KitZ Security
Trust & Security
Last updated: May 2026
1. Security Certifications
KitZ is actively pursuing industry-recognized security certifications to validate our controls and processes.
| Certification | Status |
|---|---|
| SOC 2 Type II | In progress |
| ISO 27001 | Planned |
2. Data Protection
Your data is protected at rest and in transit through multiple layers of security:
- Tenant isolation: Each workspace operates within an isolated database scope. Postgres Row-Level Security (RLS) policies ensure that one tenant's data is never accessible to another.
- Encryption: Data at rest is encrypted via AES-256. Data in transit is protected by TLS 1.3 on all connections.
- RLS enforced: Every database query runs inside a tenant-scoped transaction using SET LOCAL. No query can escape tenant boundaries.
3. AI Safety
KitZ implements multi-layered defenses against AI risks, aligned with the OWASP LLM Top 10:
- Prompt injection defense: untrusted content is delimited and the system prompt explicitly instructs agents to ignore it.
- Per-agent tool scoping: each AI agent can only access tools authorized for its role.
- Output sanitization: all LLM outputs are sanitized with DOMPurify before rendering.
- Quota enforcement: per-tenant limits prevent abuse and control costs.
For full OWASP LLM Top 10 compliance details, see our security documentation.
4. Subprocessors
KitZ uses the following third-party providers to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | AI engine (chat, agents, brain pipeline) | US |
| Supabase | Database (Postgres), authentication, storage | US-East |
| Vercel | Web hosting, CDN, serverless functions | Global CDN |
| Resend | Transactional email (OTP, notifications) | US |
| Railway | Workers (ai-runtime, wa-worker) | US-West |
5. Data Residency
Your primary data resides in the following regions:
- Database: US-East (Supabase, AWS us-east-1)
- CDN and static assets: Global CDN (Vercel Edge Network)
6. Security Headers
All endpoints serve security headers aligned with SOC 2 and OWASP best practices:
| Header | Value |
|---|---|
| Content-Security-Policy | Nonce-based, default-src self, frame-src none, object-src none |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=() |
7. Audit Trail
Every action in the workspace is logged with timestamp, user, and tenant ID for full compliance:
- Login/logout, password changes, and OTP usage are logged per user.
- Every AI tool invocation is logged with agent, tool, and cost.
- Workspace invitations, role changes, and tenant data updates are immutably logged.
8. Contact
For security questions, vulnerability disclosure, or data requests, contact us at security@kitz.services.