Konversation is committed to protecting the confidentiality, integrity, and availability of customer data. This Security Policy summarises the technical and organisational measures we maintain to secure the Services. It supports our Privacy Policy and Data Processing Agreement.
1. Security Program Overview
We operate an information-security program designed to protect customer data against unauthorised access, disclosure, alteration, and destruction. The program is aligned with recognised industry frameworks, supported by an independent SOC 2 Type II examination, and operated in compliance with the EU and UK GDPR. It is reviewed periodically and updated as the threat landscape and our Services evolve. Security is a shared responsibility: we secure the platform, and customers are responsible for securing their own credentials, configurations, and connected systems.
2. Access Control
We enforce the principle of least privilege. Access to production systems and customer data is restricted to authorised personnel based on role and business need, is granted through documented processes, and is reviewed periodically. Access is revoked promptly upon role change or termination. Administrative actions are logged.
3. Authentication
We require strong authentication for access to internal systems, including multi-factor authentication for privileged accounts. Passwords are stored using industry-standard salted hashing. We support secure authentication options for customer accounts and encourage customers to enable multi-factor authentication and to use strong, unique credentials.
4. Encryption
Data is encrypted in transit using TLS and at rest using strong, industry-standard algorithms such as AES-256. Encryption keys are managed using secure key-management practices with restricted access. We continually review our cryptographic standards to keep pace with best practice.
5. Infrastructure Security
The Services are hosted on reputable cloud infrastructure providers that maintain robust physical and environmental controls and recognised certifications. Our infrastructure measures include:
- network segmentation and firewalls;
- protection against distributed denial-of-service (DDoS) attacks;
- hardened configurations and regular patching;
- isolation between environments; and
- secure software-development practices and code review.
6. Monitoring
We monitor our systems and networks for anomalous and malicious activity using logging, alerting, and automated detection. Security-relevant events are recorded and retained to support investigation and response. Monitoring is designed to enable timely detection of potential security incidents.
7. Backups
We maintain regular backups of critical data to support recovery in the event of a failure or incident. Backups are encrypted, access-controlled, and periodically tested for restorability. Our business-continuity and disaster-recovery practices are designed to restore service and data within appropriate timeframes.
8. Vulnerability Management
We operate a vulnerability-management process that includes regular scanning, timely patching, and remediation prioritised by risk. We conduct periodic security testing, including penetration testing by qualified parties, and remediate identified issues according to their severity.
9. Incident Response
We maintain a documented incident-response plan covering identification, containment, eradication, recovery, and post-incident review. In the event of a personal-data breach, we will notify affected customers without undue delay in accordance with our Data Processing Agreement and applicable law, and provide information to support customers' own notification obligations.
10. Security Reporting
We welcome reports from the security community. If you believe you have discovered a security vulnerability or have a security concern, please report it responsibly to team@konversation.io with sufficient detail to reproduce and assess the issue. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate, and that you avoid accessing or modifying data that is not your own.
11. Employee Access Restrictions
Personnel access to customer data is limited to what is necessary to perform their roles, such as providing support or maintaining the Services. Personnel are subject to confidentiality obligations, receive security-awareness training, and are subject to background checks where permitted by law. Access is monitored and revoked when no longer required.
This Policy was last updated on June 15, 2026.
Questions about this document?
If you have questions about this document, or wish to exercise any rights described above, contact us at team@konversation.io or by post at Unit A10 509 Bizspace Business Park Kings Road, Birmingham, Tyseley, England, B11 2AL, United Kingdom.
