Compliance & Security Disclosures

LAST AUDITED: MAY 2026 ยท SECURITY CONTROLS ACTIVE

KAIROS Signal is committed to maintaining the highest security, privacy, and regulatory compliance standards. This dashboard provides live transparency into our infrastructure audits, operational controls, and user privacy procedures.

1. SOC 2 Type II Audits & Controls

We undergo annual independent third-party SOC 2 Type II audits covering the Security, Availability, and Confidentiality trust service criteria. Our continuous compliance logging is linked directly to AWS Security Hub and Vanta monitoring agents.

2. Production Access Policy (MFA & SSH)

To eliminate identity hijacking and configuration drift, we enforce strict boundary constraints on our systems:

  • AWS Systems Manager (SSM): Direct SSH port exposure is disabled. Administrative sessions are routed through AWS SSM using hardware-backed MFA keys.
  • Key-Based IPMI Access: Bare-metal infrastructure at Equinix metal and local colocation centers is managed via cryptographic key exchange over private VPNs.
  • MFA Enforcement: All developer accounts, code repository check-ins, and production database consoles require WebAuthn/FIDO2 hardware keys (YubiKey).

3. IAM & Password Policy

Production IAM policies adhere strictly to the Principle of Least Privilege (PoLP). All IAM credentials, database accounts, and access keys are rotated automatically every 90 days. User account credentials stored locally use one-way SHA-256 salted hashes, protected by hardware security modules (HSM) on AWS KMS.

4. Data Privacy, TCPA, and GDPR Consent

We comply fully with state and federal privacy mandates, including California Consumer Privacy Act (CCPA), Telephone Consumer Protection Act (TCPA), and European Union GDPR regulations:

  • TCPA Verification: Consumer consent is gathered through opt-in forms certified by independent software trackers (such as Leadid / TrustedForm), ensuring records are only shared with user confirmation.
  • Data Minimization: Customer records are retained only for the duration required to complete data routing. PII is scrubbed or encrypted at rest using AES-256 GCM.
  • Data Erasure Rights: Consumers can request full record deletion or view held details by emailing our compliance officer at [email protected].