Security Policy

Skyes Over London LC · Last updated: March 1, 2026 · Reviewed quarterly

Security is foundational to kAIxU. This document describes the technical and organisational controls we implement to protect your data. To report a security vulnerability, email security@kaixu.app — we respond within 24 hours and operate a responsible disclosure process.

1. Infrastructure

Hosting

Application layer: Netlify (SOC 2 Type II certified). Serverless functions run in isolated Node.js 20 runtimes with no persistent process state.

Database

Neon PostgreSQL — encrypted at rest (AES-256), isolated per-project, automatic backups with point-in-time recovery. Read replicas optionally enabled.

AI Gateway

All AI inference routes through the proprietary kAIxU gateway — a hardened Cloudflare Worker. Vendor API keys never leave the gateway. Clients authenticate with short-lived Bearer tokens.

Network

All traffic requires TLS 1.2 minimum. HSTS enforced with 2-year max-age and preload. No plaintext HTTP accepted in production.

2. Authentication and Access Control

Control	Implementation	Status
Password hashing	bcrypt, adaptive cost factor 12	✓ Active
Session tokens	JWT HS256, 14-day expiry, server-side revocation	✓ Active
Multi-factor authentication	TOTP (RFC 6238); per-account, optional	✓ Active
SSO (enterprise)	SAML 2.0 + OIDC (Google, Microsoft, Okta); JIT provisioning	✓ Active
Role-based access	owner / admin / editor / viewer per workspace and org	✓ Active
Tenant isolation	All DB queries scope to authenticated org_id / user_id	✓ Active
Rate limiting	Sliding window rate limits on all auth, AI, and write endpoints	✓ Active
IP-based signup throttling	5 accounts per IP per hour	✓ Active

3. Data Protection

3.1 Encryption

In transit: TLS 1.2+ enforced on all connections. Cipher suite configured by Netlify CDN and Cloudflare (ECDHE + AES-GCM preferred).
At rest: AES-256 encryption at the storage layer (Neon infrastructure). Application-level secrets (JWT_SECRET, API keys) stored as encrypted environment variables, never in source code.
Passwords: bcrypt with cost factor 12. Plaintext passwords are never logged, stored in memory beyond the request, or transmitted.

3.2 Secrets Management

Production secrets (JWT_SECRET, KAIXU_GATE_TOKEN, STRIPE_SECRET_KEY, etc.) are stored exclusively in Netlify's encrypted environment variable store and Cloudflare Worker secrets. They are never committed to source control. Secrets that are compromised can be rotated without code deployment.

3.3 Token Security

AI gateway Bearer tokens are stored as SHA-256 hashes in the database — the plaintext is shown only once at creation. Compromised tokens can be revoked instantly from the admin dashboard. Tokens have configurable monthly call limits.

4. Application Security

Vulnerability Class	Control
SQL Injection	Parameterised queries exclusively (pg driver); no string concatenation in SQL
Cross-Site Scripting (XSS)	Content-Security-Policy header; no innerHTML with user content; output encoding
Cross-Site Request Forgery	JWT Bearer tokens (not cookies) for API auth; SameSite cookie attribute where cookies are used
Clickjacking	X-Frame-Options: SAMEORIGIN; frame-ancestors CSP directive
MIME sniffing	X-Content-Type-Options: nosniff on all responses
Missing auth on write endpoints	requireAuth() called at the top of every state-mutating function
Insecure dependencies	npm audit runs on every CI push; 0 vulnerabilities as of last audit
Information disclosure	Error messages do not leak stack traces or internal paths in production

5. Monitoring and Incident Response

5.1 Monitoring

Sentry — real-time error capture with alerting; all uncaught exceptions reported within seconds
Uptime monitoring — external HTTP checks with alerting for downtime events
Audit log — all auth events, org changes, admin actions, and AI calls logged with actor, timestamp, and IP
AI kill switch — POST /admin-kill-switch can disable all AI features globally within seconds

5.2 Incident Response

Event	Response Time	Action
Security vulnerability report	24 hours	Triage, reproduce, severity assessment, patch schedule
Confirmed critical vulnerability	72 hours	Emergency patch, affected customer notification
Suspected data breach	72 hours	Containment, forensic analysis, regulatory notification (GDPR Art. 33), customer notification
Service outage	15 minutes	Status page update, investigation, root cause analysis within 48 hours

6. Organisational Security

Principle of least privilege for internal system access — production DB access restricted to on-call engineers
All personnel with access to production systems have signed confidentiality agreements
Dependencies reviewed and updated monthly; critical security patches applied within 72 hours
Automated CI pipeline runs on every push; deployments blocked if tests fail

7. Responsible Disclosure

We welcome security researchers. If you discover a vulnerability:

Email security@kaixu.app with details
Do not publicly disclose until we have had reasonable time to respond and patch (typically 90 days)
Do not access, modify, or delete data belonging to other users
We acknowledge all valid reports and aim to provide fixes within 30 days for critical issues

We do not operate a bug bounty programme at this time, but we will acknowledge your contribution publicly if you wish.

8. Compliance Roadmap

Framework	Status	Notes
GDPR / UK GDPR	✓ Compliant	DPA available, SCCs in place for transfers, 72-hr breach notification
CCPA	✓ Compliant	Data deletion on request, no sale of personal data
SOC 2 Type II	Planned	Roadmap: formal audit within 12 months of GA launch
ISO 27001	Planned	Required for regulated-industry enterprise contracts
OWASP Top 10	✓ Addressed	All OWASP Top 10 categories reviewed and mitigated

9. Contact

Security reports: security@kaixu.app (PGP key available on request)
Data protection: privacy@kaixu.app