Security Policy
Last Updated: June 2026
kaimon is a security product. We hold ourselves to the same standard we help our customers meet. This document describes the controls we have in place across our infrastructure, data handling, and operational practices.
1. Encryption
- In transit: All data transmitted between the kaimon agent, API, and portal is encrypted using TLS 1.2+. Plaintext HTTP is not supported.
- At rest: All data stored in cloud object storage (Parquet event files, reports, agent tokens) is encrypted using AES-256.
- Agent tokens: Enrollment tokens are generated per-tenant, stored encrypted, and can be revoked instantly from the portal. Tokens are never logged in plaintext.
2. Infrastructure
kaimon runs entirely on a managed cloud platform hosted in the United States. We use the following controls:
- Audit logging: All API calls, storage access, and compute invocations are logged and retained for audit purposes.
- Access control: Service roles follow the least-privilege principle. No long-lived credentials exist in production. Secrets are managed via a dedicated secrets management service.
- Network isolation: All compute runs inside an isolated virtual network. Agent communication uses HTTPS on port 443 only. No inbound ports are exposed on compute resources.
- Data lifecycle: Object storage lifecycle policies enforce retention limits and automatic deletion. Data is partitioned and isolated per tenant — no cross-tenant data access is possible at any layer.
3. The eBPF Agent
The kaimon agent runs as a sandboxed eBPF program inside the Linux kernel. eBPF programs are checked by the kernel's built-in verifier at load time, before they execute, and a program that could crash the kernel, access arbitrary memory, or perform operations outside its declared scope is rejected rather than loaded.
- The agent reads filesystem events (open, write, rename, delete, chmod) — it does not modify files, block operations, or intercept network traffic.
- All event data is buffered locally and shipped over HTTPS. No data is stored on disk beyond the ring buffer.
- The agent binary is statically compiled, signed, and distributed via the kaimon portal with a per-tenant enrollment token. It does not execute arbitrary code from the network.
- Minimum kernel requirement: Linux 5.14+ with BTF enabled.
4. Access & Authentication
- Customer authentication is delegated to a third-party identity provider, which provides social login (GitHub, Google) and email/password with MFA support.
- Role-based access control (RBAC) is enforced at the API layer — team members can be granted Member or Admin roles; all actions are scoped to the authenticated tenant.
- Billing is processed by a PCI-compliant third-party payment provider. kaimon never stores raw card data.
- Internal access to production infrastructure requires MFA and is restricted to named service identities with time-limited sessions.
5. Data Handling & Retention
- What we collect: File system events (path, event type, timestamp, user, process) from the hosts where you install the agent. We do not collect file contents.
- Data residency: All data is stored in the United States. No data is replicated outside this region.
- Retention: Event data is retained for the duration of your active subscription. Trial data is deleted 30 days after trial expiry. You can request deletion at any time by emailing hello@kaimon.co.
- Sub-processors: A cloud infrastructure provider (compute, storage, networking), a third-party identity provider (authentication), a PCI-compliant payment processor (billing), and a cloud AI service (AI executive summaries — your data is not used for model training).
6. Compliance Status
kaimon is currently pre-certification. Our SOC 2 Type I audit is planned after our first production customers. In the meantime, the controls described in this document are in place. For security questionnaires or vendor risk assessments, email hello@kaimon.co and we will respond within 2 business days.
7. Responsible Disclosure
If you believe you have found a security vulnerability in kaimon, please report it privately to security@kaimon.co. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 7 days. We ask that you do not publicly disclose the issue until we have had the opportunity to address it. We do not currently operate a bug bounty program, but we will credit researchers in our release notes when requested.
8. Contact
Security questions and vendor assessments: hello@kaimon.co
Vulnerability reports: security@kaimon.co