Security built in, claims kept honest
Kairoo protects your career and learning data with a layered security model, a transparent compliance posture, and performance targets we measure ourselves against — no overstated badges, just the practices behind them.
- TLS 1.3 + AES-256
- Defense in depth
- Data minimization
- Continuous monitoring
How we talk about compliance
We describe our posture as compliance-ready and in progress rather than overstating certifications. Where a framework is fully reflected in how we operate today, we say so; where it is on our roadmap, we say that too.
Performance targets
Fast is a feature — and a target
A secure product still has to feel instant. These are figures we design and monitor against — targets, not guarantees.
Defense in depth
A layered security model
Security is enforced at every layer — from the edge of the network, through the application, down to the data itself.
Network security
Traffic is filtered, encrypted, and rate-shaped before it ever reaches the app.
- Web application firewall with DDoS protection
- TLS 1.3 encryption in transit
- IP allow-listing for administrative access
Application security
Every request is authenticated, authorized, and scoped to least privilege.
- OAuth 2.0 + JWT authentication
- Role-based access control (RBAC)
- API rate limiting and abuse protection
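The three controls above, shown working together on a single request. This is an added example written for this page, not Kairoo's code: the signing key, the role-to-permission table, the request handler and the log-free status strings are all hypothetical. It uses only the Python standard library to verify an HS256 JWT with the algorithm pinned, apply an RBAC check, and enforce a per-subject token-bucket rate limit; it rejects forged claims, expired tokens and `alg: none` tokens rather than falling through.

```python
"""Added example (not Kairoo's code): JWT verification + RBAC + rate limiting.
All names, keys and tables below are hypothetical."""
import base64
import hashlib
import hmac
import json

# Hypothetical shared secret. A production service would hold an asymmetric
# key in a KMS/HSM and use RS256/ES256; HS256 keeps this example stdlib-only.
SECRET = b"demo-signing-key"

# Hypothetical RBAC table: role -> actions that role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "manage_users"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (what an OAuth 2.0 authorization server would do)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, now: float, secret: bytes = SECRET) -> dict:
    """Return the claims if the token is valid at time `now`; raise ValueError otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: never honour the header's alg, which blocks
    # 'none' and algorithm-confusion tokens outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # An exp claim is mandatory here; a token without one is treated as expired.
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, action: str) -> bool:
    """RBAC: allow the action only if one of the caller's roles grants it."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in claims.get("roles", []))


class TokenBucket:
    """Per-subject token bucket: `rate` requests/second with a burst of `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self._state = {}  # subject -> (tokens, last_seen)

    def allow(self, subject: str, now: float) -> bool:
        tokens, last = self._state.get(subject, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        if tokens < 1:
            self._state[subject] = (tokens, now)
            return False
        self._state[subject] = (tokens - 1, now)
        return True


def handle_request(token: str, action: str, bucket: TokenBucket, now: float) -> str:
    """Authenticate, then rate-limit by subject, then authorize. Returns an HTTP-style status."""
    try:
        claims = verify_jwt(token, now)
    except ValueError:
        return "401 Unauthorized"
    if not bucket.allow(claims["sub"], now):
        return "429 Too Many Requests"
    if not authorize(claims, action):
        return "403 Forbidden"
    return "200 OK"
```

The limiter runs after authentication so the budget is per subject, not per IP; IP-based shaping belongs at the edge (WAF), in front of this code. In a real deployment the bucket state would live in a shared store rather than process memory, and the verification would use a maintained library rather than hand-rolled parsing.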
Data security
Your data is encrypted at rest, minimized, and isolated by design.
- AES-256 encryption at rest
- PII anonymization and data minimization
- Secure key management (HSM-backed)
Practices
How we operate, day to day
The principles that shape every feature we ship.
Encryption everywhere
TLS 1.3 in transit and AES-256 at rest, so your data is protected on the wire and on disk.
Least-privilege access
Role-based access control and HSM-backed key management keep credentials and secrets tightly scoped.
Data minimization
We collect only what a feature needs and anonymize PII wherever the product allows.
Continuous monitoring
Application performance monitoring, metrics, log aggregation, and error tracking give us real-time visibility into the platform.
Compliance posture
Where we stand on the frameworks
Each framework below shows what it covers and exactly where Kairoo sits today — stated plainly.
SOC 2
Security, availability & confidentiality controls
Targeting SOC 2 Type II. Controls are being implemented and documented ahead of a formal third-party audit.
GDPR
EU/EEA personal data protection
Built to be GDPR-ready: data-subject access and deletion, lawful-basis handling, and EU data-processing practices.
HIPAA
Protected health information (where applicable)
HIPAA-ready architecture for healthcare use cases. A signed BAA and full safeguards are part of our enterprise roadmap.
ISO 27001
Information security management
Designing our information-security management system against ISO/IEC 27001 controls as we scale toward certification.
Working through a procurement or vendor-security review? Reach out and we'll share our current documentation and walk you through the controls behind each framework.
Speed & observability
The thresholds we hold ourselves to
A secure product still has to feel instant. These are the thresholds we design and monitor against. They are targets, not guarantees.
Speed targets
- < 1.2s: First Contentful Paint (FCP), first content visible
- < 2.5s: Largest Contentful Paint (LCP), main content loaded
- < 3.8s: Time to Interactive (TTI), page fully responsive
- < 200ms: API response time, typical request latency
- < 5s: AI processing time, per AI-assisted action
Monitoring & observability
We watch these targets continuously so regressions surface fast and get fixed before they affect you.
- Application performance monitoring (APM)
- Metrics visualization & alerting
- Centralized log aggregation & search
- Real-time error tracking
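A minimal version of the regression check the paragraph above describes, added here as an example and not Kairoo's own tooling. It parses a constructed batch of request-log lines (the log format is hypothetical), splits requests into API calls and AI-assisted actions, computes nearest-rank p50/p95 latencies, and compares the p95 against the page's 200 ms and 5 s targets while counting 5xx responses. Wired to a metrics pipeline, the `breach` flags are what an alert would fire on.

```python
"""Added example (not Kairoo's tooling): check request logs against latency targets.
Log format and route prefixes are hypothetical."""
import math
import re

# Constructed sample log lines: timestamp method path status duration_ms
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z GET /api/profile 200 120
2024-05-01T10:00:01Z GET /api/profile 200 95
2024-05-01T10:00:02Z POST /api/ai/summarize 200 3100
2024-05-01T10:00:03Z GET /api/courses 200 230
2024-05-01T10:00:04Z GET /api/courses 500 410
2024-05-01T10:00:05Z POST /api/ai/summarize 200 4200
2024-05-01T10:00:06Z GET /api/profile 200 80
2024-05-01T10:00:07Z POST /api/ai/summarize 200 4900
2024-05-01T10:00:08Z GET /api/courses 200 150
2024-05-01T10:00:09Z GET /api/profile 200 110
"""

# Targets stated on the page: API < 200 ms, AI-assisted action < 5 s.
TARGETS_MS = {"api": 200, "ai": 5000}
LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3}) (\d+)$")


def classify(path: str) -> str:
    """Hypothetical routing convention: AI actions live under /api/ai/."""
    return "ai" if path.startswith("/api/ai/") else "api"


def percentile(values, p: float):
    """Nearest-rank percentile (0 < p <= 100) over a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def parse_logs(text: str):
    """Group durations by request class and count server-side (5xx) errors."""
    buckets = {"api": [], "ai": []}
    errors = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _, _, path, status, ms = m.groups()
        if status.startswith("5"):
            errors += 1
        buckets[classify(path)].append(int(ms))
    return buckets, errors


def check_targets(text: str):
    """Return ({class: {p50_ms, p95_ms, target_ms, breach}}, error_count)."""
    buckets, errors = parse_logs(text)
    report = {}
    for cls, samples in buckets.items():
        if not samples:
            continue
        p95 = percentile(samples, 95)
        report[cls] = {
            "p50_ms": percentile(samples, 50),
            "p95_ms": p95,
            "target_ms": TARGETS_MS[cls],
            "breach": p95 > TARGETS_MS[cls],
        }
    return report, errors


if __name__ == "__main__":
    summary, err_count = check_targets(SAMPLE_LOGS)
    for cls, row in summary.items():
        print(cls, row)
    print("5xx errors:", err_count)
```

Judging the target on p95 rather than the mean is deliberate: a handful of slow requests (here the 410 ms error case) is exactly what a "typical request latency" average would hide.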
Security questions, answered straight
Security questions before you commit?
Tell us about your requirements and we'll walk you through our controls, documentation, and roadmap.