Security

Last Updated: February 20, 2026

At Kolz.AI, security is our top priority. We implement industry-leading practices to protect your data and ensure the integrity of our platform.

1. Data Encryption

1.1 Encryption in Transit (TLS/SSL)

All data transmitted between your browser and our servers is protected using:

  • TLS 1.3: The current version of the Transport Layer Security protocol
  • HTTPS Everywhere: All connections are encrypted by default (no HTTP fallback)
  • Perfect Forward Secrecy (PFS): Ephemeral per-session keys, so a compromise of the server's long-term key does not expose previously captured sessions
  • HSTS Enabled: HTTP Strict Transport Security tells browsers to refuse plain-HTTP connections to our domain

1.2 Encryption at Rest (AES-256)

All stored data is encrypted using industry-standard algorithms:

  • AES-256 Encryption: Database records are encrypted with 256-bit AES
  • Encrypted Storage: Contact lists, call recordings, and user data encrypted at rest
  • Secure Backups: All backups are encrypted and stored in geographically distributed locations
  • Key Management: Encryption keys are stored separately from the data they protect and rotated regularly

1.3 Credential and Secret Protection

Passwords are never stored in a recoverable form. They are hashed with bcrypt (a salted, deliberately slow password hash) before storage, so we cannot read or decrypt them; the only way to regain access to an account is a password reset. Secrets that must be read back, such as API keys and any payment-related data we hold, are encrypted with AES-256 before storage; card processing itself is handled by our PCI DSS compliant payment processor (see Section 7).

2. Access Control and Authentication

2.1 User Authentication

  • Multi-Factor Authentication (MFA): Optional 2FA via email or authenticator apps
  • OAuth 2.0: Secure third-party login via Google, GitHub (optional)
  • Session Management: Short-lived JSON Web Tokens (JWTs) with automatic refresh
  • Rate Limiting: Protection against brute-force attacks (sign-in is refused after 5 failed attempts within 15 minutes)
  • Password Requirements: Minimum 8 characters, must include uppercase, lowercase, numbers

2.2 Role-Based Access Control (RBAC)

Access to data and features is restricted based on user roles:

  • User Isolation: Your data is isolated from other users' data; every request is authorized against the account that owns the data
  • Least Privilege: Each user and API key holds only the permissions it needs, and nothing by default
  • Team Permissions: Granular permissions for team members (Admin, Member, Viewer)
  • API Key Scoping: API keys can be restricted to specific actions
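One way to implement the role and API-key scoping rules above, added as an example and not Kolz.AI's code. The permission names, team ids and principal shapes are invented for the illustration; the point is the deny-by-default structure: every request is scoped to a team, per-user records are visible only to their owner or an Admin, and a scoped API key can never do more than the user who created it.

```javascript
// Added example (not Kolz.AI's code): deny-by-default authorization for the
// Admin/Member/Viewer roles and for API keys restricted to specific actions.
// Permission names and principal shapes are constructed for the example.
const ROLE_PERMISSIONS = {
  Admin:  new Set(['contacts:read', 'contacts:write', 'calls:read', 'calls:write', 'team:manage', 'apikeys:manage']),
  Member: new Set(['contacts:read', 'contacts:write', 'calls:read', 'calls:write']),
  Viewer: new Set(['contacts:read', 'calls:read']),
};

// principal: { kind: 'user',   id, teams: { teamId: role } }
//        or  { kind: 'apikey', id, owner: { id, teams }, team, scopes: [permission, ...] }
// resource:  { team, owner }  -- owner is set on per-user data, absent on shared team data
// Returns true only when every check passes; any missing piece denies.
function authorize(principal, permission, resource) {
  if (!resource || !resource.team) return false;             // never authorize an unscoped request

  if (principal.kind === 'user') {
    const role = principal.teams[resource.team];
    if (!role) return false;                                  // not a member of this team: tenant isolation
    const perms = ROLE_PERMISSIONS[role];
    if (!perms || !perms.has(permission)) return false;       // role lacks the permission
    // per-user data is visible only to its owner, unless the caller is a team Admin
    if (resource.owner && resource.owner !== principal.id && role !== 'Admin') return false;
    return true;
  }

  if (principal.kind === 'apikey') {
    if (principal.team !== resource.team) return false;       // key is bound to one team
    if (!principal.scopes.includes(permission)) return false; // action must be explicitly in scope
    // a key acts *as its owner*: scopes can narrow the owner's rights, never widen them
    return authorize({ kind: 'user', id: principal.owner.id, teams: principal.owner.teams }, permission, resource);
  }

  return false;                                               // unknown principal kind
}
```

The recursion at the end is the least-privilege guarantee the page describes: if a Viewer creates a key with a `contacts:write` scope, the key is still refused, because the check falls through to the Viewer's own role. Revoking the owner's team membership therefore revokes every key they created as well.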

2.3 Internal Access Controls

Kolz.AI employees have limited access to customer data. Access is logged, monitored, and granted only when necessary for support or troubleshooting (with your explicit permission).

3. Infrastructure Security

3.1 Cloud Infrastructure

  • Supabase (PostgreSQL): Enterprise-grade database with SOC 2 Type II compliance
  • Vercel (Frontend Hosting): Edge network with DDoS protection and automatic TLS certificates
  • Content Delivery Network (CDN): Global edge servers for fast, secure content delivery
  • Geographic Redundancy: Data replicated across multiple availability zones

3.2 Network Security

  • Firewall Protection: Firewall rules limit inbound traffic to the services that must be reachable and block known malicious sources
  • DDoS Mitigation: Automatic protection against distributed denial-of-service attacks
  • Intrusion Detection: 24/7 monitoring for suspicious activity
  • IP Allowlisting: Option to restrict API key use to specific source IP addresses

3.3 Application Security

  • Input Validation: All user input is validated on the server against the expected type and format; injection is prevented by parameterized queries and output encoding rather than by sanitization alone
  • CSRF Protection: Cross-Site Request Forgery tokens on all state-changing requests
  • XSS Prevention: Content Security Policy (CSP) and output encoding
  • SQL Injection Protection: Parameterized queries and ORM usage
  • Dependency Scanning: Automated vulnerability scanning of all third-party libraries

4. Data Privacy and Compliance

4.1 Compliance Standards

  • GDPR (EU): General Data Protection Regulation compliance for European users
  • CCPA (California): California Consumer Privacy Act compliance
  • SOC 2 Type II: Infrastructure partners (Supabase) are SOC 2 certified
  • PCI DSS: Payment Card Industry standards (via payment processor partners)

4.2 Data Retention and Deletion

  • Account Deletion: Deleting your account removes all associated data within 90 days
  • Right to be Forgotten: Request complete data deletion (GDPR compliance)
  • Automatic Purging: Temporary files and logs deleted after 30 days
  • Secure Deletion: Data wiped using industry-standard erasure methods

4.3 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all third-party service providers to ensure they meet our security and privacy standards. Enterprise customers can request a custom DPA.

5. Monitoring and Incident Response

5.1 24/7 Monitoring

  • Real-Time Alerts: Automated alerts for suspicious activity or anomalies
  • Security Information and Event Management (SIEM): Centralized logging and analysis
  • Uptime Monitoring: Continuous monitoring of service availability
  • Performance Metrics: Track API response times and error rates

5.2 Incident Response Plan

In the event of a security incident, we follow a structured response process:

  1. Detection: Automated systems or security team identifies potential threat
  2. Assessment: Evaluate severity, scope, and impact within 1 hour
  3. Containment: Isolate affected systems to prevent spread
  4. Eradication: Remove threat and patch vulnerabilities
  5. Recovery: Restore services and verify integrity
  6. Notification: Inform affected users within 72 hours of becoming aware of the breach, and the relevant supervisory authority within the 72 hours that GDPR Article 33 requires
  7. Post-Mortem: Analyze incident and improve security measures

5.3 Breach Notification

If a data breach occurs that may affect you, we will notify you by email within 72 hours of becoming aware of it and provide details about:

  • What data was compromised
  • Steps we've taken to address the breach
  • Recommended actions for you to take
  • Contact information for further assistance

6. Secure Development Practices

6.1 Code Security

  • Code Reviews: All code changes undergo peer review before deployment
  • Static Analysis: Automated scanning for security vulnerabilities in code
  • Dependency Management: Regular updates and vulnerability scanning of dependencies
  • Secret Management: API keys and secrets stored in secure vaults (not in code)

6.2 Testing and Quality Assurance

  • Penetration Testing: Annual third-party security audits
  • Automated Testing: Continuous integration with security checks
  • Bug Bounty Program: Rewards for responsible vulnerability disclosure (planned)

6.3 Deployment Security

  • Blue-Green Deployments: Zero-downtime updates with rollback capability
  • Immutable Infrastructure: Servers are replaced rather than modified in place, which prevents configuration drift and leaves no long-lived host for an attacker to persist on
  • Audit Logging: All deployments logged for traceability

7. Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

  • Supabase (Database & Auth): SOC 2 Type II, ISO 27001, HIPAA-ready infrastructure
  • Vapi.ai (Voice AI): Enterprise-grade voice platform with data encryption
  • Dodo Payments: PCI DSS compliant payment processing
  • Vercel (Hosting): SOC 2 certified, DDoS protection, global CDN

8. Your Security Responsibilities

Security is a shared responsibility. To keep your account secure:

  • Use Strong Passwords: Avoid common passwords and use a password manager
  • Enable 2FA: Activate two-factor authentication in your account settings
  • Keep Credentials Private: Never share your password or API keys
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access
  • Update Software: Keep your browser and operating system up to date
  • Verify Emails: Be cautious of phishing attempts - we never ask for passwords via email

9. Security Certifications and Audits

While Kolz.AI is a growing startup, we rely on enterprise-grade infrastructure providers with the following certifications:

  • SOC 2 Type II: Via Supabase and Vercel
  • ISO 27001: Information security management (infrastructure partners)
  • GDPR: Data protection practices for EU residents (a legal requirement rather than a certification)
  • PCI DSS: Payment card security (via payment processors)

We are working toward obtaining direct SOC 2 certification and will update this page accordingly.

10. Responsible Vulnerability Disclosure

If you discover a security vulnerability, please help us keep Kolz.AI secure by:

  1. Email us at security@kolz.ai with details
  2. Provide a clear description and steps to reproduce the issue
  3. Allow us reasonable time to address the vulnerability before public disclosure
  4. Do not exploit the vulnerability beyond what's necessary to demonstrate it

We appreciate responsible disclosure and will acknowledge your contribution (with your permission).

11. Contact Our Security Team

For security-related inquiries, please contact us:

Kolz Inc. Security Team

Security Issues: security@kolz.ai

Privacy Concerns: privacy@kolz.ai

General Support: sales@kolz.ai

Location: India

Our Commitment to Security

Security is not a one-time effort - it's an ongoing commitment. We continuously monitor, test, and improve our security measures to protect your data. Your trust is our most valuable asset, and we take that responsibility seriously.