Last Updated: April 1, 2026

Security Practices

1. Encryption

We use industry-standard encryption to protect your data:

  • In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (HTTPS). We enforce HSTS headers.
  • At Rest: All data stored in our databases and file storage is encrypted using AES-256 encryption.
  • Backups: Database backups are encrypted and stored in geo-redundant Azure storage.

2. Authentication Security

Kamili One uses the central Kamili authentication system, which provides:

  • Password Hashing: Passwords are hashed using bcrypt with a minimum work factor of 12.
  • JWT Tokens: Stateless authentication with short-lived access tokens (1 hour) and secure refresh token rotation.
  • Two-Factor Authentication: Optional TOTP-based 2FA for all accounts.
  • OAuth 2.0: Google, Microsoft, and Apple sign-in via industry-standard OAuth 2.0 + OIDC.
  • Session Management: Secure HTTP-only cookies with SameSite=Strict attribute.
  • Rate Limiting: Login attempts are rate-limited to prevent brute-force attacks.
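Two of the controls listed above, the minimum bcrypt work factor and login rate limiting, are the kind a defender would want to see enforced in code rather than only stated. The block below is an added example, not Kamili One's code, and assumes nothing about how Kamili implements these checks; it uses only the Python standard library, and the hash strings and account names in it are constructed placeholders.

```python
"""Added example (not Kamili One's code): enforcing a minimum bcrypt work
factor of 12 and rate-limiting login attempts per account. Standard library
only; the bcrypt hash strings below are constructed placeholders in the
modular-crypt format, not hashes of real passwords."""
import re
import time
from collections import defaultdict, deque

MIN_BCRYPT_COST = 12  # the minimum work factor stated in the policy

# bcrypt modular-crypt format: $2a|2b|2y$<cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost (log2 of the rounds) encoded in a bcrypt hash string.

    Raises ValueError if the string is not a well-formed bcrypt hash, so a
    corrupted or foreign hash is never silently treated as acceptable.
    """
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(2))


def needs_rehash(hash_str: str, min_cost: int = MIN_BCRYPT_COST) -> bool:
    """True when a stored hash was produced below the current minimum cost.

    Call this right after a successful password check: the plaintext is in
    hand at that moment, so the password can be re-hashed at the current cost
    and the stored value upgraded without forcing a password reset.
    """
    return bcrypt_cost(hash_str) < min_cost


class LoginRateLimiter:
    """Sliding-window limiter keyed per account (e.g. a normalized e-mail).

    Allows at most `max_attempts` failed attempts per `window_seconds`;
    further attempts are refused until old ones age out of the window.
    A failure is recorded; a success clears the key.
    """

    def __init__(self, max_attempts: int = 5, window_seconds: int = 300,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._attempts: dict[str, deque] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, key: str) -> bool:
        """Return True if another login attempt for `key` may proceed."""
        now = self.clock()
        self._prune(key, now)
        return len(self._attempts[key]) < self.max_attempts

    def record_failure(self, key: str) -> None:
        self._attempts[key].append(self.clock())

    def record_success(self, key: str) -> None:
        self._attempts.pop(key, None)


# Constructed sample hashes: 22 placeholder salt chars + 31 placeholder hash chars
_PLACEHOLDER = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
LEGACY_HASH = f"$2b$10${_PLACEHOLDER}"   # produced before the cost-12 policy
CURRENT_HASH = f"$2b$12${_PLACEHOLDER}"  # meets the stated minimum


def demo() -> dict:
    """Run both checks on the constructed data and return the outcomes."""
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=300)
    for _ in range(5):
        limiter.record_failure("user@example.com")  # constructed account name
    return {
        "legacy_needs_rehash": needs_rehash(LEGACY_HASH),
        "current_needs_rehash": needs_rehash(CURRENT_HASH),
        "sixth_attempt_allowed": limiter.allow("user@example.com"),
        "other_account_allowed": limiter.allow("other@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The limiter keys on the account rather than the client address so that a distributed guessing attempt against one account is still throttled, and the clock is injected so the window behaviour can be unit-tested without sleeping. The cost check parses only the hash header, so it can run on every login without touching the password itself.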

3. Infrastructure Security

Our infrastructure is hosted on Microsoft Azure with the following security measures:

  • Cloud Hosting: Azure data centers with SOC 2, ISO 27001, and GDPR compliance certifications.
  • Network Security: Virtual network isolation, firewall rules, and DDoS protection.
  • Access Controls: Role-based access control for all infrastructure resources. Principle of least privilege enforced.
  • Monitoring: Azure Application Insights for real-time monitoring and anomaly detection.
  • Dependency Scanning: Automated vulnerability scanning of all dependencies in CI/CD pipeline.
  • Backups: Automated database backups with 1-hour RPO (Recovery Point Objective) and 4-hour RTO (Recovery Time Objective).

4. Incident Response

We maintain a documented incident response procedure:

  • SEV-0 (Critical): Full system outage or data breach — 15-minute response, all-hands-on-deck.
  • SEV-1 (High): Major feature degradation — 1-hour response, on-call engineer.
  • SEV-2 (Medium): Minor feature issues — 4-hour response, next business day.
  • SEV-3 (Low): Cosmetic or minor issues — tracked and addressed in regular sprints.

In the event of a data breach, affected users will be notified within 72 hours as required by GDPR.

5. Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: security@kamililabsllc.com
  • Include a detailed description of the vulnerability and steps to reproduce
  • We will acknowledge receipt within 24 hours
  • We will work with you to understand and resolve the issue
  • We ask that you do not publicly disclose the vulnerability until we have addressed it