Security & Compliance
Learn how Kayse AI keeps your data safe and helps you follow the rules. 🔒
🌟 Overview
Kayse AI is built with security baked in from the start. We use industry-standard practices to protect your data and help you stay in line with regulations.
🔐 Data Security
Encryption
| Layer | Protection |
|---|---|
| In Transit | All data is encrypted with TLS 1.2 or newer while it travels |
| At Rest | Stored data is encrypted with AES-256 |
| Backups | Backups are encrypted with secure key management |
| API | All API calls must use HTTPS |
🏗️ Infrastructure Security
| Measure | Description |
|---|---|
| Cloud Hosting | Runs on top-tier cloud servers |
| Network Isolation | Private networks keep customer data separate |
| Firewalls | A web application firewall filters malicious requests |
| DDoS Protection | Mitigation for volumetric (overload) attacks |
| Redundancy | Multiple data centers for reliability |
🏢 Data Centers
- SOC 2 Type II certified buildings
- 24/7 security guards
- Fingerprint access controls
- Climate monitoring and controls
🚪 Access Control
Authentication
| Feature | Description |
|---|---|
| Password Requirements | Minimum length and complexity rules |
| Two-Factor Authentication | Optional 2FA for all users |
| Session Management | Sessions expire after inactivity |
| Single Sign-On | SSO is available if you need it |
Authorization
| Feature | Description |
|---|---|
| Role-Based Access | Each role gets specific permissions |
| Least Privilege | People only get the access they need |
| Company Isolation | Data is completely separate between companies |
| API Key Scopes | API keys can be limited to specific tasks |
👥 User Roles
| Role | Access Level |
|---|---|
| Super Admin | Full access, including billing and security settings |
| Admin | Full feature access, but can't change security settings |
| User | Can only access assigned cases and basic features |
| Client | Portal access only — can see their own data |
📝 Audit Logging
What Gets Logged
Every important action is recorded:
| Category | Examples |
|---|---|
| Authentication | Logins, logouts, failed attempts, 2FA events |
| Data Access | Viewing records, searching, exporting |
| Data Changes | Creating, updating, deleting records |
| Settings | Changing settings, managing users |
| API Activity | API calls with times and results |
| Communications | Messages sent, calls made |
📅 Log Retention
| Plan | Retention Period |
|---|---|
| Standard | 90 days |
| Professional | 1 year |
| Enterprise | Up to 7 years (you choose) |
Accessing Logs
- Go to Settings → System Log
- Filter by date, person, or activity type
- Export for your records
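The audit log records failed logins, successful logins and exports, and the export is available in JSON. As an added example (not Kayse's code; the field names `time`, `category`, `action`, `user` and `ip` and the JSON-lines layout are assumptions about the export format), the script below reads a constructed export and flags the three things an administrator checking logs "for anything weird" most wants surfaced: bursts of failed logins, a successful login right after such a burst, and data exports outside working hours.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of a JSON-lines export from the System Log.
# The field names (time, category, action, user, ip) are assumptions for this
# example, not Kayse's documented export schema.
SAMPLE_EXPORT = """\
{"time": "2026-02-03T08:58:10Z", "category": "Authentication", "action": "login_failed", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T08:58:42Z", "category": "Authentication", "action": "login_failed", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T08:59:05Z", "category": "Authentication", "action": "login_failed", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T08:59:30Z", "category": "Authentication", "action": "login_failed", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T09:00:01Z", "category": "Authentication", "action": "login_failed", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T09:00:20Z", "category": "Authentication", "action": "login_success", "user": "alice@example.com", "ip": "203.0.113.7"}
{"time": "2026-02-03T09:15:00Z", "category": "Authentication", "action": "login_failed", "user": "bob@example.com", "ip": "198.51.100.2"}
{"time": "2026-02-03T09:16:00Z", "category": "Authentication", "action": "login_success", "user": "bob@example.com", "ip": "198.51.100.2"}
{"time": "2026-02-03T23:40:00Z", "category": "Data Access", "action": "export", "user": "bob@example.com", "ip": "198.51.100.2"}
"""


def parse_export(text):
    """Parse one JSON object per line into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any `window`.

    Returns a sorted list of (user, most failures seen in one window).
    """
    by_user = {}
    for ev in events:
        if ev["category"] == "Authentication" and ev["action"] == "login_failed":
            by_user.setdefault(ev["user"], []).append(ev["time"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window's left edge until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((user, peak))
    return sorted(bursts)


def successes_after_burst(events, bursts, window=timedelta(minutes=10)):
    """Users from `bursts` whose next successful login came within `window`
    of the last failure: review these first, since the guessing may have worked."""
    flagged = []
    for user, _ in bursts:
        last_failure = max(e["time"] for e in events
                           if e["user"] == user and e["action"] == "login_failed")
        for ev in events:
            if (ev["user"] == user and ev["action"] == "login_success"
                    and last_failure <= ev["time"] <= last_failure + window):
                flagged.append(user)
                break
    return flagged


def after_hours_exports(events, start_hour=8, end_hour=18):
    """Data exports outside the working window [start_hour, end_hour),
    in the export's timezone (UTC in the constructed sample)."""
    return [e for e in events
            if e["category"] == "Data Access" and e["action"] == "export"
            and not (start_hour <= e["time"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    bursts = failed_login_bursts(evs)
    for user, count in bursts:
        print(f"failed-login burst: {user} ({count} failures)")
    for user in successes_after_burst(evs, bursts):
        print(f"successful login right after a burst: {user}")
    for ev in after_hours_exports(evs):
        print(f"after-hours export: {ev['user']} at {ev['time']:%Y-%m-%d %H:%M}Z from {ev['ip']}")
```

The thresholds (five failures in ten minutes, an 08:00 to 18:00 working day) are starting points to tune against your own export, and the same sliding-window count works for any other repeated event the log records, such as exports per user per hour.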
🏥 HIPAA Compliance
For organizations that handle health info (PHI):
HIPAA Features
| Feature | Description |
|---|---|
| BAA Available | Business Associate Agreement for covered groups |
| PHI Encryption | Extra encryption for health information |
| Access Logging | Detailed records of who looked at health info |
| Minimum Necessary | Role-based access limits who sees what |
| Breach Notification | Steps to follow if there's a security issue |
Turning On HIPAA Mode
- Go to Settings → Company → Compliance
- Turn on HIPAA Compliance Mode
- Review and accept the extra terms
- Extra security controls turn on automatically
HIPAA Best Practices
- Turn on 2FA for everyone
- Use role-based access control
- Review audit logs regularly
- Train your team on HIPAA rules
- Keep health info out of custom fields and notes when possible
🔏 Data Privacy
Data Ownership
- Your data belongs to you
- We never sell your data to anyone
- We only use your data to run the service
Data Processing
| Aspect | Practice |
|---|---|
| Location | Data is processed in the United States |
| Subprocessors | Only a few trusted partners help us |
| Purpose | Data is only used to provide the service |
⏳ Data Retention
| Data Type | Retention |
|---|---|
| Account Data | Kept while your account is active, plus 30 days |
| Communications | You choose how long to keep them |
| Call Recordings | You choose (90 days by default) |
| Audit Logs | Based on your plan (90 days – 7 years) |
🗑️ Data Deletion
When you delete data:
- It's hidden right away (soft delete)
- Permanently erased within 30 days (hard delete)
- Removed from backups within 90 days
📤 Data Export
You can download your data anytime:
- Full data export available
- Standard formats (CSV, JSON)
- No vendor lock-in — your data goes where you go
📜 Compliance Certifications
Current Certifications
| Certification | Status |
|---|---|
| SOC 2 Type II | Certified ✅ |
| HIPAA | Compliant (with BAA) ✅ |
| GDPR | Compliant ✅ |
| CCPA | Compliant ✅ |
Compliance Reports
Request compliance documents:
- SOC 2 reports (under NDA)
- Security questionnaire answers
- Penetration test summaries
Contact security@kayse.ai for compliance questions.
🛡️ Application Security
Secure Development
| Practice | Description |
|---|---|
| Code Review | All code is reviewed before it goes live |
| Security Testing | Regular security checks |
| Dependency Scanning | Automatic scans for known problems |
| Penetration Testing | Yearly outside security tests |
Vulnerability Management
| Process | Description |
|---|---|
| Monitoring | Always watching for new issues |
| Patching | Critical fixes go out within 24–48 hours |
| Disclosure | Responsible disclosure program |
Security Headers
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
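These four response headers are easy to verify from the outside. As an added example (not Kayse's code; the two header sets are constructed, and the "good" values are common hardening choices rather than Kayse's actual configuration), the checker below takes a response's headers and reports which of the four are missing or weakly configured: a CSP without a `default-src` fallback or with `'unsafe-inline'`/`'unsafe-eval'`, an HSTS `max-age` under one year, an `X-Frame-Options` value other than `DENY` or `SAMEORIGIN`, and an `X-Content-Type-Options` other than `nosniff`.

```python
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age

# Constructed header sets for the offline run: one hardened, one weak.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}
WEAK_HEADERS = {
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
}


def check_security_headers(headers):
    """Return a list of findings; an empty list means all four headers look right.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("Content-Security-Policy has no default-src fallback")
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("Content-Security-Policy allows 'unsafe-inline' or 'unsafe-eval'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")

    return findings


def fetch_headers(url, timeout=10):
    """Fetch a URL's response headers for a live check of your own deployment
    (not used by the offline sample run below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        findings = check_security_headers(hdrs)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run `check_security_headers(fetch_headers("https://<your-kayse-url>"))` against a page in your own tenant to confirm the headers are present on the responses your users actually receive, including redirects and API error pages, which are the places they are most often forgotten.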
📡 Communication Security
🎙️ Call Recording Security
| Measure | Description |
|---|---|
| Encryption | Recordings are encrypted when stored |
| Access Control | Only people with the right role can listen |
| Retention | You set how long to keep them |
| Deletion | Securely deleted when time is up |
💬 Message Security
| Channel | Security |
|---|---|
| SMS | Sent through carrier-grade delivery |
| Email | Encrypted with TLS while sending |
| Chat | End-to-end encrypted |
🚨 Incident Response
Security Incident Process
- Detection — Automated tools spot the problem
- Assessment — We figure out how serious it is
- Containment — We stop it from getting worse
- Notification — We tell you within 72 hours
- Remediation — We find the root cause and fix it
- Review — We learn from it and improve
Reporting Security Issues
Found a security problem? Email: security@kayse.ai
We respond to security reports within 24 hours.
🔄 Business Continuity
Availability
| Metric | Target |
|---|---|
| Uptime | 99.9% available |
| RTO | Back up and running within 4 hours |
| RPO | No more than 1 hour of data lost |
🌐 Disaster Recovery
- Automatic switch to backup servers if something goes wrong
- Regular disaster recovery testing
- Clear step-by-step recovery plans
💾 Backups
| Type | Frequency |
|---|---|
| Database | Constantly copying data in real time |
| Full Backup | Once a day |
| Backup Testing | Tested every month to make sure they work |
✅ Security Best Practices
For Administrators
- Turn on 2FA for all users
- Use strong, unique passwords
- Review who has access every few months
- Check audit logs for anything weird
- Keep API keys secure
- Change API keys from time to time
- Set reasonable session timeouts
For Users
- Turn on two-factor authentication
- Don't share your login info
- Lock your screen when you walk away
- Report anything suspicious
- Use secure networks
- Keep your devices updated
For API Users
- Never put API keys directly in your code
- Use environment variables for keys
- Handle errors properly
- Watch your API usage for anything strange
- Use IP allowlisting when you can
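The first four points above fit into one small pattern. As an added example (not Kayse's client library; the environment variable name `KAYSE_API_KEY` and the `Authorization: Bearer` header are assumptions for this example), the code below loads the key from the environment and refuses to start without it, never keeps a hard-coded fallback, and makes sure the "handle errors properly" step does not undo the first two by echoing the key into logs or exception messages.

```python
import os

API_KEY_ENV = "KAYSE_API_KEY"  # assumed variable name for this example


def load_api_key(env=None, name=API_KEY_ENV):
    """Read the API key from the environment and fail closed if it is absent.
    There is deliberately no hard-coded default to fall back on."""
    env = os.environ if env is None else env
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without an API key")
    return key


def redact(key, keep=4):
    """Keep only the last few characters: enough to tell keys apart in a log,
    not enough to reuse."""
    if len(key) <= keep:
        return "****"
    return "****" + key[-keep:]


def scrub(text, key):
    """Replace the key wherever it appears in text that may be logged or shown
    to a user (exception messages, request dumps, debug output)."""
    return text.replace(key, redact(key)) if key else text


def auth_headers(key):
    """Bearer-token header (assumed scheme for this example)."""
    return {"Authorization": f"Bearer {key}"}


def call_api(send, key, payload):
    """Make one request through `send`, an injected HTTP function so the example
    runs offline, and re-raise any failure with the key scrubbed from the message.
    Client libraries often include the request headers in their error text."""
    try:
        return send(auth_headers(key), payload)
    except Exception as exc:
        raise RuntimeError(scrub(str(exc), key)) from None


if __name__ == "__main__":
    key = load_api_key()  # raises immediately if KAYSE_API_KEY is unset
    print("using key", redact(key))
```

Set the variable in the process environment (or your secrets manager's injection hook) rather than a file checked into the repository, and rotate the key from Settings → API whenever it may have been exposed.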
⚙️ Security Settings
Options You Can Change
| Setting | Location |
|---|---|
| 2FA Enforcement | Settings → Security |
| Session Timeout | Settings → Security |
| IP Allowlisting | Settings → API |
| Password Policy | Settings → Security |
| Audit Log Retention | Settings → Data Retention |
Security Team
Compliance Inquiries
📅 Updates
This security page is reviewed and updated every few months. Last updated: February 2026.