them, TOTP metadata, MFA method metadata, decrypted SMS messages, API key metadata, consent ledger.

DELETE /api/v1/me soft-deletes the user (30-day grace; cleanup cron hard-deletes after). DELETE /api/v1/org schedules a full org deletion (Owner only, typed-name confirmation, 30-day grace, cryptographic shred on hard-delete).

security

AES-256-GCM encryption for SMS message bodies

Inbound SMS bodies are now encrypted at the field level the moment they hit our webhook handler. Plaintext never lives on disk.

A one-shot backfill script wraps any pre-encryption rows; new rows always populate body_iv / body_auth_tag / body_key_version.
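An added TypeScript example, not the product's own code, of the envelope scheme that the per-org DEK, KMS master-key and SMS entries above describe together: a per-org AES-256-GCM DEK wrapped under a KMS key, field-level encryption that populates body_iv / body_auth_tag / body_key_version, and the shred-on-delete retirement of the wrapped DEK. KMS is stood in for by a local key under an invented alias (alias/example-platform), the function and type names are assumptions, and binding the org id as GCM associated data is an assumption rather than something the changelog states.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Column names follow the changelog (body_iv / body_auth_tag / body_key_version); other shapes are assumed.
export interface WrappedDek { ciphertext: Buffer; iv: Buffer; tag: Buffer; kmsKeyId: string }
export interface OrgKeys { dekWrapped: WrappedDek | null; dekVersion: number }
export interface EncryptedField { body: Buffer; body_iv: Buffer; body_auth_tag: Buffer; body_key_version: number }

// Stand-in for KMS so the example runs offline; in production the key never leaves KMS.
const kmsKeys: Record<string, Buffer> = { "alias/example-platform": randomBytes(32) };

function gcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer) {
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, iv, tag: c.getAuthTag() };
}

function gcmOpen(key: Buffer, ct: Buffer, iv: Buffer, tag: Buffer, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if the tag does not verify
}

// New per-org DEK wrapped under the KMS key; org id bound as AAD (assumed) so a wrapped DEK cannot move between orgs.
export function provisionOrgDek(orgId: string, kmsKeyId: string): OrgKeys {
  const { ct, iv, tag } = gcmSeal(kmsKeys[kmsKeyId], randomBytes(32), Buffer.from(orgId));
  return { dekWrapped: { ciphertext: ct, iv, tag, kmsKeyId }, dekVersion: 1 };
}

function unwrapDek(orgId: string, keys: OrgKeys): Buffer {
  const w = keys.dekWrapped;
  if (!w) throw new Error("DEK retired: org data is permanently undecryptable");
  return gcmOpen(kmsKeys[w.kmsKeyId], w.ciphertext, w.iv, w.tag, Buffer.from(orgId));
}

export function encryptSmsBody(orgId: string, keys: OrgKeys, text: string): EncryptedField {
  const { ct, iv, tag } = gcmSeal(unwrapDek(orgId, keys), Buffer.from(text, "utf8"), Buffer.from(orgId));
  return { body: ct, body_iv: iv, body_auth_tag: tag, body_key_version: keys.dekVersion };
}

export function decryptSmsBody(orgId: string, keys: OrgKeys, f: EncryptedField): string {
  return gcmOpen(unwrapDek(orgId, keys), f.body, f.body_iv, f.body_auth_tag, Buffer.from(orgId)).toString("utf8");
}

// Cryptographic shred on org hard-delete: retiring the wrapped DEK leaves every ciphertext, backups included, unrecoverable.
export function shredOrg(keys: OrgKeys): OrgKeys {
  return { ...keys, dekWrapped: null };
}
```

After shredOrg every decrypt throws, which is the property the shred-on-deletion entry relies on; a flipped ciphertext byte or a mismatched org id fails the GCM tag check the same way.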

compliance

Automated retention enforcement (nightly)

New cleanup container sleeps until 03:30 UTC each night, then runs scripts/gdpr-cleanup.ts: archives audit logs to S3 before purging the operational DB, deletes expired sessions / MFA sessions / mobile tokens, removes expired invitations, hard-deletes soft-deleted users past their 30-day grace, purges SMS messages past per-org retention, removes stale push tokens, hard-deletes orgs whose scheduled deletion has passed.

Per-org retention is configurable: orgs.audit_retention_days (default 365, Enterprise 2557 = 7y) and orgs.sms_retention_days (default 90).

compliance

Generic consent ledger

A reusable, append-only record of every consent grant and revocation a user gives — DPA, ToS, Privacy Policy, marketing email, per-subprocessor change. Captures IP, User-Agent, the version of the text shown, and the full payload snapshot.

Designed as a portable module under app/lib/consent — every helper takes a db handle, so it can later be lifted into its own npm package.

product · compliance

Admin panel + subprocessor-change workflow

New /admin/* routes (gated by users.is_superadmin): cross-org accounts browser, announcements CRUD (banner / modal / email), subprocessor change records, read-only cross-org audit viewer.

Recording a subprocessor change auto-creates a banner announcement and warns if you give less than 30 days' notice (GDPR Art. 28 minimum).

infra · compliance

EU-default deployment + LUKS2-encrypted data disk

Operational data now lives in Helsinki on a dedicated Hetzner Cloud volume. The volume is LUKS2-encrypted (aes-xts-plain64, argon2id keyfile) on top of Hetzner's storage-layer AES-XTS — two independent encryption layers with a customer-held key.

US deployment available on request for Enterprise customers. Single region per organisation; no cross-region replication.

product

Mobile responsiveness overhaul

End-to-end mobile-responsive pass across the marketing site, dashboard, and auth flows. Notable: TOTP code now scales with its ring (CSS container queries); pricing SMS table renders as cards under sm; nav dropdown clamped to viewport; auth panel safe-area aware.

Plus belt-and-braces fixes for iOS auto-zoom on form inputs and overscroll bounce.

Roadmap

What's next.

In likely shipping order. No firm dates — we'll write a real changelog entry when each lands, and you can subscribe to be notified.

Next up
product

SAML SSO + SCIM provisioning

Identity-provider-driven user lifecycle for Business and Enterprise. SCIM 2.0 + SAML 2.0.

Next up
mobile

Native mobile apps (iOS + Android)

Encrypted, biometrically-locked seed cache scoped to the tokens you're allowed to see; revocation enforced at next online check.

Later
product

Outbound SMS + US 10DLC brand registration

Send SMS from your provisioned numbers, with US 10DLC compliance handled. Today the SMS surface is inbound-only.

Later
product

First-class integrations: Slack, PagerDuty, SIEMs

Slack slash command (/kaito code <name>) for code retrieval, PagerDuty incident-elevation, native audit-log streaming to Datadog / Splunk / Sumo / Wazuh.

Later
infra

Self-serve US deployment region

Pick US residency at signup instead of contacting us. Region-aware routing, billing, admin. Today: EU default, US on request for Enterprise.

Later
api

Official language SDKs (Node, Python, Go)

Thin idiomatic wrappers around the REST API. Today the API is small enough to call directly from any HTTP client.

Later
compliance

SOC 2 Type I attestation

Engagement with an accredited auditor. Controls are largely in place — the work is the formal ISMS documentation and the audit itself.