Kaiko's security program describes the procedures that help protect the confidentiality, integrity and availability of data as it moves through the Kaiko stack.
User account assignment. We assign individual user accounts to personnel who access Kaiko services.
User-level privileges. An authorized user is considered to be acting on behalf of the customer and we reserve the right to monitor and log all actions performed.
Secure software development. We provide training to Kaiko developers to help identify and prevent common software vulnerabilities, including the OWASP Top 10. Developer code undergoes peer review prior to deployment. Internal security engineers and third-party security validators periodically analyze code for software components with higher potential security risk.
Application security review. A third party assesses the security of Kaiko's APIs annually. We address findings from this assessment according to the risk they pose to the security of the Kaiko service.
Network security reviews. We perform vulnerability scans and third-party penetration tests on the Kaiko services. We review and address findings from these activities to help maintain the security of our network.
Vulnerability and patch management. To maintain awareness of potential security vulnerabilities, Kaiko monitors public and private distribution lists. We validate and implement security patches for critical vulnerabilities. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.
Bounty program. Vulnerabilities discovered by third parties are acknowledged, and as long as the responsible disclosure principle is followed, Kaiko reserves the right to select a sum to reward the third party for the reported vulnerability.
Secure data transmission. Connections that transport data outside our infrastructure are encrypted.
Encryption key management. We maintain technology and procedures to secure private keys throughout their lifecycle.
Key storage and access security. We store private keys in encrypted repositories, and we restrict key storage access to personnel who support our key management processes.
Service monitoring. We monitor multiple internal and external reporting channels to detect service-related issues.
Communication and reporting. We update impacted customers using various communication methods depending on an incident's scope and severity.
Incident response plan. We maintain a formal incident response plan with established roles and responsibilities, communication protocols, and response procedures. We review and update this plan periodically to adapt it to evolving threats and risks to our platform.
Incident response team. Members of the Technology department help address security-related incidents we discover. These personnel coordinate the investigation and resolution of incidents, as well as communication with external contacts as needed.
Breach notification. Kaiko will notify affected customers within 48 hours of validating an unauthorized disclosure of customer confidential information.
Log analysis. We aggregate and securely store Kaiko internal system activity. Monitoring these logs helps us discover and investigate potential security issues.
Change and configuration monitoring. We use monitoring and alert mechanisms to enhance the visibility of technology changes and help ensure adherence to our change management process.
Intrusion detection. We maintain mechanisms to detect potential intrusions at the network and host level. Our Operations department inspects and responds to events these detection measures discover.
Data configurations. We may directly access or modify customer-related data to provide our services, to prevent or address service or technical issues, as required by law, or as customers expressly permit. For the same reasons, we may also access or modify equipment, systems, or services that manage customer data.
User IP addresses. Kaiko independently collects the IP addresses of users who access our services. We may retain IP addresses from event logs or configurations indefinitely.
IP addresses and security monitoring. Kaiko may retain indefinitely any non-anonymized, non-aggregated user IP addresses associated with suspicious activity that may pose a risk to the Kaiko network or our customers, or that are associated with administrative connections.
Request data. We retain and use data about the operation and reliability of our processing of requests to monitor, maintain, and improve our services, our business operations, and our security and compliance programs. Subject to confidentiality obligations to our customers, we only disclose this data in anonymized and aggregated form.
The use of third-party cloud infrastructure to host Kaiko products that deliver data or process requests requires us to address certain aspects of our security and technology compliance programs differently from when Kaiko directly manages the infrastructure.
Data center and physical security. For cloud infrastructure we use, Kaiko relies on data center space under the control of the cloud infrastructure providers. These providers may have physical access to assets that contain data from Kaiko services. As part of our third-party security review process, we confirm that these providers maintain appropriate physical security measures to protect their data center facilities.
Business continuity and operational resilience. We deploy cloud-hosted products in multiple infrastructure regions or zones to help maintain those services when operational issues occur. If failure of a service occurs within a single availability zone, Kaiko will automatically attempt to use cloud nodes in another zone.
Encryption. Kaiko uses in-transit and at-rest encryption to help secure data sent to and received from cloud infrastructure providers, and to secure data that resides on cloud infrastructure. Because we use at-rest encryption features offered by infrastructure providers, those providers may also hold the private encryption keys. As part of our third-party security review process, we confirm that these providers maintain secure encryption key management processes.
Cloud infrastructure. We defer to the security programs of our provider AWS.