Security Overview
Security is foundational to how KairosAI Technologies Private Limited, a company incorporated under the Companies Act, 2013 with its registered office at Flat No. E-506, Pristine Allure, S.No. 20/2A, Vadgaon Sheri, Pune City, Pune – 411014, Maharashtra, India (“KairosAI”, “we”, “us”, “our”), builds and operates the KairosAI multimodal, AI-powered customer-service agent platform (the “Service”), which handles conversations across voice (including PSTN telephony), WhatsApp, email, and web chat for businesses. This overview describes the safeguards we have in place. We have written it to be candid: it states what we do, and it does not claim certifications or controls we do not currently hold.
Our security programme is designed to meet the “reasonable security safeguards” expected under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”), read with the Information Technology Act, 2000 and the rules made thereunder. How we handle personal data more generally is described in our Privacy Policy, and the controls that apply when we process data on behalf of a customer are set out in our Data Processing Addendum.
1. Data residency & hosting
The Service is hosted on Amazon Web Services (AWS) in the Mumbai region (ap-south-1). Customer account data, billing records, and conversation data processed by the Service reside in India. We rely on AWS’s physical and environmental security for the underlying data-centre infrastructure (including facility access controls, power, and redundancy) and operate our application and data layers on top of that infrastructure. Certain sub-processors — for example, some large-language-model providers — may process data outside India; where that occurs we apply appropriate contractual safeguards and act in accordance with the DPDP Act, as described in our Privacy Policy.
2. Encryption
We encrypt customer data both in transit and at rest.
- In transit — all traffic between your browser or systems and the Service is protected with TLS. Internal service-to-service traffic within our environment is likewise carried over encrypted channels.
- At rest — databases, object storage, and backups are encrypted at rest. Application secrets and sensitive configuration values are additionally protected with AES-GCM authenticated encryption.
3. Multi-tenant isolation
KairosAI is a multi-tenant platform. We enforce isolation between tenants at the database layer using PostgreSQL row-level security (RLS), so that queries are constrained to a single tenant’s rows and one customer’s data cannot be read or written by another. This control is applied centrally rather than relying on individual application queries to filter correctly, which reduces the risk of cross-tenant data exposure.
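The following PostgreSQL script is an added illustration of the row-level-security pattern this section describes; it is not KairosAI's own schema or policy. The table, column, role and session-setting names (conversations, tenant_id, app_service, app.current_tenant) and the two tenant UUIDs are constructed, and the script assumes it is run by a superuser or the table's owning role.

```sql
-- Constructed schema (not KairosAI's): one table holds every tenant's rows.
CREATE TABLE conversations (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    channel    text NOT NULL,   -- e.g. 'voice', 'whatsapp', 'email', 'webchat'
    transcript text
);

-- The application connects as a non-owner role holding only the DML it needs.
CREATE ROLE app_service NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_service;
GRANT USAGE ON SEQUENCE conversations_id_seq TO app_service;
GRANT app_service TO CURRENT_USER;  -- lets this script SET ROLE below

-- Enable RLS; FORCE makes the table owner subject to it as well.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- One central policy instead of a WHERE clause in every query:
-- USING filters the rows a statement may read or modify, WITH CHECK rejects
-- writes that would belong to another tenant. The tenant comes from a
-- per-session setting; when it is unset, current_setting() returns NULL,
-- the comparison is not true, and the session sees no rows at all.
CREATE POLICY tenant_isolation ON conversations
    FOR ALL TO app_service
    USING (tenant_id = current_setting('app.current_tenant', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.current_tenant', true)::uuid);

-- Exercise it as the application role with two constructed tenants.
SET ROLE app_service;
SET app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO conversations (tenant_id, channel, transcript)
VALUES ('11111111-1111-1111-1111-111111111111', 'whatsapp', 'tenant A message');
SET app.current_tenant = '22222222-2222-2222-2222-222222222222';
INSERT INTO conversations (tenant_id, channel, transcript)
VALUES ('22222222-2222-2222-2222-222222222222', 'voice', 'tenant B call');

-- Scoped to tenant A: the unfiltered query below is constrained by the policy
-- to A's row, and the INSERT of a tenant B row is refused by WITH CHECK even
-- though the role holds INSERT privilege on the table.
SET app.current_tenant = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM conversations;
INSERT INTO conversations (tenant_id, channel, transcript)
VALUES ('22222222-2222-2222-2222-222222222222', 'email', 'cross-tenant write');
RESET ROLE;
```

The policy only protects sessions that run as a role without BYPASSRLS, so the application's database user should be an ordinary role, never a superuser.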
4. Access control & least privilege
We follow the principle of least privilege. Access to production systems and customer data is restricted to the personnel who need it to operate and support the Service, and is granted at the minimum level required. Application and infrastructure secrets — such as database credentials, API keys, and signing keys — are stored in AWS Systems Manager (SSM) Parameter Store and protected with AES-GCM encryption, rather than being hard-coded or distributed in source code. Administrative access to our cloud environment is controlled through scoped identity and access-management roles.
5. Network & perimeter controls
The Service runs within a controlled cloud network with defence-in-depth at the perimeter:
- Security groups — network access to our compute and data resources is restricted by AWS security groups that allow only required ports and sources, with public exposure minimised.
- Web Application Firewall (WAF) — a WAF is applied at our content delivery network (CDN) edge to filter common web-application attacks and abusive traffic before it reaches the application.
- Transport security — the public edge terminates TLS and serves the Service over HTTPS.
6. Logging, monitoring & backups
We maintain audit and security logging across the platform to record relevant access and administrative events, which supports investigation and accountability. We take regular backups of critical data to enable recovery in the event of data loss or corruption, and we monitor for operational and security events so that we can respond in a timely way. Security and diagnostic logs are retained for a limited period appropriate to detect, investigate, and respond to incidents, as described in our Privacy Policy.
7. Payments & card data
Billing on KairosAI uses a prepaid wallet in Indian Rupees: you top up your wallet in advance, and metered usage (such as voice minutes and messages) is debited against the balance. Wallet top-ups and payments are processed by Razorpay, a PCI-DSS compliant payment processor. Card and other sensitive payment credentials are handled by Razorpay within its compliant environment and never touch KairosAI servers — we receive only the payment references and status needed to reconcile your wallet. Fees are exclusive of applicable taxes; KairosAI is not currently registered for Goods and Services Tax, and if and when KairosAI becomes GST-registered, GST will be charged and tax invoices issued.
8. Alignment with the DPDP Act, 2023
The safeguards described here are intended to satisfy the obligation under the DPDP Act to protect personal data with reasonable security safeguards. Where KairosAI processes personal data on behalf of a business customer, the customer is the Data Fiduciary and KairosAI acts as a Data Processor on the customer’s documented instructions under our Data Processing Addendum. In the event of a personal data breach, we will act in accordance with the DPDP Act, including notifying affected parties and the Data Protection Board of India as required, and assisting our customers with their corresponding obligations.
9. Our security posture & what we do not claim
We believe in being precise about our maturity. KairosAI is an early-stage company and we are continuously strengthening our controls. As of the date above, we do not hold SOC 2, ISO/IEC 27001, or PCI-DSS certification in our own name, and we do not represent ourselves as certified under those frameworks. Card-data compliance is achieved by routing all card processing to Razorpay, our PCI-DSS compliant payment processor, so that regulated cardholder data never reaches our systems. We are committed to maturing our programme over time and will update this page as our posture evolves.
10. Customer responsibilities
Security is a shared responsibility. We ask customers to help protect their accounts by using strong, unique credentials, restricting and reviewing access within their own organisation, configuring data-retention settings appropriately for their use case, and complying with applicable requirements when sending commercial communications — including TRAI and DLT registration obligations for messaging — as set out in our Terms & Conditions.
11. Responsible disclosure
We welcome reports from security researchers and users who identify potential vulnerabilities in the Service. If you believe you have found a security issue, please report it to us at hello@trykairos.in with enough detail to reproduce and assess the issue. We ask that you:
- give us a reasonable opportunity to investigate and remediate before any public disclosure;
- avoid privacy violations, data destruction, service degradation, and any access to or modification of data that does not belong to you; and
- act in good faith and within applicable law, including the Information Technology Act, 2000.
We will acknowledge legitimate reports, work to remediate confirmed issues promptly, and keep you informed of our progress. We do not currently operate a paid bug-bounty programme, but we are grateful for responsible disclosures and will credit researchers where appropriate and agreed.
12. Governing law & jurisdiction
This Security Overview is governed by the laws of India. Subject to any arbitration agreed in our Terms & Conditions (seated at Pune, Maharashtra, conducted in English, under the Arbitration and Conciliation Act, 1996), the courts at Pune, Maharashtra shall have exclusive jurisdiction over any dispute arising out of or in connection with this page.
13. Changes to this overview
We may update this Security Overview from time to time as our practices and infrastructure evolve. The “Last updated” date above will change accordingly, and material changes may be notified through the dashboard or by email.
14. Contact
For security questions, vulnerability reports, or any data-protection grievance, contact Vishal Khandelwal, Founder at hello@trykairos.in, or write to KairosAI Technologies Private Limited, Flat No. E-506, Pristine Allure, S.No. 20/2A, Vadgaon Sheri, Pune City, Pune – 411014, Maharashtra, India.