Security
Multi-tenant isolation
Cross-tenant data access is structurally impossible in any code path. Every database query is scoped by tenantId at the query layer. No shared tables or shared identifiers between tenants.
Encryption
TLS 1.3 is enforced on all endpoints. All data is encrypted at rest. Authentication tokens are encrypted and short-lived. No sensitive data is stored in URL parameters.
Authentication
Auth0 JWT for business console users. Mobile JWT with short-lived tokens for customer app sessions. Twilio Verify for phone OTP. No passwords stored.
Payment security
Stripe handles all card data. Kyouz never stores or transmits card numbers. Stripe webhook signature verification is enforced on all payment events.
Feature gate enforcement
All feature gates are enforced server-side. UI-level gating is a convenience only — the API rejects requests from ungated tenants independently of what the UI shows.
Audit logging
Every staff action is logged with actor identity, timestamp, entity type, and before/after state. Logs are non-deletable. Exportable on Pro and Enterprise plans.
Vulnerability disclosure
If you believe you have found a security vulnerability, please disclose it responsibly. Email security@kyouz.com. We ask that you do not publish the vulnerability publicly before giving us a reasonable opportunity to investigate.
SOC 2 roadmap
We are building toward SOC 2 Type II certification. Audit logging, access controls, and change management processes are designed to meet these standards.