Security at Kira
Security is built into how Kira is designed and operated. We encrypt your data, restrict and log access, monitor our systems continuously, and review our practices against recognized industry standards.
This page is a summary. The complete technical detail, certifications, and sub-processor list live on our Security & Compliance page in the legal section.
Highlights
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Least-privilege access with SSO and MFA on eligible plans.
- Continuous monitoring, logging, and a tested incident-response plan.
- A privacy-first default: we do not train models on your content unless you opt in.
- Regular vulnerability scanning and periodic penetration testing.
How we protect your data
| Layer | What we do |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256 at rest; managed keys with rotation. |
| Access | Least-privilege, role-based access; SSO and MFA; access is logged. |
| Infrastructure | Runs on AWS with isolated production environments. |
| Monitoring | Continuous logging, alerting, and 24/7 on-call response. |
| Data use | No model training on your content unless you opt in. |
Certifications and frameworks
| Framework | Status | Scope |
|---|---|---|
| SOC 2 Type II | In progress | Security, availability, confidentiality |
| ISO/IEC 27001 | Planned | Information security management |
| GDPR | Compliant | EU/EEA personal data |
| CCPA / CPRA | Compliant | California consumer privacy |
Sub-processors and data residency
We rely on a small set of vetted providers, each bound by data-protection terms. The current list, along with regional data-residency options, is maintained on the Security & Compliance page.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, email security@kira.ai. We acknowledge reports promptly and will not pursue good-faith research conducted under our guidelines.
Standards and references
Frequently asked questions
Quick answers to common questions.
Eligible customers can request our security overview, sub-processor list, attestations, and DPA by emailing security@kira.ai.
No. We do not train models on your content unless you opt in, and never on business customer content.
Email security@kira.ai with details. We acknowledge promptly and protect good-faith research conducted under our guidelines.
Depending on your plan and region, US or EU data residency may be available. See the Security & Compliance page for current options.