Security, by default.
We connect to the systems running your plant, so earning your security team's trust is the product. Here is how your data is isolated, encrypted, governed, and retained — in plain terms.
We operate to SOC 2 Type II and ISO 27001 control frameworks and are GDPR-aligned. Current audit reports and certification status are shared under NDA during security review — request a brief below.
Tenant isolation
KaizenFlow is multi-tenant with strict logical isolation. Every database query is scoped by tenant ID, so one organization’s manufacturing data is never reachable by another. Isolation boundaries are verified through regular security review.
Encryption
Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Connector credentials (MES, SCADA, ERP, historian) are encrypted with Fernet symmetric encryption and never logged in plaintext.
Authentication & access control
We use JWT-based authentication with configurable token lifetimes, role-based access control across four roles (Admin, Manager, Engineer, Viewer), and rate limiting on sensitive endpoints. Every recommendation and action is attributable and audit-logged.
Data ownership & retention
Your data is yours. Manufacturing metrics are retained per your organization settings (default 12 months) and audit logs for 24 months. On termination, all data is permanently deleted within 30 days following a data-export window.
AI subprocessors
AI analysis uses vetted model providers (OpenAI, Anthropic) under contractual data-protection obligations. We do not sell your data or use it to train third-party models. AI output is advisory — final decisions remain with your team. The full subprocessor list is in our Privacy Policy.
Reliability & availability
We target 99.9% uptime and connect on top of your existing stack — no rip-and-replace, no single point of failure introduced into your line. Enterprise deployments support data-residency requirements and private VPC isolation.
Responsible disclosure
If you believe you have found a security vulnerability, email [email protected]. We acknowledge reports promptly, investigate every submission, and will not pursue good-faith researchers who follow coordinated disclosure.
Request a security brief.
Architecture diagrams, the subprocessor list, data-flow documentation, and current audit status — sent to your security and procurement teams.