Security and privacy
you can verify

Security practices

Kaimz is engineered so that the security tool itself isn't a new attack surface. The architecture is self-contained inside your network, and every privileged action is authenticated and signed.

• Self-hosted by default. The brain, console and agents run on your infrastructure. No telemetry is sent to a vendor cloud.
• Mutual-TLS agent comms. Agents and the brain authenticate each other over mTLS; traffic is encrypted in transit.
• Cryptographically signed response actions. Remote actions (isolate, kill, quarantine) are ECDSA-signed so a compromised channel can't forge commands to your endpoints.
• MFA and role-based access. Operator accounts support TOTP MFA, conditional access and granular RBAC — least privilege by default.
• Tamper-resistant agents. Single-instance guards, ACL-locked install directories and a self-healing watchdog resist disablement.
• Full audit trail. Detections and every response action are logged and searchable for accountability.

Data & privacy

Because Kaimz is self-hosted, the most sensitive data — your endpoint telemetry, alerts and investigations — never leaves your environment. There's no shared multi-tenant cloud holding your security data.

• Your data, your walls. Telemetry, detections and logs stay on infrastructure you control.
• Threat intel is pulled in, not pushed out. Feeds (NVD, CISA, IOC) are fetched on a schedule and cached locally — we don't exfiltrate your data to enrich a vendor model.
• Minimal marketing data. kaimz.org uses essential cookies only (theme preference). No third-party trackers or ad pixels.
• Bring your own AI. Plug in your own model/API key so AI analysis runs without sending data to a third party.

Read the full Privacy Policy for how we handle contact-form and account data.

Compliance & frameworks

Kaimz is built to help you meet the controls your auditors care about — and Pro/Enterprise generate compliance evidence packs that map live platform signals (EDR coverage, MFA, logging, patch posture) to framework controls.

• Control mapping. The compliance engine evaluates real signals against CIS v8, PCI-DSS v4, HIPAA and ISO 27001, with per-control status and evidence.
• Data residency you choose. Self-hosting means you decide the region and jurisdiction your data lives in — useful for sovereignty and PHIPA/PIPEDA needs.

Honest note: "built to support / aligned to" describes how the platform helps you satisfy these frameworks. Where Kaimz Inc. itself holds a third-party certification or attestation, we'll publish the report here and on request — ask us at contact@kaimz.org.

Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability in kaimz.org or the Kaimz platform, please tell us before disclosing publicly, and we'll work with you in good faith.

• Report to security@kaimz.org — or see our machine-readable security.txt.
• Safe harbor. Good-faith research that respects user privacy and avoids service disruption won't lead to legal action from us.
• Please don't run automated scanners against production, access other users' data, or perform DoS testing. Email us to coordinate.

Availability & resilience

Security can't have blind spots during an outage. Kaimz agents persist every event to crash-safe local storage and reconcile the full timeline when connectivity returns — no gaps, no duplicates.

• Offline-resilient telemetry. Events survive network drops and sync on reconnect. Read how →
• High availability (Enterprise). Multi-node deployment for the brain and console removes single points of failure.
• You own uptime. Self-hosting means availability is on your infrastructure and SLAs — not a vendor's shared cloud.

Sub-processors

Self-hosting means there are almost no third parties in the path of your security data. For full transparency:

• The platform: runs entirely on infrastructure you provide. Kaimz operates no sub-processor that touches your telemetry in the self-hosted edition.
• This website: hosted on Hostinger; the contact form delivers email via the host's mail service. Public threat feeds (NVD, CISA) are read-only sources.
• Optional "Kaimz-hosted" add-on: if you choose us to run the platform for you, it's deployed in your chosen region with you retaining ownership — documented in the order.