Last Updated: April 1, 2026
Security Practices
At Kamili Labs, we take the security of your data seriously. This page describes the security measures we implement to protect your information in Kamili Help Desk.
1. Encryption
In Transit
All data transmitted between your browser and Kamili Help Desk is encrypted using TLS 1.3. This applies to all API calls, WebSocket connections, widget communications, and email transmissions.
At Rest
Database backups are encrypted using AES-256. Sensitive fields (API keys, webhook secrets, customer PII) are encrypted at the application level before storage.
2. Authentication Security
- Password Hashing: Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
- JWT Tokens: Authentication tokens are RS256-signed JWTs issued by Kamili Account Central. Tokens have short expiry times with automatic refresh.
- Two-Factor Authentication: Available for all users, with TOTP-based 2FA via authenticator apps.
- SSO/SAML: Enterprise customers can enforce Single Sign-On via SAML 2.0.
- API Keys: Scoped, rotatable API keys with instant revocation capabilities.
3. Infrastructure Security
- Hosting: Frontend hosted on Vercel with global CDN. Backend on Railway/Fly.io with multi-region support.
- Database: PostgreSQL on Supabase with automated backups, point-in-time recovery, and row-level security.
- Network: All services communicate over private networks with firewall rules restricting inbound access.
- Access Control: Production infrastructure access is restricted to authorized personnel with multi-factor authentication.
- Monitoring: Real-time monitoring via Sentry (errors) and Datadog (performance, uptime).
4. Data Isolation
Kamili Help Desk is a multi-tenant platform with strict data isolation:
- Row-level security ensures each organization can only access its own data.
- All database queries are automatically scoped to the organization context.
- Enterprise customers can request regional data residency (US, EU, Asia-Pacific).
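The organization-scoped row-level security described above, shown as an added example rather than Kamili's own schema or policies; the table, column and role names, and the `app.current_org_id` session setting used to carry the organization context, are assumptions.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security.
-- Schema, role and setting names are assumptions, not Kamili's.
CREATE TABLE tickets (
    id         bigserial PRIMARY KEY,
    org_id     uuid NOT NULL,
    subject    text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- All application queries run as this role. It does not own the table,
-- so policies apply to it; FORCE below covers the owner as well.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON tickets TO app_user;

ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE tickets FORCE ROW LEVEL SECURITY;

-- The organization context is read from a per-transaction setting.
-- current_setting(name, true) returns NULL instead of raising when the
-- setting is absent, so a request that forgot to set the context sees
-- zero rows (NULL comparison is not true) rather than every tenant's rows.
-- WITH CHECK blocks writes that would land in another organization.
CREATE POLICY tenant_isolation ON tickets
    FOR ALL TO app_user
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Per request: set the context inside the transaction. SET LOCAL is
-- discarded at COMMIT/ROLLBACK, so a pooled connection cannot leak the
-- previous request's organization into the next one.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tickets (org_id, subject)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Login page slow');
SELECT id, subject FROM tickets;   -- only this organization's tickets
-- This insert fails the WITH CHECK clause and is rejected:
-- INSERT INTO tickets (org_id, subject)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
COMMIT;
```

Because the policy is enforced by the database, the scoping holds even for a query path in the application that omits its own `WHERE org_id = ...` filter.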
5. Incident Response
Kamili Labs maintains an incident response plan with the following process:
- Detection: Automated alerts for unusual activity, failed authentications, and system anomalies.
- Assessment: Security team evaluates severity (SEV-0 through SEV-3).
- Containment: Immediate steps to contain the incident and prevent further impact.
- Notification: Affected customers are notified within 72 hours of a confirmed breach, in compliance with GDPR.
- Remediation: Root cause analysis and implementation of preventive measures.
6. SOC 2 Type II Readiness
Kamili Help Desk is designed with SOC 2 Type II compliance in mind. Our controls cover:
- Security: Access controls, encryption, vulnerability management
- Availability: Uptime monitoring, redundancy, disaster recovery
- Processing Integrity: Data validation, error handling, audit trails
- Confidentiality: Data classification, access restrictions, secure disposal
- Privacy: Consent management, data minimization, rights fulfillment
7. Responsible Disclosure
We welcome responsible disclosure from security researchers. If you discover a security vulnerability, please report it to security@kamililabsllc.com. We commit to:
- Acknowledging your report within 48 hours
- Providing regular updates on the remediation status
- Not pursuing legal action against researchers who follow responsible disclosure guidelines