Research Index Coverage Pricing Compliance Terminal →

kavim.io/security

Security & Privacy

How Kavim handles data, access, and disclosure. Last updated May 2026.

1 — Data we collect

Kavim collects the minimum data required to operate the platform and deliver structured intelligence outputs to authenticated users.

Account data

Name, email address, authentication identifiers

Usage data

Page views, feature interactions, session duration

Compliance documents

Stored per-user, encrypted at rest, not shared

Payment data

Processed by Stripe. Kavim stores no card data.

Market data

Derived from public auction records. No personal data.

Analytics

Aggregate, anonymised. No third-party ad tracking.

2 — Access controls

Access to Kavim is gated by role. Authentication is handled via OAuth with signed session tokens. All protected procedures require a valid session; there is no client-side access gating.

Authentication

OAuth 2.0 with signed JWT session cookies

Session expiry

Sessions expire on inactivity and on logout

Role enforcement

Server-side only. Frontend renders UX; backend enforces access.

Admin access

Restricted to designated accounts. No self-serve elevation.

Pilot access

Granted manually after review. Time-limited by default.

3 — Data storage and transit

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Compliance documents are stored per-user and are not accessible to other users or to Kavim staff outside of support contexts.

Transit encryption

TLS 1.2+ on all endpoints

Storage encryption

AES-256 at rest

Database

Managed cloud database with automated backups

File storage

S3-compatible object storage, non-enumerable keys

Data residency

EU-based infrastructure where available

4 — Third-party services

Kavim uses a limited set of third-party services. No personal data is shared with advertising networks, data brokers, or analytics platforms beyond what is listed below.

Stripe

Payment processing. Subject to Stripe's privacy policy.

Resend

Transactional email delivery. Email addresses only.

Manus

Authentication infrastructure and platform hosting.

5 — Responsible disclosure

If you identify a security vulnerability in the Kavim platform, please report it to us before public disclosure. We commit to acknowledging reports within 48 hours and to providing a resolution timeline within 7 business days for confirmed vulnerabilities.

Security reports: [email protected]. Please include a description of the vulnerability, steps to reproduce, and any relevant technical details. We do not operate a bug bounty programme at this time.

6 — Privacy and data requests

To request access to, correction of, or deletion of personal data held by Kavim, contact [email protected]. We will respond within 30 days. Users in the European Economic Area have additional rights under GDPR.