Security
Last reviewed: May 2026
Security is a core part of how we build KlyoChat. This page describes our security practices and how to report vulnerabilities responsibly.
- TLS 1.3 in transit, AES-256 at rest. All data encrypted end-to-end.
- Hosted on AWS with SOC 2 Type II certified data centers. Multi-AZ deployment.
- Role-based access control, MFA enforcement for admin accounts, principle of least privilege.
- Regular penetration testing, automated dependency scanning, security code reviews.
Responsible disclosure
If you discover a security vulnerability in KlyoChat, please report it responsibly. Do not exploit the vulnerability or share it publicly before we have had a chance to address it.
To report a vulnerability:
- Email security@klyochat.com with a description of the issue
- Include steps to reproduce, potential impact, and any proof-of-concept
- We will acknowledge receipt within 24 hours and aim to patch critical issues within 7 days
- We will credit responsible disclosures (with your permission)
What's in scope
- klyochat.com and app.klyochat.com
- KlyoChat API (api.klyochat.com)
- Mobile applications (iOS and Android)
Out of scope
- Third-party services we don't control
- Social engineering attacks on employees
- Physical attacks on our infrastructure
- Denial of service attacks
Compliance
- GDPR: Compliant for EU customers. See our Data Processing Agreement.
- CCPA: Compliant for California residents. See our Privacy Policy.
- SOC 2: Report available for enterprise customers under NDA.
Contact
Security issues: security@klyochat.com
General inquiries: hello@klyochat.com