KAIROVEL
SECURITY POLICY
Effective Date: February 26, 2026
Version 1.0

Our Commitment: Kairovel treats the security of your data as a foundational priority, not an afterthought. We implement industry-standard security controls and continuously review our practices to protect your information.

1. INTRODUCTION AND PURPOSE
This Security Policy ("Policy") describes the technical and organizational security measures that Kairovel ("Company", "we", "us") implements to protect user data and maintain the integrity, confidentiality, and availability of the Kairovel Service.
This Policy applies to all systems, infrastructure, personnel, and processes involved in the delivery of the Kairovel desktop application and related services. It is designed to inform users about our security practices and our commitment to protecting sensitive information, including audio recordings, transcripts, screen data, and personal account information.
Kairovel is a neutral AI productivity tool. Our security obligations extend to protecting the data you generate while using the Service. The contexts in which you choose to use the Service are governed by our Terms and Conditions, under which you bear sole responsibility for ensuring your use is appropriate in your specific context.
This Policy is subject to change at any time. Material updates will be reflected in the Effective Date above. Continued use of the Service constitutes acceptance of the updated Policy.
1.1 Compliance Standards
Kairovel is committed to maintaining alignment with globally recognized data protection and security frameworks. Our security practices are designed and implemented to maintain compliance with the following standards and regulations:
General Data Protection Regulation (GDPR): We comply with GDPR requirements governing the collection, processing, storage, and transfer of personal data of individuals in the European Economic Area and United Kingdom. This includes lawful basis for processing, data subject rights, data minimization, and breach notification obligations.
California Consumer Privacy Act (CCPA): We comply with CCPA requirements providing California residents with rights over their personal information, including the right to know, right to delete, and right to opt out of the sale of personal information. Kairovel does not sell personal information.
SOC 2 (Service Organization Control 2): Our infrastructure and operational practices are built to meet SOC 2 Trust Service Criteria covering security, availability, processing integrity, confidentiality, and privacy. We implement the security controls, audit logging, access management, and operational practices that align with SOC 2 standards across our systems.
ISO 27001: Our information security management system follows ISO 27001 principles for establishing, implementing, maintaining, and continually improving information security. This encompasses risk assessment and treatment, access control policies, incident management procedures, business continuity planning, and regular security reviews — all consistent with ISO 27001 requirements.
Compliance Note: Kairovel maintains security and privacy practices consistent with GDPR, CCPA, SOC 2, and ISO 27001 standards. These are living commitments — we continuously review and strengthen our practices as security standards and threats evolve.

2. DATA ENCRYPTION
2.1 Encryption in Transit
All data transmitted between your device and Kairovel servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher. This includes:
  •  All API communications between the Kairovel desktop application and our backend servers
  •  Audio data streamed for real-time transcription and processing
  •  Screen context data transmitted for AI analysis
  •  Account authentication and session management communications
  •  Document uploads and knowledge base synchronization

We enforce HTTPS-only connections and reject unencrypted connections. We implement HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
2.2 Encryption at Rest
Data stored on Kairovel servers is protected using AES-256 encryption, one of the strongest encryption standards available. This applies to:
  •  User account information and authentication credentials
  •  Session transcripts, summaries, and notes stored in your knowledge base
  •  Uploaded documents and knowledge base files
  •  Database records containing user data and session metadata

Encryption keys are managed using industry best practices, including key rotation policies and separation of key management from encrypted data storage.
2.3 Audio and Screen Data
Audio captured during sessions is processed using encrypted channels. Raw audio data is handled with particular care:
  •  Audio streams are transmitted over encrypted connections exclusively
  •  Transcription processing occurs in isolated, secure environments
  •  Raw audio is processed in memory where technically feasible and is not permanently stored in raw form beyond what is necessary for transcription
  •  Processed transcripts are stored with the same encryption standards applied to all stored data

3. AUTHENTICATION AND ACCESS CONTROL
3.1 User Authentication
Kairovel implements secure authentication practices to protect user accounts:
  •  Passwords are hashed using strong one-way hashing algorithms (bcrypt with appropriate cost factor) — we never store plaintext passwords
  •  Secure, time-limited authentication tokens are used for session management
  •  Session tokens are invalidated upon logout and after periods of inactivity
  •  We support and encourage the use of strong, unique passwords
  •  Where supported, multi-factor authentication (MFA) options are available to enhance account security
3.2 Internal Access Controls
Access to user data within Kairovel's internal systems is strictly controlled:
  •  We operate on a least-privilege access model — employees and systems are granted only the minimum access necessary to perform their functions
  •  Access to production systems and user data is restricted to authorized personnel with a demonstrated business need
  •  All internal access is logged and subject to periodic review
  •  Administrative access requires additional authentication factors
  •  Access privileges are reviewed and revoked promptly when no longer required
3.3 Third-Party Access
Third-party service providers who have access to user data as part of providing their services are:
  •  Subject to data processing agreements that restrict their use of data to providing services to Kairovel
  •  Required to maintain security standards consistent with or exceeding those described in this Policy
  •  Evaluated for their security posture prior to engagement

4. INFRASTRUCTURE AND OPERATIONAL SECURITY
4.1 Cloud Infrastructure
Kairovel's backend infrastructure is hosted on reputable cloud service providers that maintain industry-recognized security certifications. Our infrastructure security includes:
  •  Deployment in secure, geographically distributed data centers with physical access controls
  •  Network segmentation to isolate sensitive systems and data
  •  Firewalls and intrusion detection systems to monitor and block unauthorized access attempts
  •  Regular patching and updates to operating systems, dependencies, and application components
  •  Automated vulnerability scanning of infrastructure components
4.2 Application Security
Our development and deployment practices incorporate security throughout the software development lifecycle:
  •  Secure coding practices and code review processes to identify and remediate security vulnerabilities
  •  Regular dependency audits to identify and address known vulnerabilities in third-party libraries
  •  Input validation and output encoding to prevent injection attacks
  •  Protection against common web application vulnerabilities including those identified in the OWASP Top 10
  •  Separation of development, staging, and production environments
4.3 Monitoring and Logging
Kairovel maintains comprehensive monitoring and logging to detect and respond to security events:
  •  Continuous monitoring of system performance, availability, and security metrics
  •  Security event logging for authentication attempts, access events, and system changes
  •  Automated alerting for anomalous activity patterns
  •  Log retention for security investigation and compliance purposes
  •  Regular review of security logs by authorized personnel

5. AUDIO AND SCREEN DATA SECURITY — SPECIAL PROVISIONS
Sensitive Data Notice: Audio recordings and screen content are among the most sensitive types of data Kairovel processes. We apply heightened security controls to this data given its sensitive nature.

5.1 Audio Data Security
Given the sensitive nature of audio recordings, we implement the following specific controls:
  •  Audio capture is activated only upon explicit user action — there is no passive or background audio monitoring
  •  Audio streams are encrypted end-to-end from your device to our processing servers
  •  Audio processing occurs in isolated, secure compute environments
  •  Access to audio data and transcripts is restricted to the account owner
  •  Audio data is not shared with or sold to advertising networks or data brokers under any circumstances
  •  Users may delete their audio-derived transcripts and session data at any time through the application
5.2 Screen Content Security
Screen context processing is subject to the following security measures:
  •  Screen capture is activated only upon explicit user action — no passive screen monitoring occurs
  •  Screen content data is transmitted over encrypted connections only
  •  Screen data is processed for the purpose of providing AI assistance and is not used for advertising or profiling
  •  Screen content is not permanently stored beyond what is necessary for the immediate AI assistance function

6. DATA BACKUP AND RECOVERY
Kairovel maintains data backup and recovery capabilities to ensure service continuity and protect against data loss:
  •  Regular automated backups of user data and system databases
  •  Backups are encrypted using the same standards applied to primary data storage
  •  Backup integrity is verified through regular restoration testing
  •  Geographic redundancy to protect against regional infrastructure failures
  •  Defined recovery time and recovery point objectives to minimize data loss in the event of an incident

7. INCIDENT RESPONSE AND BREACH NOTIFICATION
7.1 Incident Response
Kairovel maintains an incident response plan to address security incidents promptly and effectively. Our response process includes:
  •  Immediate containment and isolation of affected systems upon detection of a security incident
  •  Investigation to determine the scope, cause, and impact of the incident
  •  Remediation of the root cause and implementation of measures to prevent recurrence
  •  Post-incident review and documentation to improve our security posture
7.2 Breach Notification
In the event of a data breach that affects your personal information, Kairovel will:
  •  Notify affected users without undue delay and within the timeframes required by applicable law (including within 72 hours of discovery as required under GDPR where applicable)
  •  Provide clear information about the nature of the breach, categories of data affected, and steps taken in response
  •  Notify relevant regulatory authorities as required by applicable law
  •  Provide guidance on steps users can take to protect themselves

Breach Notification Commitment: We commit to transparent and timely communication with affected users in the event of any security incident that compromises their personal data. We will never attempt to conceal or minimize a material security incident.

8. VULNERABILITY DISCLOSURE
8.1 Responsible Disclosure
Kairovel is committed to working with the security research community to identify and address security vulnerabilities. If you discover a potential security vulnerability in the Kairovel Service, we encourage responsible disclosure:
  •  Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
  •  Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate it
  •  Provide us with sufficient detail to reproduce and understand the vulnerability
  •  Report the vulnerability through our official security contact channel (to be provided at kairovel.com)

We will acknowledge receipt of your report, investigate the issue promptly, and keep you informed of our progress. We will not pursue legal action against researchers who act in good faith in accordance with these guidelines.
8.2 Scope
Our vulnerability disclosure program covers security vulnerabilities in the Kairovel desktop application, web application, and associated API endpoints. It does not cover social engineering attacks, physical security issues, or vulnerabilities in third-party services outside our control.

9. THIRD-PARTY SECURITY
Kairovel relies on third-party services including AI model providers, cloud infrastructure providers, and payment processors. We take the following steps to manage third-party security risk:
  •  Due diligence review of security practices before engaging third-party providers
  •  Data processing agreements that impose security obligations on third parties who process user data
  •  Preference for providers with recognized security certifications and strong security track records
  •  Limiting the scope of data shared with third parties to what is strictly necessary
  •  Regular review of third-party relationships and access privileges

A list of key third-party service providers and their roles will be maintained and made available upon request through our contact channels at kairovel.com.

10. USER SECURITY RESPONSIBILITIES
While Kairovel implements robust security controls, users also play an important role in maintaining the security of their accounts and data:
Your Security Responsibilities: Security is a shared responsibility. The measures below are within your control and significantly contribute to the overall security of your account.

  •  Use a strong, unique password for your Kairovel account that you do not use for other services
  •  Enable multi-factor authentication if available for your account type
  •  Keep your device operating system and Kairovel application updated to the latest versions
  •  Do not share your account credentials with others
  •  Log out of your account when using shared or public devices
  •  Be cautious of phishing attempts — Kairovel will never ask for your password via email or chat
  •  Report any suspicious activity related to your account promptly
  •  Ensure you comply with applicable recording consent laws when using audio features

11. LIABILITY IN THE EVENT OF A SECURITY BREACH OR CYBERATTACK
IMPORTANT — Please Read Carefully: This section defines the allocation of legal responsibility between Kairovel and its users in the event of a security incident, unauthorized access, cyberattack, or data breach. By using the Service, you acknowledge and agree to the terms set out below.

11.1 Kairovel's Obligations
Kairovel commits to implementing and maintaining industry-standard security measures as described in this Policy, including encryption, access controls, monitoring, and incident response procedures. In the event of a confirmed security breach affecting user data, Kairovel agrees to:
  •  Investigate the incident promptly and take all reasonable steps to contain and remediate it
  •  Notify affected users and relevant regulatory authorities as required by applicable law and within legally mandated timeframes
  •  Provide transparent information about the nature, scope, and impact of the breach
  •  Take corrective measures to prevent recurrence of similar incidents
11.2 Limitation of Kairovel's Liability for Security Incidents
NOTWITHSTANDING KAIROVEL'S SECURITY COMMITMENTS, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT:
No security system is impenetrable. Despite implementing reasonable and industry-standard security measures, Kairovel cannot guarantee that unauthorized third parties will never be able to defeat those measures or gain access to user data. Cyberattacks, including sophisticated nation-state attacks, zero-day exploits, and supply chain compromises, may occur despite our best efforts and may be beyond our reasonable control.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KAIROVEL SHALL NOT BE LIABLE FOR ANY LOSS, DAMAGE, OR HARM — INCLUDING BUT NOT LIMITED TO LOSS OF DATA, FINANCIAL LOSS, REPUTATIONAL HARM, OR CONSEQUENTIAL DAMAGES — RESULTING FROM: (A) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR DATA BY THIRD PARTIES DUE TO A CYBERATTACK, HACKING INCIDENT, OR SECURITY BREACH THAT OCCURS DESPITE KAIROVEL'S IMPLEMENTATION OF REASONABLE SECURITY MEASURES; (B) SECURITY VULNERABILITIES IN THIRD-PARTY SERVICES, INFRASTRUCTURE PROVIDERS, OR AI MODEL PROVIDERS THAT ARE OUTSIDE KAIROVEL'S DIRECT CONTROL; (C) YOUR FAILURE TO MAINTAIN THE SECURITY OF YOUR OWN ACCOUNT CREDENTIALS, DEVICES, OR NETWORK; OR (D) FORCE MAJEURE EVENTS INCLUDING BUT NOT LIMITED TO LARGE-SCALE INFRASTRUCTURE ATTACKS, GOVERNMENTAL ACTIONS, OR OTHER EVENTS BEYOND OUR REASONABLE CONTROL.
11.3 User Responsibility for Account Security
You bear sole and exclusive responsibility for any security incident that results from: (a) your disclosure of your account credentials to any third party; (b) your use of a weak, reused, or compromised password; (c) your failure to log out of shared or public devices; (d) your installation of malware, spyware, or other malicious software on your device; or (e) your failure to apply available security updates to your device or the Kairovel application. Kairovel shall have no liability whatsoever for security incidents caused or contributed to by your own actions or omissions.
11.4 Third-Party and Infrastructure Breaches
Kairovel relies on third-party cloud infrastructure, AI model providers, and other service providers to deliver the Service. While we carefully select providers with strong security credentials and bind them to contractual security obligations, Kairovel cannot be held liable for security incidents that originate within or are caused by those third-party systems. In the event of a breach by a third-party provider, Kairovel will cooperate fully with any investigation, notify affected users as required, and take all commercially reasonable steps to mitigate impact. However, Kairovel's liability in such circumstances shall be limited as set out in our Terms and Conditions.
11.5 Shared Responsibility Model
The security of the Service operates on a shared responsibility model:
  •  Kairovel is responsible for: the security of the application itself, server infrastructure, data transmission, stored data encryption, access controls, and incident response
  •  Users are responsible for: the security of their own devices, network environments, account credentials, and compliance with applicable laws governing their use of recording and AI features
  •  Third-party providers are responsible for: the security of their own platforms and infrastructure, governed by their own terms and security certifications

Honest Acknowledgment: We will always be transparent with you if a security incident occurs. We will never hide a breach or minimize its impact. However, in recognition that no system is completely immune to sophisticated attacks, our legal liability for such incidents is limited as described above. This limitation is an essential and reasonable condition of providing the Service at its current price point.

12. CHILDREN'S DATA SECURITY
The Kairovel Service is not directed to children under the age of 13. We do not knowingly collect, process, or store personal data from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will take immediate steps to delete such data. If you believe we may have collected data from a child, please contact us through our website.

13. SECURITY UPDATES AND POLICY CHANGES
Security threats and best practices evolve continuously. Kairovel reviews and updates its security practices on an ongoing basis. This Security Policy will be updated to reflect material changes in our security practices.
WE RESERVE THE RIGHT TO MODIFY THIS SECURITY POLICY AT ANY TIME. Updates will be reflected in the Effective Date at the top of this document. Your continued use of the Service following any updates constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.

14. CONTACT AND REPORTING
To report a security vulnerability, concern, or incident, or to ask questions about this Security Policy, please contact us through the official Kairovel website. Security contact details will be published and maintained at kairovel.com.
For urgent security matters, please clearly mark your communication as "SECURITY — URGENT" so it can be prioritized appropriately.


© 2025 Kairovel. All Rights Reserved. Security is our commitment.