For Security & IT

Stop the screenshot. Pass the audit.

Kaito gives security teams the controls to manage shared 2FA at scale — without negotiating with engineering every time you need an audit log.

What you can stop doing

Things off your plate from week one.

  • Asking engineers to "send the AWS code in DM" (and then deleting the DM).
  • Hunting in 1Password notes for who has access to what.
  • Writing Notion docs that document a 2FA process nobody follows.
  • Filing tickets to track which contractors got removed from which logins.

What auditors will ask

And the answer.

Are 2FA secrets encrypted at rest?

Yes — AES-256-GCM with a master key held outside the database (env / KMS). Seeds are never written in plaintext. Browsers and mobile apps never receive the seed; codes are computed server-side.

How is access controlled?

Four-role RBAC plus group-based, per-token permissions. A user must be (1) authenticated with MFA, (2) a member of a group, and (3) the group must hold a permission on the specific token. Both group memberships and token permissions can carry expiry dates.

How is access revocation handled?

Removing a user invalidates their session and all their API keys and removes their group memberships in a single transaction. Kaito then surfaces every full-seed token they had access to with a one-click rotation flow.
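The access rule and the revocation step above, as an added example that is not Kaito's code. It models the three-condition check (MFA session, live group membership, live group permission on the token) over a hypothetical in-memory store, fails closed when a membership or permission has expired, and on revocation removes the session, API keys and memberships together before returning the tokens the user could reach so they can be rotated. The data model, names and the sample users, groups and tokens are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


# Hypothetical in-memory model of the access rules described above.
@dataclass
class Membership:
    user_id: str
    group_id: str
    expires_at: Optional[datetime] = None


@dataclass
class Permission:
    group_id: str
    token_id: str
    expires_at: Optional[datetime] = None


@dataclass
class Store:
    mfa_sessions: Set[str] = field(default_factory=set)           # users with a live MFA-verified session
    api_keys: Dict[str, Set[str]] = field(default_factory=dict)  # user_id -> live API key ids
    memberships: List[Membership] = field(default_factory=list)
    permissions: List[Permission] = field(default_factory=list)


def _live(expires_at: Optional[datetime], now: datetime) -> bool:
    # No expiry means permanent; otherwise the entry is live strictly before expiry.
    return expires_at is None or now < expires_at


def can_access(store: Store, user_id: str, token_id: str, now: datetime) -> bool:
    """All three conditions must hold; an expired membership or permission fails closed."""
    if user_id not in store.mfa_sessions:
        return False
    groups = {m.group_id for m in store.memberships
              if m.user_id == user_id and _live(m.expires_at, now)}
    return any(p.token_id == token_id and p.group_id in groups and _live(p.expires_at, now)
               for p in store.permissions)


def revoke_user(store: Store, user_id: str) -> List[str]:
    """Remove the user in one step and return every token they could reach, for rotation.

    Expiry is deliberately ignored here: a token the user was ever able to see is a
    rotation candidate, so the list is conservative."""
    groups = {m.group_id for m in store.memberships if m.user_id == user_id}
    reachable = sorted({p.token_id for p in store.permissions if p.group_id in groups})
    # Compute the new state first, then apply every change together, so a failure
    # part-way cannot leave a session alive with memberships already gone or vice versa.
    new_memberships = [m for m in store.memberships if m.user_id != user_id]
    store.mfa_sessions.discard(user_id)
    store.api_keys.pop(user_id, None)
    store.memberships = new_memberships
    return reachable


def demo() -> Dict[str, object]:
    """Constructed scenario: one user, one group, one permanent and one expired permission."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    s = Store()
    s.mfa_sessions.add("alice")
    s.api_keys["alice"] = {"key-1"}
    s.memberships.append(Membership("alice", "ops", expires_at=now + timedelta(days=1)))
    s.permissions.append(Permission("ops", "aws-root"))
    s.permissions.append(Permission("ops", "github-org", expires_at=now - timedelta(hours=1)))
    result = {
        "live_permission": can_access(s, "alice", "aws-root", now),
        "expired_permission": can_access(s, "alice", "github-org", now),
        "expired_membership": can_access(s, "alice", "aws-root", now + timedelta(days=2)),
        "no_session": can_access(s, "bob", "aws-root", now),
        "to_rotate": revoke_user(s, "alice"),
    }
    result["after_revocation"] = can_access(s, "alice", "aws-root", now)
    result["api_keys_left"] = "alice" in s.api_keys
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The rotation list includes the token whose permission had already expired: once a seed has been visible to someone who is now being removed, expiry of their permission is no reason to keep trusting that seed.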

Is there an audit trail?

Every meaningful action is logged: authentication, code generation, seed views, permission changes, SMS reads, billing changes, organization settings. Logs are retained 365 days (7 years on Enterprise), tamper-evident via hash chain, exportable to CSV/JSON or streamed to your SIEM.
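A hash-chained, tamper-evident log like the one described above, as an added example that is not Kaito's code. Each entry carries the hash of its predecessor, so editing or deleting an earlier entry breaks every later link; `verify_chain` walks the chain from a fixed genesis value and reports the first entry that no longer matches. The field names and the three sample log entries are constructed for this illustration.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64  # fixed predecessor hash for the first entry


def _canonical(entry: Dict[str, Any]) -> bytes:
    # Deterministic serialization so an entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[Dict[str, Any]], ts: str, actor: str,
                 action: str, target: str) -> Dict[str, Any]:
    """Append an entry whose hash covers its content and the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "actor": actor,
            "action": action, "target": target, "prev_hash": prev_hash}
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: List[Dict[str, Any]]) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # Link check: sequence number and back-pointer must match the walk so far.
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return i
        # Content check: the stored hash must equal the hash of the stored fields.
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1


def demo() -> Tuple[int, int, int]:
    """Constructed log: intact chain, then an edited entry, then a deleted entry."""
    chain: List[Dict[str, Any]] = []
    append_entry(chain, "2025-01-01T09:00:00Z", "alice", "auth.login", "alice")
    append_entry(chain, "2025-01-01T09:01:00Z", "alice", "code.generate", "aws-root")
    append_entry(chain, "2025-01-01T09:02:00Z", "alice", "seed.view", "aws-root")
    intact = verify_chain(chain)

    edited = copy.deepcopy(chain)
    edited[1]["actor"] = "bob"          # rewrite who generated the code
    tampered_at = verify_chain(edited)

    truncated = copy.deepcopy(chain)
    del truncated[1]                    # drop the code-generation event entirely
    deleted_at = verify_chain(truncated)
    return intact, tampered_at, deleted_at


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1)
```

Two caveats a reviewer would raise: a chain only proves integrity relative to its head, so the latest hash must be anchored somewhere the database writer cannot reach (exported to the SIEM, or signed and stored elsewhere), otherwise an attacker with write access can rewrite the whole chain consistently; and removing only the final entry is invisible to `verify_chain` for the same reason, which the external anchor also covers.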

Where is data hosted?

US (default) or EU (Enterprise). Both regions are isolated, with no cross-region replication.

Subprocessors?

Listed and versioned at /legal/subprocessors. Includes AWS (S3, SES), Bandwidth, Telnyx, Inkress, and our hosting provider.

What's your security disclosure policy?

security@kaito.io. PGP key on /security. We commit to acknowledging within 24 business hours and remediating critical issues within 7 days.

Pen tests?

Annual third-party. Latest report available under NDA.

SOC 2?

Not yet. SOC 2 Type I is planned for 2026, with Type II to follow. We are happy to share our security architecture, threat model, and pen test summary under NDA in the meantime — email compliance@kaito.io.

Want the security whitepaper?

Email compliance@kaito.io and we'll send it. NDA on request.