← Back to home

Security & Trust

We built the controls we'd want as customers ourselves. This page is updated as we ship; everything listed below is live in production today unless explicitly marked as roadmap.

Shipped today

Encryption at rest + in transit

All traffic is served over HTTPS (TLS 1.2+). OAuth tokens and other sensitive fields are encrypted at rest with Fernet (symmetric AES-128-CBC + HMAC-SHA256). The encryption key is rotated per deployment.

9-role brand-scoped RBAC

Every write is gated by a permission check against a 9-role hierarchy (root → super_admin → agency_admin → org_admin → brand_admin → brand_member → agency_member → creator → viewer). Brand-scoped writes require explicit grant; the engine refuses cross-tenant operations even when the caller has the role.

Append-only audit log

Every governance and tenant-modifying action is recorded to an append-only audit log with 11 governance columns (actor, role at time of action, tenant scope, before/after JSON, IP, user agent, request ID, etc.). A Postgres trigger rejects UPDATE/DELETE on the table; the application database role has REVOKE UPDATE/DELETE/TRUNCATE.

Sole-owner protection

Governance actions that could orphan a tenant (delete owner, demote sole admin, revoke last grant) are blocked at the API layer with an explicit error code so the operator can choose a successor first.

No-train AI policy

Customer content is never used to train AI models. Our LLM sub-processors (Anthropic, OpenAI, Google Gemini) each contractually exclude API traffic from training corpora. BYO-key customers swap the sub-processor for their own; we do not see traffic that flows through a BYO key.

Sudo-elevated governance

Transfer, lock, archive, and other high-blast-radius governance operations require a fresh password re-authentication (sudo mode) on top of the standard permission check. Sudo tokens expire in 15 minutes.

Tenant isolation

Every query that touches tenant-scoped tables is filtered by a centralized tenant_filter primitive at the service layer. There is no raw SQL that bypasses it. Job-status lookups, memory-vault reads, and credit-account reads are all enforced.

HIBP password screening

Every new password is checked against the Have I Been Pwned breached-password corpus using the k-anonymity API. We never send the password itself — only a SHA-1 hash prefix. Breached passwords are rejected.

On the roadmap

We'll update this with status changes; customers in the Enterprise tier receive monthly Trust Center updates including evidence packs.

ItemTargetStatus
SOC 2 Type IQ3 2026Vanta program kicking off — assessment scoped, evidence collection in progress.
SOC 2 Type IIQ4 2026 → 2027 Q1Follows Type I observation period. Customers under DPA receive interim attestations.
SSO / SAMLQ3 2026OIDC + SAML 2.0 for Okta, Azure AD, Google Workspace. Available on the Enterprise tier.
MFA (TOTP)Q3 2026Required for owner-tier roles; opt-in for everyone else.
GDPR Data Processing AgreementAvailable todayCustomer-signable DPA — request via the contact below.

Reporting a security issue

Found something? We want to know. Email contact@kclub.me with the subject line “Security report” and a short description plus reproduction steps. We acknowledge within one business day and update you weekly until resolution. Responsible-disclosure researchers are credited in our public changelog (with permission).

For requests under the GDPR, CCPA, or any data-protection statute (export, deletion, do-not-sell), see Settings → Account & Security in-product, or email the same address.