Security

Your infrastructure. Not shared.

Every Kaimera customer runs on dedicated, isolated compute with zero exposed ports. The same isolation model used by banks — not the shared containers used by most SaaS.

Security Architecture

Built different, by design

Dedicated Fly.io Machines

Each customer gets their own Fly.io Machine with its own kernel, memory, and network stack. Not Docker containers on shared infrastructure — hardware-level isolation with persistent encrypted volumes.

Cloudflare Zero Trust

All traffic is encrypted with TLS 1.3 end-to-end. Every machine runs on Fly.io's global network with built-in DDoS protection and private networking between services.

Encryption Everywhere

TLS 1.3 on every connection. API keys and credentials stored in a service-role-only encrypted secrets table. No plaintext secrets ever touch application logs or client-facing responses.

Identity & Access Control

OAuth 2.0 with PKCE for all integrations. Row-level security on every database table ensures users can only access their own organization's data. Service-role isolation for sensitive operations.

Defense in Depth

Multiple layers: HSTS and security headers on every response, Fly.io private networking between services, token-authenticated gateway protocol, and timing-safe secret comparison.

Secure by Default

Security headers (HSTS, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy) enforced on every response. No camera, microphone, or geolocation permissions granted. HTTPS-only — no HTTP fallback.


Isolation Comparison

Not all "multi-tenant" is created equal

| Security Property | Shared Containers (most SaaS) | Kaimera (Dedicated Machines) |
|---|---|---|
| Kernel isolation | Shared kernel | Separate kernel per customer |
| Memory isolation | Namespace-level (software) | Hardware-enforced (hypervisor) |
| Network stack | Shared, partitioned | Dedicated per customer |
| Blast radius of compromise | All customers on host | Single customer only |
| Side-channel attacks | Possible (shared CPU cache) | Mitigated (separate machine) |
| Independent patching | Host-level only | Per-customer machine lifecycle |

In Practice

How we protect your data

Infrastructure

  • Dedicated Fly.io Machine per customer — not shared containers
  • Private networking — internal services never exposed publicly
  • TLS 1.3 on every connection — no plaintext traffic
  • Persistent encrypted volumes for customer workspace data
  • Automated golden image builds for consistent, hardened machines

Data Protection

  • TLS 1.3 on all connections — no HTTP fallback
  • API keys in service-role-only encrypted secrets table
  • Row-level security on every database table
  • OAuth 2.0 with PKCE for all third-party integrations
  • Timing-safe token comparison prevents timing attacks

Application Security

  • HSTS with includeSubDomains on every response
  • X-Frame-Options DENY prevents clickjacking
  • Strict Referrer-Policy and Permissions-Policy
  • No camera, microphone, or geolocation browser permissions
  • Parameterized queries — no SQL injection surface
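
The header controls listed above (HSTS with includeSubDomains, X-Frame-Options DENY, CSP, Referrer-Policy, Permissions-Policy) can be checked from the outside by auditing a captured response. The following is an added example, not Kaimera's code; the sample headers are constructed, and the set of Referrer-Policy values treated as strict is an assumption because the page names no value.

```python
def directives(value, sep):
    """Split a header value into stripped, lower-cased directives."""
    return [d.strip().lower() for d in value.split(sep) if d.strip()]

# Assumption: the page says "strict" without naming a value; these are accepted.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def audit_headers(headers):
    """Return sorted findings; an empty list means every listed control is present."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = directives(h.get("strict-transport-security", ""), ";")
    max_age = next((d.split("=", 1)[1].strip('"') for d in hsts
                    if d.startswith("max-age=")), "")
    if not max_age.isdigit() or int(max_age) == 0:  # max-age=0 switches HSTS off
        findings.append("hsts: max-age missing or zero")
    if "includesubdomains" not in hsts:
        findings.append("hsts: missing includeSubDomains")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("x-frame-options: not DENY")
    # The page gives no CSP policy text, so only presence is checked.
    if not h.get("content-security-policy", "").strip():
        findings.append("csp: missing")
    # Of a comma-separated list the last recognised value applies; check the last.
    ref = directives(h.get("referrer-policy", ""), ",")
    if not ref or ref[-1] not in STRICT_REFERRER:
        findings.append("referrer-policy: missing or not strict")
    perms = dict(d.partition("=")[::2]
                 for d in directives(h.get("permissions-policy", ""), ","))
    for feature in ("camera", "microphone", "geolocation"):
        if perms.get(feature, "").strip() != "()":  # "()" is an empty allow-list
            findings.append(f"permissions-policy: {feature} not disabled")
    return sorted(findings)

GOOD = {  # constructed sample matching the controls the page lists
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # constructed sample with gaps the audit should report
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=(), geolocation=(self)",
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_headers(sample))
```
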

Credentials & Secrets

  • All credentials stored in isolated, RLS-protected database table
  • Pushed to your dedicated machine over encrypted connection
  • Never logged, never included in error responses
  • Never shared with other customers or accessible cross-org
  • Integration tokens scoped to minimum required permissions

Compliance

Standards and certifications

SOC 2 Type II: In Progress

Infrastructure and practices designed for SOC 2 from day one. Formal audit underway.

GDPR: Compliant

EU data protection compliance. Data processing agreements available on request.

PCI DSS: Via Stripe

Payment processing handled entirely by Stripe. We never store or process card data.

0 Shared Compute

1:1 Dedicated Machine Per Customer

TLS 1.3 On Every Connection

Responsible Disclosure: We welcome security researchers. If you discover a vulnerability, please report it to security@kaimeraos.ai. We commit to acknowledging reports within 48 hours.