Guardian Baby · Security & Compliance

Your infrastructure.
Not shared.

Every Kaimera customer runs on dedicated, isolated compute. The same isolation model used by banks — not the shared containers used by most SaaS.

Your Browser Fly.io Edge (TLS + DDoS) Encrypted Connection Your Dedicated Machine

Security Architecture

Built different, by design

Guardian Baby doesn't sleep. Six layers of protection stand between your data and the outside world.

Per-Customer Pods

Each customer gets their own Fly.io Machine with its own kernel, memory, and network stack. Not Docker containers on shared infrastructure — hardware-level isolation with persistent encrypted volumes.

Encrypted Everywhere

TLS 1.3 on every connection. API keys and credentials stored in a service-role-only encrypted secrets table. No plaintext secrets ever touch application logs or client-facing responses.

Identity & Access

Supabase Auth with OAuth 2.0 and PKCE. Row-level security on every database table ensures users can only access their own organization's data. Service-role isolation for sensitive operations.

Defense in Depth

Multiple layers: HSTS and security headers on every response, Fly.io private networking between services, token-authenticated gateway protocol, and timing-safe secret comparison.

Integration Security

850+ app integrations via Composio with OAuth 2.0 and scoped permissions. Integration tokens never leave your dedicated pod. Callback URLs dynamically validated per origin.

Secure by Default

Security headers (HSTS, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy) enforced on every response. HTTPS-only — no HTTP fallback. Parameterized queries prevent SQL injection.

Isolation Comparison

Not all "multi-tenant" is equal

Security Property Shared Containers (most SaaS) Kaimera (Dedicated Machines)
Kernel isolation Shared kernel Separate kernel per customer
Memory isolation Namespace-level (software) Hardware-enforced (hypervisor)
Network stack Shared, partitioned Dedicated per customer
Blast radius All customers on host Single customer only
Side-channel attacks Possible (shared CPU cache) Mitigated (separate machine)
Independent patching Host-level only Per-customer machine lifecycle

In Practice

How we protect your data

Infrastructure

  • Dedicated Fly.io Machine per customer — not shared containers
  • Private networking — internal services never exposed publicly
  • TLS 1.3 on every connection — no plaintext traffic
  • Persistent encrypted volumes for customer workspace data
  • Automated golden image builds for consistent, hardened machines

Data Protection

  • TLS 1.3 on all connections — no HTTP fallback
  • API keys in service-role-only encrypted secrets table
  • Row-level security on every Supabase database table
  • OAuth 2.0 with PKCE for all third-party integrations
  • Timing-safe token comparison prevents timing attacks

Application Security

  • HSTS with includeSubDomains on every response
  • X-Frame-Options DENY prevents clickjacking
  • Strict Referrer-Policy and Permissions-Policy
  • No camera, microphone, or geolocation browser permissions
  • Parameterized queries — no SQL injection surface

Credentials & Secrets

  • All credentials stored in isolated, RLS-protected database table
  • Pushed to your dedicated machine over encrypted connection
  • Never logged, never included in error responses
  • Never shared with other customers or accessible cross-org
  • Integration tokens scoped to minimum required permissions

Compliance

Standards and certifications

SOC 2 Type II

In Progress

Infrastructure and practices designed for SOC 2 from day one. Formal audit underway.

GDPR

Compliant

EU data protection compliance. Data processing agreements available on request.

PCI DSS

Via Stripe

Payment processing handled entirely by Stripe. We never store or process card data.

0
Shared Compute
1 : 1
Dedicated Machine Per Customer
TLS 1.3
On Every Connection

Security questions?

We provide security documentation, data processing agreements, and can complete vendor security assessments for your team.

Contact Us security@kaimeraos.ai

Responsible Disclosure

We welcome security researchers. If you discover a vulnerability, please report it to security@kaimeraos.ai. We commit to acknowledging reports within 48 hours.

Guardian Baby watches the perimeter

Trust is earned.

Your data runs on your machine. Not ours. Not anyone else's.

Start Free Meet Your Team