Security Policy

2.1 Hosting

• Application hosting: The Platform is hosted on Vercel, a SOC 2 Type II compliant hosting provider with global edge network distribution
• Database hosting: PostgreSQL databases are hosted on Supabase with managed infrastructure, automated backups, and connection pooling
• DNS management: DNS is managed through DNSimple with DNSSEC support

2.2 Network Security

• All data in transit is encrypted using TLS 1.2 or higher (HTTPS everywhere)
• API endpoints enforce HTTPS; HTTP requests are automatically redirected
• CORS policies are configured per project, restricting which domains can embed and interact with chat widgets
• Rate limiting is enforced on API endpoints to prevent abuse and denial-of-service attacks

2.3 Isolation

• Customer data is isolated at the organization level; multi-tenant architecture enforces strict boundaries between organizations
• Each Customer's Agents, Manifests, and configurations are scoped to their Organization
• Database queries are parameterized to prevent SQL injection

3.1 Encryption at Rest

• Customer-provided LLM API keys are encrypted using AES-256-GCM before storage
• Encryption keys are managed via environment variables and are not stored in source code or version control
• Database-level encryption is provided by Supabase's managed PostgreSQL infrastructure

3.2 Encryption in Transit

• All client-to-server communication uses TLS 1.2+
• All server-to-database communication uses SSL/TLS
• All communication with third-party services (Stripe, Supabase, LLM providers) uses HTTPS

4.1 Authentication

• User authentication is managed through Supabase Auth with JWT-based sessions
• Passwords are hashed using bcrypt (via Supabase)
• Session tokens are short-lived and refreshed automatically
• Authentication cookies use secure, HTTP-only, and SameSite attributes

4.2 Authorization

• Role-based access control: Users are assigned roles within their Organization
• Organization-scoped access: All data access is scoped to the authenticated user's Organization
• API authentication: External API requests to the chat endpoint support JWT verification via configurable JWKS endpoints
• Widget authentication: Embedded widgets can be configured for public or authenticated access per project

5.1 Customer Access

• Customers manage their own users and roles through the admin dashboard
• Admin seat limits are enforced per subscription tier (Starter: 1, Professional: 5, Enterprise: unlimited)
• All administrative actions are performed through authenticated sessions

5.2 Internal Access

• Kind Robots team access to production infrastructure follows the principle of least privilege
• Access to production databases, hosting platforms, and third-party service dashboards is restricted to authorized personnel

5.3 Third-Party Access

• Third-party service providers access only the data necessary for their function (see Privacy Policy Section 6)
• Subprocessor agreements are in place with all third-party providers

6.1 Rate Limiting

• API endpoints enforce per-project rate limits to prevent abuse
• Rate limits are calibrated by subscription tier
• Excessive requests receive HTTP 429 responses with retry-after headers

6.2 Input Validation

• All user inputs are validated and sanitized before processing
• API request payloads are validated against expected schemas
• URL inputs (e.g., OpenAPI import) are validated against allowlists, blocking private IP ranges, localhost, and cloud metadata endpoints (SSRF protection)

6.3 CORS

• CORS policies are configurable per project
• Customers specify allowed origins for their embedded widgets
• Wildcard subdomain matching is supported (e.g., *.example.com)
• Preflight requests are properly handled

6.4 Log Sanitization

• API keys, tokens, passwords, and other sensitive data are automatically redacted from all error messages, stack traces, and logs
• Error responses to clients contain generic messages; detailed error information is retained server-side only

7.1 Dependency Management

• Dependencies are regularly reviewed and updated
• Security advisories for dependencies are monitored

7.2 Code Review

• All code changes go through review before deployment
• Security-sensitive changes receive additional scrutiny

7.3 Patching

• Critical security vulnerabilities are patched as soon as possible after identification
• Non-critical security updates are applied during regular maintenance cycles

8.1 Detection

• Platform monitoring and alerting systems detect anomalous behavior
• Logging infrastructure captures security-relevant events

8.2 Containment

Upon detection of a security incident:

1. Affected systems or accounts are isolated immediately
2. Access tokens and credentials are rotated as needed
3. The scope and impact of the incident are assessed

8.3 Notification

• Affected Customers are notified within 72 hours of confirming a data breach, in accordance with GDPR requirements
• Notifications include the nature of the breach, data affected, measures taken, and recommended actions
• Relevant data protection authorities are notified as required by law

8.4 Remediation

• Root cause analysis is conducted for all security incidents
• Corrective measures are implemented to prevent recurrence
• Post-incident reports are prepared and shared with affected parties as appropriate

9.1 How to Report

• Email: security@kindrobots.ai
• Include a detailed description of the vulnerability
• Provide steps to reproduce the issue
• Include any proof-of-concept code (if applicable)

9.2 Guidelines

• Do not access, modify, or delete data belonging to other users
• Do not disrupt Platform availability
• Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
• Make a good faith effort to avoid privacy violations

9.3 Our Commitment

• We will acknowledge receipt of your report within 2 business days
• We will provide an initial assessment within 5 business days
• We will not take legal action against researchers who follow these guidelines
• We will credit researchers (with permission) for reported vulnerabilities

10.1 Current Measures

• Organization-level data isolation
• Encryption at rest and in transit
• Access controls and authentication
• Audit logging [in progress]
• Incident response procedures

10.2 Frameworks Under Consideration

• SOC 2 Type II
• GDPR compliance (see Privacy Policy and Data Processing Agreement)
• CCPA compliance (see Privacy Policy)