We treat security as a shipping requirement, not a checklist. This page documents the controls in place today and how to reach us if something doesn’t look right.
Data in transit
- TLS 1.2+ enforced at the edge for both
api.kunavo.comandkunavo.com. - HSTS enabled with a 12-month max-age.
- OAuth callbacks pinned to verified redirect URIs; magic-link tokens single-use and short-lived.
Data at rest
- Account, billing and usage data stored in Fly Postgres with multi-region encrypted backups.
- API keys stored as one-way hashes; the plaintext is shown only at creation.
- User uploads served from a neutral, dedicated bucket (
files.kunavo.com) using credentials scoped to that bucket only.
Access controls
- Principle of least privilege: production access limited to a small list of authorized engineers.
- Two-factor authentication required on every infrastructure provider.
- Audit logs retained for administrative actions in the admin console.
Reliability
- Multi-vendor hot failover for upstream models — see the homepage and Terms for limitations.
- Status page at kunavo.com/status.
- Per-dispatcher TTFB and disconnect-rate monitoring; user-visible incidents are post-mortemed in /changelog.
Responsible disclosure
If you believe you’ve found a security vulnerability, please email security@kunavo.com with steps to reproduce. We acknowledge reports within 48 hours and do not pursue good-faith researchers.