Compliance

Compliance, in one place.

Every certification, every legal artifact, every subprocessor, and every export auditors typically ask for.

Frameworks

Where we stand today.

Framework | Status | Evidence
--- | --- | ---
GDPR | Compliant | EU by default. DPA + DPIA published; data-subject endpoints live (export, delete, schedule org deletion).
CCPA | Compliant | Honoured via the same data-subject endpoints. See Privacy Policy.
SOC 2 Type I | Planned 2026 | Engagement not yet started; controls largely already in place.
SOC 2 Type II | Planned to follow Type I |
ISO 27001 | Controls in place; certification deferred | Encryption at rest, audit logging, access control, vendor management, and incident runbooks are operational. Formal ISMS documentation and external audit available on NDA.
HIPAA | Not in scope | We don't store PHI.
PCI-DSS | Not in scope | Billing handled by a PCI-DSS Level 1 subprocessor.
Built-in controls

What you get without paperwork.

The security posture you'd expect to spend a quarter implementing — already in the product.

AES-256-GCM at rest

TOTP seeds, MFA credentials, and SMS message bodies are encrypted at the field level before they hit the database. Plaintext never reaches disk.

Per-organisation data encryption keys

Every org gets its own data encryption key (DEK). Retire one DEK and that single org's encrypted data becomes permanently undecryptable — the basis for cryptographic shredding on deletion.

Bring-your-own-key (Enterprise)

Enterprise customers can supply their own managed-KMS key ARN. We wrap that org's DEK under your key; revoking it makes your data unreadable to us within minutes.

KMS envelope for the master key

The master encryption key is itself wrapped by a managed KMS key. The plaintext exists only in process memory after boot. Annual key rotation is enabled.

Disk-level encryption (LUKS2)

Production database and cache volumes sit on a LUKS2-encrypted disk on top of the cloud provider's own storage-layer encryption — two independent layers with customer-held keys.

Hash-chained audit log

Every audit row carries SHA-256(prev_hash ‖ canonical(row)). A read-only verifier walks the chain per org and reports the first divergence. Tampering is detectable.
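
A minimal version of that chain and its read-only verifier, added here as an illustration in Python (not the product's own code), over constructed sample rows for a single org. The canonical form (compact JSON with sorted keys, hash fields excluded) and the empty-string genesis link are assumptions; the page does not specify them.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = ""  # the first row of every org's chain links back to the empty string

# Constructed sample rows for one org, in insertion order (real rows carry more columns).
SAMPLE_ROWS = [
    {"org": "org_1", "seq": 0, "actor": "alice", "action": "login"},
    {"org": "org_1", "seq": 1, "actor": "alice", "action": "totp.generate"},
    {"org": "org_1", "seq": 2, "actor": "bob", "action": "member.invite"},
]


def canonical(row: dict) -> bytes:
    """Deterministic bytes for the content fields (assumed form: compact JSON,
    sorted keys). The two hash fields are excluded; a row cannot hash itself."""
    content = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, row: dict) -> str:
    """SHA-256(prev_hash || canonical(row)): the value the row must carry."""
    return hashlib.sha256(prev_hash.encode() + canonical(row)).hexdigest()


def build_chain(rows: List[dict]) -> List[dict]:
    """Writer side: link each row to its predecessor's hash as it is appended."""
    chain, prev = [], GENESIS
    for row in rows:
        linked = dict(row, prev_hash=prev)
        linked["hash"] = chain_hash(prev, linked)
        prev = linked["hash"]
        chain.append(linked)
    return chain


def first_divergence(chain: List[dict]) -> Optional[int]:
    """Read-only verifier for one org's chain: recompute every link and return the
    index of the first row whose back-link is not the previous hash (deletions,
    insertions, re-hashed edits) or whose stored hash does not match its own
    content (in-place edits). None means the whole chain is intact."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row.get("prev_hash") != prev or row.get("hash") != chain_hash(prev, row):
            return i
        prev = row["hash"]
    return None
```

Because an edited row can always be re-hashed by whoever edited it, the check on the successor's back-link is what makes the tamper detectable rather than merely the per-row hash.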

Server-side TOTP

TOTP seeds are decrypted in-memory on the server when a code is generated. The plaintext seed never reaches the browser, the mobile app, or any client.

Strong authentication

argon2id password hashing + four MFA methods (TOTP, email OTP, SMS OTP, WebAuthn / passkey). Org-wide MFA enforcement available.

Point-in-Time Recovery

Continuous WAL archiving + daily physical base backups means we can restore the database to any second in the last 30 days, not just to nightly snapshots.

Automated retention

Nightly cron deletes expired sessions, mobile tokens, invitations, deactivated users (30-day grace), SMS messages past per-org retention, push tokens past 180 days, and orgs whose scheduled deletion has passed.

Audit-log archive

Before audit rows leave the operational database, they're archived to long-term cold storage (encrypted with the regional KMS key) for the org's full retention window.

Documented incident response

Nine purpose-built runbooks for the scenarios that matter: master-key compromise, per-org DEK compromise, SQL injection, account takeover, restore-from-backup, server loss, subprocessor outage, and more.

Data handling

Where it lives, how long, what we do when you leave.

Data residency

EU by default. Data lives in Helsinki (operational) and Ireland (backups + archive). US deployment available on request for Enterprise — single region per organisation, no cross-region replication.

Backups

Daily logical (pg_dump) and physical (pg_basebackup) snapshots + continuous WAL archiving for Point-in-Time Recovery to any second in the last 30 days. All encrypted with managed KMS.

Right to export (GDPR Art. 15 / 20)

Every user can fetch a structured JSON dump of their personal data via GET /api/v1/me/export at any time. Includes account, audit log entries, TOTP metadata, MFA method metadata, SMS messages, API key metadata.

Right to deletion (GDPR Art. 17)

An Org Owner can schedule full deletion via DELETE /api/v1/org with a 30-day grace period (and a typed-name confirmation). Individual users can self-delete via DELETE /api/v1/me. The hard-delete cascade runs nightly once the grace period has elapsed.

Cryptographic shredding on org delete

When an org is hard-deleted, we retire its data encryption key. From that moment, every TOTP seed, MFA credential, and SMS body belonging to that org — including the copies in encrypted backups — is permanently undecryptable. Plaintext metadata is purged from the operational database and ages out of backups per the retention window.
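
The key hierarchy behind the per-org DEKs, the wrapped master key and the shred step, as an added Python example using the `cryptography` package (not the product's code). It stands in a locally generated master key for the KMS-unwrapped one, keeps the wrapped DEKs in an in-memory table, and uses a constructed TOTP seed; all three are assumptions for the example.

```python
import os
from typing import Dict

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, prepended to every ciphertext


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM with a fresh random nonce; aad binds the ciphertext to a context."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, sealed: bytes, aad: bytes = b"") -> bytes:
    """Inverse of seal; raises cryptography.exceptions.InvalidTag on wrong key or tamper."""
    return AESGCM(key).decrypt(sealed[:NONCE_LEN], sealed[NONCE_LEN:], aad)


class KeyStore:
    """Two-level hierarchy: one master key (in production unwrapped by KMS at boot and
    held only in memory) and one DEK per org, persisted only in wrapped form (assumed
    here to be an in-memory dict)."""

    def __init__(self) -> None:
        self.master = AESGCM.generate_key(bit_length=256)
        self.wrapped_dek: Dict[str, bytes] = {}

    def new_org(self, org: str) -> None:
        """Mint a DEK and keep only its wrapped form. For BYOK the wrap would be done
        under the customer's KMS key instead of the master key."""
        dek = AESGCM.generate_key(bit_length=256)
        # Binding the org id as AAD stops a wrapped DEK being re-filed under another org.
        self.wrapped_dek[org] = seal(self.master, dek, aad=org.encode())

    def _dek(self, org: str) -> bytes:
        if org not in self.wrapped_dek:
            raise KeyError(f"DEK retired for {org}: its ciphertexts are undecryptable")
        return unseal(self.master, self.wrapped_dek[org], aad=org.encode())

    def encrypt_field(self, org: str, plaintext: bytes) -> bytes:
        """Field-level encryption (e.g. a TOTP seed) before the row reaches the database."""
        return seal(self._dek(org), plaintext)

    def decrypt_field(self, org: str, sealed: bytes) -> bytes:
        return unseal(self._dek(org), sealed)

    def retire_dek(self, org: str) -> None:
        """Cryptographic shred: every ciphertext, including copies inside backups, stays
        as it is, but with the wrapped DEK gone nothing can recover the key."""
        del self.wrapped_dek[org]
```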

Subprocessor changes (GDPR Art. 28)

≥30-day advance notice before any subprocessor is added, changed, or removed. Customers see an in-app banner and the public subprocessors page is updated with effective dates ahead of time.

Subprocessors

Where customer data is stored or processed.

Only third parties that touch personal data are listed. DNS, source hosting, and operational metadata vendors are not in scope.

Subprocessor | Purpose | Region
--- | --- | ---
Hetzner Cloud | Application, database, and cache hosting | Helsinki, FI (EU)
AWS | Encrypted backups + archive + KMS key material + transactional email | eu-west-1 (Ireland, EU)
Telnyx | Inbound SMS processing (only for SMS-enabled orgs, international numbers) | US / EU
Bandwidth | Inbound SMS processing (only for SMS-enabled orgs, US/CA numbers) | US
Inkress | Billing & subscription | US

See the full live list at /legal/subprocessors.

Doing diligence on Kaito? We make it easy.