Security

Kai is a product under OnyxLabs, a brand operated by Onyx Management, LLC.

1. Data Encryption

In Transit

All data transmitted between your browser and Kai is encrypted using TLS 1.2 or higher. API communications are enforced over HTTPS with HSTS and security headers enabled. We do not support plaintext HTTP connections.

At Rest

Sensitive credentials (integration API keys, OAuth tokens, third-party connector secrets) are encrypted at the application level. Customer data stored in our managed Postgres benefits from infrastructure-level encryption provided by our database host.

2. Infrastructure

Kai runs on managed cloud infrastructure with the following characteristics:

• Hosted on cloud providers that maintain SOC 2 Type II certified data centers
• Provider-managed network isolation and security groups
• Managed database backups via our cloud database host
• Application-level rate limiting to mitigate abuse
• Infrastructure-as-code with version-controlled deployments
• Environment separation via configuration management

3. Tenant Isolation

Kai is a multi-tenant SaaS application with strict data isolation enforced at the application and database layers:

• Row-level isolation: every database table includes a tenant identifier, and every query is scoped to the requesting user’s tenant. There is no code path that returns data without a resolved user-tenant binding.
• No shared agent context: the agent specialists that run your GTM motion operate against your tenant’s context only. One customer’s data, brand voice, pipeline, or drafts are never accessible to, or commingled with, another customer’s.
• Per-tenant configuration: ICP, brand voice, sequences, integration credentials, and agent roster live in per-tenant configuration. We do not branch product behavior by tenant.
• Audit-grade history: agent actions (drafts created, emails sent, sequences advanced, content published) are logged with actor, timestamp, and tenant scope.

4. Access Controls

We enforce strict access controls at every layer:

• Application level: Role-based access control (RBAC) ensures users only see data they are authorized to access within their tenant.
• Internal access: Employee access to production systems follows the principle of least privilege, with multi-factor authentication required.
• Production change control: all changes to production code are made via pull request with mandatory reviewer approval and automated CI checks. Direct commits to production branches are blocked.
• Audit logging: permission changes are recorded in an append-only audit log; data-access and agent-action events are logged with actor, timestamp, and full lineage.
• Session management: Secure session handling with configurable timeout policies.

5. Authentication

Kai supports secure authentication:

• Secure password policies with industry-standard hashing
• Multi-factor authentication (MFA) via TOTP-based authenticator apps
• SSO integration (configurable per tenant on Enterprise tier)
• API authentication via time-limited bearer tokens

6. Data Processing and AI

Your GTM data is processed by Kai’s agent specialists with the following safeguards:

• Data isolation: Each customer’s data is logically isolated. One customer’s data is never accessible to another.
• No model training on customer data: Your data is not used to train shared AI models. Foundation models are applied to your data, not trained on it.
• AI processing disclosure: Drafting, classification, and reasoning features transmit data to Anthropic’s Claude API (and optionally OpenAI). Anthropic and OpenAI’s commercial API terms prohibit using customer data for model training.
• Approval gates: outbound emails, social posts, and other external communications surface as drafts for review before being sent. You can configure auto-send rules per agent and channel; the default is human review.
• Retention controls: You retain full ownership of your data. Upon contract termination, data can be exported via our data export endpoint or securely deleted upon request.

7. Data Retention and Deletion

Customer data lifecycle is governed by mutual contract terms and applicable legal requirements:

• Active retention: customer data is retained for the duration of the active contract.
• Customer-initiated export: customers may export contacts, pipeline, drafts, and reports at any time during the contract via the application.
• Customer-initiated deletion: customers may request account and data deletion at any time. Deletion is performed within 30 days of request unless a legal hold applies.
• Backups: managed database backups are retained per our database host’s standard policy and are subject to the same isolation and access controls as production data.
• Audit and security logs: retained to support investigation and compliance review.

8. Application Security

Our development practices include:

• Secure development lifecycle with code reviews required on all changes
• Input validation via schema enforcement and parameterized queries
• Automated dependency scanning (Dependabot) in CI
• Content Security Policy (CSP), HSTS, and other security headers on all responses
• Global API rate limiting to prevent abuse
• Structured error handling that does not expose implementation details to clients

9. Subprocessors

We use a small number of trusted infrastructure and AI providers to deliver Kai. We require an executed Data Processing Agreement with each subprocessor before any production customer data is processed; DPAs in force at the time of contract signature are available on request.

• Vercel — application hosting and edge network for the Kai web app.
• Supabase — managed Postgres, auth, and storage. Customer GTM data at rest.
• Stripe — subscription billing and payment processing.
• Anthropic — AI drafting, classification, and reasoning via the Claude API. Inputs are processed under Anthropic’s commercial API terms, which prohibit use of customer data for model training.
• OpenAI — optional AI fallback when configured. Same processing scope as Anthropic.
• Email and CRM integrations — where you connect them (e.g., Microsoft Graph, Google APIs, LinkedIn, prospecting providers), Kai transmits data to those services as instructed by your configured agents.

A current subprocessor list and copies of executed Data Processing Agreements are available on request. We notify customers of material changes to our subprocessor list with reasonable advance notice.

10. Incident Response

We are committed to transparent incident handling:

• Customer notification within 72 hours of confirmed data breaches, in compliance with GDPR requirements
• Post-incident review and remediation
• Structured logging and audit trails to support investigation

11. Compliance

Kai is committed to meeting the compliance requirements expected by enterprise customers:

• SOC 2 Type II: We are actively pursuing SOC 2 Type II certification. Our infrastructure and processes are designed to meet SOC 2 Trust Service Criteria for Security, Availability, and Confidentiality.
• GDPR: We support data subject rights including data export (portability) and account deletion (right to erasure).
• CCPA: We do not sell personal information. Users can request data export and account deletion at any time.

12. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in our services, please report it to us:

Email: legal@with-kai.ai

We ask that you:

• Provide sufficient detail for us to reproduce and fix the issue
• Allow reasonable time for remediation before public disclosure
• Do not access or modify other users’ data
• Do not disrupt service availability

We commit to acknowledging receipt within 2 business days and providing an initial assessment within 5 business days.

13. Questions

For security-related inquiries, security questionnaire responses, or to request copies of our Data Processing Agreements and subprocessor list, please contact:

Kai — a product under OnyxLabs, a brand operated by Onyx Management, LLC
Email: legal@with-kai.ai

We respond to security questionnaires (CAIQ-Lite, SIG Lite, vendor-specific) within 5 business days for active commercial conversations.

For general inquiries: hello@with-kai.ai