Klime

Security Policy

Last updated: December 10, 2025

The short version

  • Encryption everywhere. TLS 1.2+ in transit, AES-256 at rest.
  • Tenant isolation. Every query is scoped to your organization's identifier; cross-customer access is prevented by design.
  • Credentials secured. Slack tokens and API keys encrypted before storage.
  • Secure development. Code reviews, dependency scanning, input validation.
  • SOC 2 Type II providers. Built on AWS, Neon, Tinybird and Vercel, each of which holds a SOC 2 Type II report.
  • 24-hour response. Security reports acknowledged within a day.

Introduction

At Klime, security is fundamental to how we build and operate our platform. This Security Policy describes the measures we implement to protect your data and maintain the integrity of our Service. This policy should be read alongside our Privacy Policy and Terms of Service.

For security concerns or to report vulnerabilities, contact us at hello@klime.com.

Infrastructure Security

Cloud Infrastructure

Our infrastructure is hosted on industry-leading cloud providers with robust security certifications:

  • Amazon Web Services (AWS) for event ingestion infrastructure, including CloudFront CDN, compute, and message queuing
  • Neon for managed PostgreSQL database services
  • Tinybird for analytics data processing
  • Vercel for application hosting and edge delivery

All infrastructure providers maintain SOC 2 Type II compliance and follow industry-standard security practices. Those reports cover the providers' own controls; the controls Klime operates on top of them are the ones described in this policy.

Network Security

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • API endpoints are served exclusively over HTTPS
  • Edge networks (AWS CloudFront and Vercel) provide DDoS protection
  • Event ingestion services run in private subnets with restricted network access

Data Security

Encryption

  • Data in Transit: All data transmitted to and from our Service is encrypted using TLS 1.2+
  • Data at Rest: Sensitive data including credentials and tokens is encrypted using AES-256
  • Database Encryption: Our PostgreSQL databases use encryption at rest provided by our infrastructure providers
  • Secrets Management: API keys, tokens, and credentials are stored encrypted and managed through secure secret stores

Tenant Isolation

Klime is a multi-tenant platform with strict data isolation:

  • Each customer organization has a unique identifier used to scope all data access
  • Database queries enforce tenant boundaries at the application and query level
  • Analytics data is isolated per tenant through parameterized queries with tenant identifiers
  • Cross-tenant data access is prevented by design: the tenant identifier is bound into every query, so a request cannot return another organization's rows
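The query-level scoping described above, shown as an added example that is illustrative and not Klime's own code. It assumes a single events table with an org_id column and a request context whose organization id comes from the verified session, never from request parameters; the table layout, organization ids and sample rows are constructed. It also shows why the parameterized form matters: the same attacker-controlled event id that is harmless when bound as a parameter breaks tenant scoping when concatenated into the SQL.

```python
"""
Tenant-scoped data access with parameterized queries (added example, not
Klime's implementation). Table layout, ids and sample rows are assumptions.
"""
import sqlite3

# Constructed sample data: two organizations, each with its own events.
SAMPLE_EVENTS = [
    ("org_a", "evt_1", "signup"),
    ("org_a", "evt_2", "login"),
    ("org_b", "evt_3", "signup"),
]


def make_db():
    """In-memory database standing in for the tenant-shared PostgreSQL store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        " org_id TEXT NOT NULL, event_id TEXT PRIMARY KEY, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


class TenantContext:
    """Carries the organization id resolved from the authenticated session.
    Only session verification sets it; request parameters never do."""

    def __init__(self, org_id):
        self.org_id = org_id


def fetch_event(conn, ctx, event_id):
    """Hardened form: org_id from the session is always a bound predicate, so a
    caller who guesses another organization's event_id gets no row."""
    return conn.execute(
        "SELECT org_id, event_id, name FROM events WHERE org_id = ? AND event_id = ?",
        (ctx.org_id, event_id),
    ).fetchone()


def list_events(conn, ctx):
    """All rows visible to the tenant, again scoped by the session's org_id."""
    rows = conn.execute(
        "SELECT event_id FROM events WHERE org_id = ? ORDER BY event_id",
        (ctx.org_id,),
    )
    return [r[0] for r in rows]


def fetch_events_unsafe(conn, ctx, event_id):
    """Vulnerable form, shown for contrast only: the tenant predicate is present
    but the values are concatenated, so an injected OR clause overrides it."""
    sql = (
        f"SELECT org_id, event_id, name FROM events "
        f"WHERE org_id = '{ctx.org_id}' AND event_id = '{event_id}'"
    )
    return conn.execute(sql).fetchall()


def demo():
    conn = make_db()
    ctx = TenantContext("org_a")
    own = fetch_event(conn, ctx, "evt_1")          # ("org_a", "evt_1", "signup")
    foreign = fetch_event(conn, ctx, "evt_3")      # None: evt_3 belongs to org_b
    injected = "x' OR '1'='1"                      # constructed attacker input
    safe = fetch_event(conn, ctx, injected)        # None: bound as a literal string
    leaked = fetch_events_unsafe(conn, ctx, injected)  # every row, org_b included
    return own, foreign, safe, leaked


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that a WHERE clause mentioning the tenant id is not by itself isolation; the id has to be bound as a parameter from a trusted source on every path that touches tenant data.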

Credential Security

  • Slack bot tokens are encrypted at rest using AES-256-GCM before storage
  • API write keys are unique per organization and can be rotated at any time
  • Session tokens are generated with a cryptographically secure random number generator and expire automatically

Authentication and Access Control

User Authentication

  • Single Sign-On (SSO) via Slack for streamlined and secure access
  • Session-based authentication with cookies carrying the Secure and HttpOnly attributes
  • Automatic session expiration and renewal

Authorization

  • Organization membership required for access to tenant data
  • Membership verification enforced on all organization-scoped operations
  • API endpoints validate both authentication and authorization before processing requests

API Security

  • Write keys authenticate event ingestion requests
  • Rate limiting protects against abuse and ensures fair usage
  • CORS configuration restricts which browser origins may call our APIs (CORS governs browser-initiated cross-origin requests; write-key authentication still applies to every request)
  • Event ingestion requests are logged for security monitoring

Webhook Security

We implement robust security for incoming webhooks from third-party services:

  • Signature Verification: All webhooks from Slack and Resend are verified against the provider's request signature using the provider-specific signing secret before they are processed
  • Replay Protection: Webhook requests include timestamps and are rejected if stale, preventing replay attacks
  • Idempotency: Webhook handlers are designed to safely handle duplicate deliveries
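The three controls above, signature verification, replay rejection and idempotent handling, as an added example that is not Klime's handler. It implements Slack's published request-signing scheme (HMAC-SHA256 over "v0:{timestamp}:{body}" with the app's signing secret, sent as "v0=<hex>" in X-Slack-Signature alongside X-Slack-Request-Timestamp, with a five-minute freshness window); Resend's scheme differs in header names and encoding and is not shown. The signing secret, request bodies, event ids and the in-memory deduplication set are constructed stand-ins.

```python
"""
Inbound webhook verification with replay protection and idempotent handling
(added example). Secret, bodies and event ids below are constructed.
"""
import hashlib
import hmac
import json
import time

SIGNING_SECRET = "8f742231b10e8888abcd99yyyzzz85a5"   # constructed; real value lives in the secret store
MAX_SKEW_SECONDS = 5 * 60                            # Slack's recommended replay window
SIGNATURE_VERSION = "v0"


def compute_signature(secret, timestamp, body):
    """Slack's base string is 'v0:<timestamp>:<raw body>'; the HMAC-SHA256 hex
    digest is prefixed with the version. Use the raw body, not re-serialized JSON."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:{body}".encode()
    digest = hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_request(headers, body, secret=SIGNING_SECRET, now=None):
    """Return (ok, reason). Freshness is checked before the HMAC so a replayed
    request carrying a genuine but old signature is rejected."""
    now = time.time() if now is None else now
    ts = headers.get("X-Slack-Request-Timestamp")
    sig = headers.get("X-Slack-Signature", "")
    if ts is None or not ts.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = compute_signature(secret, ts, body)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    return True, "ok"


class WebhookHandler:
    def __init__(self):
        self.seen_event_ids = set()   # stand-in for a durable dedup store
        self.processed = []

    def handle(self, headers, body, now=None):
        ok, reason = verify_request(headers, body, now=now)
        if not ok:
            return 401, reason
        payload = json.loads(body)
        event_id = payload.get("event_id")
        if event_id in self.seen_event_ids:
            return 200, "duplicate ignored"   # redelivery is acknowledged, not reprocessed
        self.seen_event_ids.add(event_id)
        self.processed.append(payload["event"])
        return 200, "processed"


def signed_headers(body, timestamp, secret=SIGNING_SECRET):
    """Headers a legitimate sender attaches; used here to build demo requests."""
    ts = str(int(timestamp))
    return {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": compute_signature(secret, ts, body),
    }


def demo():
    handler = WebhookHandler()
    now = 1_700_000_000
    body = json.dumps({"event_id": "Ev0001", "event": {"type": "message", "text": "hi"}})
    headers = signed_headers(body, now)
    first = handler.handle(headers, body, now=now)                      # processed
    retry = handler.handle(headers, body, now=now + 3)                  # provider redelivery: duplicate ignored
    tampered = handler.handle(headers, body.replace('"hi"', '"bye"'), now=now)   # bad signature
    replay = handler.handle(headers, body, now=now + MAX_SKEW_SECONDS + 1)      # stale timestamp
    return first, retry, tampered, replay


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: sign over the raw request bytes rather than a parsed-and-reserialized body, and compare signatures with a constant-time function so an attacker cannot learn the expected value byte by byte from response timing.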

Application Security

Secure Development

  • Code reviews required for all changes
  • Automated dependency scanning and updates for known vulnerabilities
  • Input validation and sanitization throughout the application
  • Parameterized queries to prevent SQL injection
  • Output encoding to prevent cross-site scripting (XSS)
  • Session-based authentication with secure cookie attributes

Third-Party Integrations

We integrate with trusted third-party services. See our Privacy Policy for a complete list of providers and how data is shared with each. Key security measures for integrations:

  • Anthropic: Data limited to what's necessary for responses; no raw customer PII; conversations isolated per customer
  • Slack: OAuth 2.0 for authorization; bot tokens encrypted at rest; minimal permission scopes
  • Stripe: Payment information handled entirely by Stripe; we do not store payment card data

Incident Response

Security Monitoring

  • We monitor our systems for security events and anomalies
  • Automated alerts for suspicious activity
  • Regular review of access logs and security events

Incident Handling

In the event of a security incident:

  • We will investigate and contain the incident promptly
  • Affected customers will be notified in accordance with applicable laws and regulations
  • We will provide updates on the incident and remediation steps
  • Post-incident reviews are conducted to prevent recurrence

Business Continuity

  • Infrastructure providers maintain their own backup and recovery procedures
  • Service schemas and configurations are version-controlled

Team Security

  • Multi-factor authentication required for all team services
  • Password managers used for secure credential management
  • Least-privilege access principles for all systems

Vulnerability Disclosure

If you discover a security vulnerability in our Service, please report it to hello@klime.com. We appreciate responsible disclosure and will:

  • Acknowledge receipt of your report within 24 hours
  • Provide an initial assessment within 72 hours
  • Keep you informed of our progress

Please do not publicly disclose vulnerabilities until we have had an opportunity to address them. Note that we do not operate a bug bounty program and cannot offer monetary compensation for vulnerability reports.

Compliance

Data Protection

We process data in accordance with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR) for EU users
  • California Consumer Privacy Act (CCPA) for California residents

See our Privacy Policy for details on data handling and your rights.

Your Responsibilities

While we implement robust security measures, security is a shared responsibility:

  • Protect your account credentials and API keys
  • Use a strong, unique password for the Slack account you sign in with
  • Report any suspected unauthorized access immediately
  • Ensure you have appropriate consent to send customer data to our Service
  • Rotate API keys if you suspect they have been compromised

Contact

For security-related inquiries or to report a vulnerability:

Email: hello@klime.com
Response Time: Within 24 hours
Location: Amsterdam, Netherlands