Our approach to security
Security is built into how Kira is designed, not added at the end. We follow the principle of least privilege, encrypt data by default, monitor our systems continuously, and review our practices against recognized industry standards.
Infrastructure
Kira runs on Amazon Web Services (AWS) in data centers that maintain leading physical and environmental security controls. Production systems are isolated from development environments, and access to infrastructure is restricted, logged, and reviewed.
Encryption
- Data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256.
- Secrets and keys are managed through a dedicated key management service with regular rotation.
Access controls
- Single sign-on (SSO) and multi-factor authentication (MFA) are available on eligible plans.
- Internal access to customer data is limited to staff who need it for support or operations and is logged.
- Role-based access controls govern what each team member can see and do inside your workspace.
Certifications and frameworks
We align our program with widely recognized frameworks and pursue independent attestation as we scale.
| Framework | Status | Scope |
|---|---|---|
| SOC 2 Type II | In progress | Security, availability, confidentiality |
| ISO/IEC 27001 | Planned | Information security management |
| GDPR | Compliant | EU/EEA personal data |
| CCPA / CPRA | Compliant | California consumer privacy |
Certification statuses above are illustrative placeholders. Update them to reflect your current attestations before publishing.
Sub-processors
We rely on a small set of vetted providers to deliver the service. Each is bound by data-processing terms consistent with our obligations to you.
| Provider | Service | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure and storage | US / EU |
| Stripe | Payment processing | US / EU |
| A model provider | Large language model inference | US |
| An email delivery provider | Transactional email | US |
Vulnerability management
We scan our systems for vulnerabilities, patch on a risk-based schedule, and run periodic penetration tests. We welcome reports from security researchers through our Responsible Disclosure process.
Incident response
We maintain an incident-response plan and a 24/7 on-call rotation. If a security incident affects your data, we will notify you without undue delay and within the timeframes required by applicable law. Contact security@kira.ai for security questions.
Standards and references
Our security program is informed by the following recognized standards and authorities:
Frequently asked questions
Quick answers to common questions.
Data is stored on AWS infrastructure. Depending on your plan and region, you may be able to choose a US or EU storage region.
Yes. Data is encrypted in transit with TLS 1.2+ and at rest with AES-256.
Customers on eligible plans can request our security overview, sub-processor list, and applicable attestations by contacting security@kira.ai.
Please email security@kira.ai with details. We acknowledge reports promptly and will not pursue good-faith research conducted under our disclosure guidelines.