Security
Last updated: Aug 28, 2025
Certifications & Third-Party Assessments
- Independent reviews. Annual third-party penetration testing and post-major-release reviews. Executive summaries available under NDA.
- Compliance posture. Controls aligned to SOC 2-style domains (access control, change management, vulnerability management, incident response). For formal reports, contact security@kolbyai.com.
Infrastructure Security
Hosted on reputable cloud providers with least-privilege access, MFA-enforced admin accounts, network controls, and audit logging.
- Cloud provider. [[ AWS / GCP / AZURE ]], region [[ REGION ]].
- Perimeter. WAF/CDN (e.g., Cloudflare), TLS 1.2+ everywhere.
- Secrets. Encrypted via cloud KMS; access is RBAC and audited.
- Backups. Encrypted, point-in-time policies and restore tests.
- No China infrastructure. We do not operate in China or use Chinese processors.
Client Security
- Authentication. Strong password minimums; MFA for admins; SSO/SAML available for Enterprise [[ if enabled ]].
- Role-based access. Workspace-scoped permissions and segregation.
- Data minimization. We only process what’s necessary for features you use.
AI Requests
To power real-time coaching and post-call analytics, Kolby may send derived inputs (e.g., transcript text, structured call metadata) to our inference layer and selected model providers. Requests are sent over TLS. We log request metadata for reliability and abuse prevention; we do not log raw audio in analytics tools.
- Inference only. By default, we do not allow providers to train on your data. See Privacy Mode Guarantee.
- Customer-managed keys (optional). Enterprise can request stricter routing/retention controls [[ note availability ]].
- PII handling. If transcripts include personal data, we apply access controls and retention limits per our Privacy Policy.
Codebase Indexing (Developers)
If your team connects internal docs/knowledge for better coaching context, Kolby indexes file metadata and the content needed for that context. You can exclude individual sources or disable indexing at any time.
- Encryption. Indexed embeddings/docs encrypted at rest and in transit.
- Filtering & access. Only permitted workspace members can query your content.
- Obfuscation options. Enterprise redaction/obfuscation available.
Privacy Mode Guarantee
Privacy Mode ensures your data is never used to train base models unless you explicitly opt in. Enterprise workspaces default to Privacy Mode.
- Strict routing. Requests marked “privacy” route only to providers honoring zero-retention/training-off.
- Defense-in-depth. If a privacy flag is missing, we still treat the request as privacy-on.
- No training without consent. Opt-in only by an authorized admin under additional terms.
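The routing rule above, written out as an added illustration; this is not Kolby's code, and the provider names, attribute fields and request shape are constructed assumptions. It shows the fail-closed default: a missing flag is treated as privacy-on, privacy is only turned off by an explicit flag plus an admin opt-in, and if no provider satisfies the privacy requirements the request is refused rather than routed to a weaker provider.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provider:
    name: str
    zero_retention: bool   # provider discards prompts/outputs after serving
    training_off: bool     # provider contractually does not train on inputs

# Constructed sample provider table (hypothetical, not Kolby's real providers).
PROVIDERS = [
    Provider("prov-a", zero_retention=True, training_off=True),
    Provider("prov-b", zero_retention=False, training_off=True),
    Provider("prov-c", zero_retention=True, training_off=False),
]

def is_privacy_on(request: dict) -> bool:
    """Return True unless privacy was explicitly switched off by an admin opt-in.

    A missing, None, or non-boolean "privacy" flag is treated as privacy-on
    (fail closed). Even an explicit False only counts when the request also
    carries an admin opt-in, mirroring "no training without consent".
    """
    flag = request.get("privacy")
    if flag is False and request.get("admin_opt_in") is True:
        return False
    return True

def eligible_providers(request: dict, providers=PROVIDERS) -> list:
    """Providers allowed for this request under the privacy rule."""
    if not is_privacy_on(request):
        return list(providers)
    # Privacy-on requests may only reach zero-retention, training-off providers.
    return [p for p in providers if p.zero_retention and p.training_off]

def route(request: dict, providers=PROVIDERS) -> str:
    """Pick a provider, refusing outright if none meets the privacy bar."""
    candidates = eligible_providers(request, providers)
    if not candidates:
        raise RuntimeError("no provider satisfies privacy requirements; refusing to route")
    return candidates[0].name

if __name__ == "__main__":
    print(route({}))                      # privacy-on by default -> prov-a
    print(route({"privacy": False}))      # no admin opt-in -> still prov-a
```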
Account Deletion
Delete your account any time in Settings → Account. We remove active copies promptly; encrypted backups roll off on a fixed schedule [[ e.g., ≤30 days ]].
Vulnerability Disclosure
Found a security issue? Email security@kolbyai.com with steps, impact, and affected endpoints. We acknowledge within 5 business days and coordinate remediation/disclosure.
Data Retention
- Operational data kept only as long as needed to provide the service and meet legal obligations.
- Call media/transcripts retention is configurable by plan.
- Backups follow a fixed window [[ e.g., 30 days ]] before automatic deletion.
Incident Response
- 24/7 monitoring, documented runbooks, and rapid containment/eradication/recovery.
- We notify admins promptly if a breach creates material risk to your org or end-customers.
Questions
Security: security@kolbyai.com · Privacy: privacy@kolbyai.com · Enterprise reviews: sales@kolbera.com