Security

Last updated: October 11, 2025

Certifications & Third-Party Assessments

  • Independent reviews. Annual third-party penetration testing and reviews after major releases. Executive summaries available under NDA.
  • Controls & posture. Controls aligned to SOC-style domains (access, change, vulnerability management, incident response). For documentation, contact support@kolbyai.com.

Infrastructure Security

We operate on reputable cloud infrastructure with least-privilege access, MFA-enforced admin accounts, network segmentation, and audit logging.

  • Transport security. TLS 1.2+ for data in transit; HSTS enforced on web endpoints.
  • Secrets management. Encrypted via cloud KMS; access is RBAC and audited.
  • Backups. Encrypted, point-in-time restore testing on a recurring schedule.
  • Data locality. Regions selected to support performance and compliance needs.

Client Security

  • Authentication. Strong password minimums; MFA for admins; SSO/SAML available for Enterprise.
  • Role-based access. Workspace-scoped permissions and data isolation.
  • Data minimization. We process only what’s required to deliver requested features.

AI Requests

To power real-time coaching and post-call analytics, Kolby may send derived inputs (e.g., transcript text, structured call metadata) to our inference layer and selected model providers. Requests are transmitted over TLS. We log minimal request metadata for reliability and abuse prevention; raw call audio is not logged in analytics tools.

  • Inference-only. By default, providers are not permitted to train on your data.
  • Provider controls. Requests are flagged no-training / zero-retention where supported.
  • PII care. Access controls and retention limits apply to any personal data processed.

Sensitive Data Redaction

Kolby uses automated data masking and real-time redaction filtering to prevent sensitive information from being transcribed, displayed, or stored. This includes (but isn’t limited to):

  • Payment card numbers (PANs), CVV/CVC, expiration dates
  • Social Security numbers and similar national IDs
  • Dates of birth and other high-risk identifiers

When detected, sensitive tokens are replaced with masked placeholders (e.g., **** **** **** 1234) or dropped from logs and transcripts altogether. Redaction occurs inline, during transcription, before content is written to storage.
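
As an added illustration (not Kolby's own code or pipeline), the following hypothetical Python filter shows the inline masking described above: candidate card numbers are Luhn-checked and reduced to their last four digits, CVV/expiry/SSN/DOB tokens are replaced with placeholders, and on the log path any line that carried a sensitive token is dropped altogether. The sample transcript line and all pattern names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample transcript line (not real customer data).
SAMPLE = ("Customer: my card is 4111 1111 1111 1111, expires 09/27, CVV 123. "
          "SSN is 123-45-6789 and I was born on 03/14/1985.")

# 13-19 digits with optional space/dash separators; Luhn-checked before masking
# so order numbers and similar digit runs are not redacted by mistake.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
OTHER_RULES = [
    (re.compile(r"\b(CVV2?|CVC)\s*:?\s*\d{3,4}\b", re.I), r"\1 [REDACTED]"),
    (re.compile(r"\b(exp(?:ires|iry)?\.?\s*:?\s*)(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b", re.I),
     r"\1[EXP REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DOB REDACTED]"),
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(m: "re.Match") -> str:
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)                       # not a card number; leave it
    return "**** **** **** " + digits[-4:]      # keep only the last four

def redact(text: str) -> Tuple[str, int]:
    """Mask sensitive tokens in one line; also return how many were found."""
    hits = sum(1 for m in PAN_RE.finditer(text)
               if luhn_ok(re.sub(r"\D", "", m.group(0))))
    text = PAN_RE.sub(_mask_pan, text)
    for pattern, repl in OTHER_RULES:
        text, n = pattern.subn(repl, text)
        hits += n
    return text, hits

def for_storage(text: str, sink: str = "transcript") -> Optional[str]:
    """Transcripts keep the masked line; the log path drops any line that
    carried a sensitive token, so not even a placeholder reaches log tooling."""
    cleaned, hits = redact(text)
    return None if (sink == "log" and hits) else cleaned
```

Run the filter before the line is written to storage, as the text describes; the Luhn check is what keeps non-card digit runs intact.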

Codebase Indexing (Developers)

If your team connects internal documentation or knowledge sources for better coaching context, Kolby indexes the necessary content and its associated metadata to enable retrieval.

  • Encryption. Embeddings and documents are encrypted at rest and in transit.
  • Access. Only permitted workspace members can query your indexed sources.
  • Exclusions. You can exclude sources or disable indexing at any time.

Privacy Mode Guarantee

Privacy Mode ensures your data is never used to train base models unless an authorized admin explicitly opts in under additional terms. Enterprise workspaces default to Privacy Mode.

  • Strict routing. Requests labeled “privacy” route only to providers honoring zero-retention/training-off.
  • Defense-in-depth. If a privacy flag is missing, we still handle the request as privacy-on.
  • No training without consent. Opt-in requires explicit admin action and added terms.

Account Deletion

You can delete your account anytime in Settings → Account. Active copies are removed promptly; encrypted backups roll off on a fixed schedule (typically within 30 days). For help, contact support@kolbyai.com.

Vulnerability Disclosure

If you believe you’ve found a security issue, please share steps to reproduce, impact, and affected endpoints. We acknowledge within 5 business days and coordinate remediation and disclosure. Report via support@kolbyai.com.

Data Retention

  • Operational data. Retained only as long as needed to provide the Service and meet legal obligations.
  • Call media/transcripts. Retention is configurable by workspace/plan. Sensitive tokens covered by redaction are not stored.
  • Backups. Encrypted backups follow a fixed window (typically ≤30 days) before automatic deletion.

Incident Response

  • 24/7 monitoring with documented runbooks for containment, eradication, and recovery.
  • We notify admins promptly if an incident poses material risk to your organization or end-customers.

Questions

Need help or security documentation? Contact support@kolbyai.com.