Security Policy
Last updated: February 12, 2026
At KAIKI, security is at the core of everything we do. As a company building security tools for developers, we hold ourselves to the highest standards. This page outlines our security practices and how we protect your data.
Encryption in Transit
All data is encrypted using TLS 1.3 during transmission between your browser and our servers.
No Code Storage
Source code is processed in real time and never permanently stored on our infrastructure.
SOC2 Ready
Our infrastructure and practices are designed to meet SOC2 Type II compliance standards.
Secure Authentication
We use GitHub OAuth 2.0 with minimal permission scopes. We never see or store your password.
1. Data Handling
1.1 Source Code Processing
When you initiate a scan, KAIKI fetches your repository contents via the GitHub API, processes them through our AI analysis pipeline, and returns the results. Your source code is never stored on disk. Processing occurs in-memory, and all code data is purged after the scan completes.
1.2 Scan Results
Scan results (detected secret types, file names, line numbers, severity levels, and remediation suggestions) are stored securely and associated with your account for dashboard access. Results do not contain the actual secret values themselves — only their locations and types.
1.3 Authentication Tokens
GitHub OAuth tokens are stored encrypted and are only used to access repositories on your behalf. Tokens are revoked immediately upon account deletion.
2. Infrastructure Security
- Application hosted on Vercel with enterprise-grade security, DDoS protection, and automatic SSL
- AI inference via KAIKI Alpha with secure API communication
- All API endpoints require authentication and are rate-limited
- Regular dependency audits and vulnerability scanning of our own codebase
- Environment variables and secrets managed through secure secret management systems
3. Access Controls
Access to production systems is restricted to authorized personnel only. We implement the principle of least privilege — team members only have access to the systems and data necessary for their role. All access is logged and audited.
4. Incident Response
In the event of a security incident, we will investigate promptly, mitigate the impact, and notify affected users within 72 hours. We maintain an incident response plan that includes identification, containment, eradication, recovery, and lessons-learned phases.
5. Responsible Disclosure
We welcome responsible security researchers to help us improve the security of KAIKI. If you discover a vulnerability, please report it to us:
Email: [email protected]
Subject line: [SECURITY] Vulnerability Report
We ask that you give us reasonable time to investigate and address the issue before disclosing it publicly. We will acknowledge your report within 48 hours and provide regular updates on our progress.
6. Compliance
Our security practices are designed to align with SOC2 Type II requirements and industry best practices. We are actively working toward formal compliance certifications as we scale. Our data handling practices comply with GDPR and CCPA requirements.
7. Questions
If you have questions or concerns about our security practices, please contact us at [email protected].