Last updated May 17, 2026

Security Policy

Kellexa security practices, customer responsibilities, and vulnerability reporting.

1. Our commitment

Protecting customer data and platform integrity is core to Kellexa. We implement industry-standard controls aligned with SOC 2-style practices (certification is on our roadmap) and continuously improve our security posture.

2. Technical & organizational measures

  • Encryption in transit (TLS 1.2+) for all public endpoints.
  • Encryption at rest for sensitive credentials (OAuth tokens, API keys) using industry-standard algorithms.
  • Role-based access control and least privilege for production systems.
  • Network segmentation, firewalls, and DDoS mitigation via cloud providers.
  • Secrets management — no plaintext secrets in source code repositories.
  • Logging and monitoring for security events and anomaly detection.
  • Regular dependency updates and vulnerability scanning.
  • Employee security training and background checks where appropriate.
  • Incident response procedures with customer notification for material breaches as required by law.

3. Data handling

Personal data processing is described in our Privacy Policy. Workflow media is stored in object storage with access controls. Run logs in PostgreSQL retain execution metadata per retention policies. Backups are encrypted and tested periodically.

4. Your responsibilities

  • Use strong, unique passwords and enable MFA when offered.
  • Protect API keys and webhook secrets; rotate if compromised.
  • Review connected integrations and revoke unused platform access.
  • Configure workflows to avoid exposing secrets in logs or public webhooks.
  • Report suspicious activity promptly.

5. Responsible disclosure

We welcome good-faith security reports. Email info@kellexa.com with a description, steps to reproduce, and impact assessment. Do not access data you do not own, perform destructive testing, or publicly disclose issues before we have had reasonable time to remediate (typically 90 days). We do not currently offer a paid bug bounty program but may acknowledge researchers with permission.

6. Security incidents

If you believe your Kellexa account or data has been compromised, contact info@kellexa.com immediately. We will investigate and notify affected users and regulators as required.

7. Infrastructure providers

We use reputable cloud and SaaS providers for hosting, storage, payments, and communications. A sub-processor list is available to enterprise customers under NDA or via info@kellexa.com.