Trust

Trust is operational, not aspirational.

Kairos runs supply chain operations for real companies.

The platform handles freight, customer data, financial information, and the messages that move between them. We treat the security, privacy, and reliability of that work as a product surface — not a marketing surface — and the pages linked here describe how we run it.

Security architecture

Built in, not bolted on.

Tenant isolation

Every record in Kairos carries a tenantId. Reads, writes, and AI retrieval are scoped by tenant at the data layer. Cross-tenant access is structurally prevented, not policy-prevented.

Encryption in transit

All connections to Kairos use TLS 1.2 or higher. HSTS is enforced on app.elyonsci.ai and elyonsci.ai.

Encryption at rest

Customer data is stored in Google Cloud Firestore and AWS, both of which apply AES-256 encryption at rest by default. Application secrets are stored in managed secret stores; no credentials are committed to source.

Identity and access

Customer access uses Firebase Authentication with role-based access controls. Internal access is least-privilege, MFA-enforced, and reviewed on a documented cadence.

Soft delete

Records are never hard-deleted from production. A deletion marks the record as deleted and is logged with timestamp and actor; the record remains recoverable for the contracted retention window.

Audit logs

Material actions — record creation, modification, deletion, exports, configuration changes — are recorded in append-only audit trails scoped per tenant.
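The three properties above (tenant scoping enforced in the data layer rather than by policy, soft delete, and an append-only per-tenant audit trail) are easiest to see in code. The following is an added illustration written for this page, not Kairos's code: an in-memory map stands in for Firestore, and the names `DataLayer`, `TenantScope`, `StoredRecord` and the sample tenants are assumptions. The point it makes is structural: the only way to touch records is through a handle bound to an authenticated principal's tenant, record keys are namespaced by tenant so ids cannot collide or be probed across tenants, and nothing in the API can remove an audit entry.

```typescript
// Added example, not Kairos's own code. In-memory stand-in for a tenant-scoped
// data layer: every record carries tenantId, all access goes through a scope
// bound to the caller's tenant, deletes are soft, audit entries are append-only.

type Action = "create" | "update" | "delete" | "export";

interface StoredRecord {
  id: string;
  tenantId: string;                 // every record carries its tenant
  body: Record<string, unknown>;
  deletedAt?: string;               // set by softDelete, never hard-removed
  deletedBy?: string;
}

interface AuditEvent {
  tenantId: string;
  action: Action;
  recordId: string;
  actor: string;
  at: string;
}

interface Principal { tenantId: string; userId: string; }

// Backing store (hypothetical; stands in for Firestore). It exposes no unscoped
// query API: the only way in is scope(principal).
class DataLayer {
  private readonly records = new Map<string, StoredRecord>();
  private readonly audit: AuditEvent[] = [];
  scope(principal: Principal): TenantScope {
    return new TenantScope(this.records, this.audit, principal);
  }
}

class TenantScope {
  constructor(
    private readonly records: Map<string, StoredRecord>,
    private readonly audit: AuditEvent[],
    private readonly principal: Principal,
  ) {}

  // Keys are namespaced by tenant, so "shipment-1" in tenant A and tenant B are
  // distinct rows and neither tenant can learn whether the other has that id.
  private key(id: string): string { return `${this.principal.tenantId}/${id}`; }

  private log(action: Action, recordId: string): void {
    // Append-only: this class has no method that removes or rewrites entries.
    this.audit.push({ tenantId: this.principal.tenantId, action, recordId,
      actor: this.principal.userId, at: new Date().toISOString() });
  }

  create(id: string, body: Record<string, unknown>): StoredRecord {
    if (this.records.has(this.key(id))) throw new Error(`record ${id} already exists`);
    const rec: StoredRecord = { id, tenantId: this.principal.tenantId, body };
    this.records.set(this.key(id), rec);
    this.log("create", id);
    return rec;
  }

  // Defense in depth: even if a key were mis-built, a row whose tenantId does
  // not match the principal is treated as absent. Soft-deleted rows are hidden.
  get(id: string): StoredRecord | undefined {
    const rec = this.records.get(this.key(id));
    if (!rec || rec.tenantId !== this.principal.tenantId || rec.deletedAt) return undefined;
    return rec;
  }

  softDelete(id: string): boolean {
    const rec = this.get(id);
    if (!rec) return false;
    rec.deletedAt = new Date().toISOString();
    rec.deletedBy = this.principal.userId;
    this.log("delete", id);
    return true;
  }

  // Soft-deleted rows of this tenant only, i.e. what is recoverable in the window.
  deleted(): StoredRecord[] {
    return [...this.records.values()]
      .filter(r => r.tenantId === this.principal.tenantId && !!r.deletedAt);
  }

  // Retrieval used for AI grounding: same tenant filter, deleted rows excluded.
  retrieve(predicate: (body: Record<string, unknown>) => boolean): StoredRecord[] {
    return [...this.records.values()]
      .filter(r => r.tenantId === this.principal.tenantId && !r.deletedAt && predicate(r.body));
  }

  auditTrail(): readonly AuditEvent[] {
    return this.audit.filter(e => e.tenantId === this.principal.tenantId);
  }
}

// Walk-through with two constructed tenants; returns the observable results.
function demo() {
  const db = new DataLayer();
  const acme = db.scope({ tenantId: "acme", userId: "ops@acme.example" });
  const globex = db.scope({ tenantId: "globex", userId: "ops@globex.example" });

  acme.create("shipment-1", { lane: "LAX-ORD", weightKg: 1200 });
  globex.create("shipment-1", { lane: "JFK-SEA", weightKg: 300 }); // same id, own namespace

  const globexRead = globex.get("shipment-1")?.body.lane;          // never acme's row
  const acmeRetrieved = acme.retrieve(b => (b.weightKg as number) > 100).map(r => r.body.lane);
  acme.softDelete("shipment-1");

  return {
    globexRead,
    acmeRetrieved,
    acmeAfterDelete: acme.get("shipment-1"),
    acmeRecoverable: acme.deleted().map(r => r.id),
    acmeAudit: acme.auditTrail().map(e => e.action),
    globexAudit: globex.auditTrail().map(e => e.action),
  };
}
```

The tenant comes from the authenticated principal, never from a request parameter, which is what makes the isolation structural rather than a policy each query author has to remember. The same scope object is the one an AI retrieval path would use, so the model's context is limited by construction to the requesting tenant's live records.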

Compliance posture

We publish what is true, not what is convenient.

SOC 2

SOC 2 Type I is in active progress with [CONFIRM AUDITOR NAME], targeting [CONFIRM TYPE I COMPLETION DATE]. Type II observation window will begin upon Type I issuance. We do not currently claim a SOC 2 attestation; we will publish it here when issued.

GDPR

Kairos is designed to support customers subject to the EU and UK General Data Protection Regulations. Our Data Processing Addendum is available for execution and incorporates the European Commission Standard Contractual Clauses for international transfers.

CCPA / CPRA

Kairos supports California Consumer Privacy Act and Privacy Rights Act obligations applicable to service providers. We do not sell personal information.

HIPAA

Kairos is not currently a HIPAA-covered platform. Customers should not upload Protected Health Information without a signed BAA, which is not currently offered.

PCI DSS

Kairos does not process, store, or transmit cardholder data. Payment workflows are handled by certified third-party processors outside the Kairos data plane.
Operational practices

How we run the platform.

Change management

All production changes flow through pull requests with required code review, automated security scanning (GitHub Advanced Security: CodeQL, Secret Scanning, Push Protection, Dependabot), and protected-branch deployment gates.

Vulnerability management

Dependencies are continuously scanned. High and critical severity vulnerabilities are triaged within one business day. Patch SLAs are documented in our internal vulnerability management policy and surfaced to enterprise customers under NDA.

Incident response

We maintain a documented incident response plan with defined severity levels, on-call rotation, and customer notification thresholds. Material incidents affecting customer data are communicated to affected customers without undue delay and within the timelines required by applicable law and contract.

Business continuity

Customer data is replicated across multiple availability zones via Firestore and AWS. Recovery objectives are documented and tested. Customers under NDA may request our current RTO/RPO targets.

Vendor management

Sub-processors are reviewed before onboarding and tracked on a published list. See /sub-processors.

Personnel security

Background checks are performed on all personnel with production access. Security training is delivered at onboarding and refreshed annually. Access is revoked the same day employment ends.

AI governance

AI as a first-class system, not an unbounded capability.

Kairos is an AI-native platform, and AI is governed accordingly:

Tenant scoping in AI calls

AI retrieval is tenant-scoped at the data layer. Models do not see data outside the requesting tenant.

Grounded generation

AI drafts are produced from retrieved facts, not from model memory. Every AI-generated artifact records its data sources and a confidence score, and surfaces missing-data warnings when confidence falls below a threshold.

Model provider terms

Our primary model provider (Anthropic) and our fallback provider (OpenAI) do not train on customer API data under the terms we operate under. See /sub-processors for details.

Human-in-the-loop

Material AI-assisted actions surface to a human approver. We avoid autonomous-execution language: agents propose, operators approve.
Customer rights

Your data is yours.

Customer data belongs to the customer. We process it on the customer's behalf under the terms of the Master Services Agreement and Data Processing Addendum.

Export

Customers can export their tenant data in standard formats at any time during the subscription, and on termination for a contracted period.

Deletion

On contract termination, customer data is deleted from production within [CONFIRM RETENTION WINDOW — 30/60/90 DAYS] and from backups on the next backup-cycle expiry.
Contact

Security

Security questions and vulnerability reports — security@elyonsci.ai

Privacy & DSAR

Privacy and data subject requests — support@elyonsci.ai

Compliance docs

Compliance documentation requests (enterprise customers and prospects under NDA) — support@elyonsci.ai

Diligence under NDA.

Enterprise prospects: request the security questionnaire, current sub-processor list, and SOC 2 progress letter via support@. Material vulnerabilities go to security@ under our coordinated disclosure policy.
