Security & Trust
We built the controls we'd want as customers ourselves. This page is updated as we ship; everything listed below is live in production today unless explicitly marked as roadmap.
Shipped today
Encryption at rest + in transit
All traffic is served over HTTPS (TLS 1.2+). OAuth tokens and other sensitive fields are encrypted at rest with Fernet (symmetric AES-128-CBC + HMAC-SHA256). The encryption key is rotated per deployment.
9-role brand-scoped RBAC
Every write is gated by a permission check against a 9-role hierarchy (root → super_admin → agency_admin → org_admin → brand_admin → brand_member → agency_member → creator → viewer). Brand-scoped writes require explicit grant; the engine refuses cross-tenant operations even when the caller has the role.
Append-only audit log
Every governance and tenant-modifying action is recorded to an append-only audit log with 11 governance columns (actor, role at time of action, tenant scope, before/after JSON, IP, user agent, request ID, etc.). A Postgres trigger rejects UPDATE/DELETE on the table; the application database role has REVOKE UPDATE/DELETE/TRUNCATE.
Sole-owner protection
Governance actions that could orphan a tenant (delete owner, demote sole admin, revoke last grant) are blocked at the API layer with an explicit error code so the operator can choose a successor first.
No-train AI policy
Customer content is never used to train AI models. Our LLM sub-processors (Anthropic, OpenAI, Google Gemini) each contractually exclude API traffic from training corpora. BYO-key customers swap the sub-processor for their own; we do not see traffic that flows through a BYO key.
Sudo-elevated governance
Transfer, lock, archive, and other high-blast-radius governance operations require a fresh password re-authentication (sudo mode) on top of the standard permission check. Sudo tokens expire in 15 minutes.
Tenant isolation
Every query that touches tenant-scoped tables is filtered by a centralized tenant_filter primitive at the service layer. There is no raw SQL that bypasses it. Job-status lookups, memory-vault reads, and credit-account reads are all enforced.
HIBP password screening
Every new password is checked against the Have I Been Pwned breached-password corpus using the k-anonymity API. We never send the password itself — only a SHA-1 hash prefix. Breached passwords are rejected.
On the roadmap
We'll update this with status changes; customers in the Enterprise tier receive monthly Trust Center updates including evidence packs.
| Item | Target | Status |
|---|---|---|
| SOC 2 Type I | Q3 2026 | Vanta program kicking off — assessment scoped, evidence collection in progress. |
| SOC 2 Type II | Q4 2026 → 2027 Q1 | Follows Type I observation period. Customers under DPA receive interim attestations. |
| SSO / SAML | Q3 2026 | OIDC + SAML 2.0 for Okta, Azure AD, Google Workspace. Available on the Enterprise tier. |
| MFA (TOTP) | Q3 2026 | Required for owner-tier roles; opt-in for everyone else. |
| GDPR Data Processing Agreement | Available today | Customer-signable DPA — request via the contact below. |
Reporting a security issue
Found something? We want to know. Email contact@kclub.me with the subject line “Security report” and a short description plus reproduction steps. We acknowledge within one business day and update you weekly until resolution. Responsible-disclosure researchers are credited in our public changelog (with permission).
For requests under the GDPR, CCPA, or any data-protection statute (export, deletion, do-not-sell), see Settings → Account & Security in-product, or email the same address.