Kikashi Security Overview

Last Updated: November 26, 2025

This document provides a high-level summary of Kikashi's security practices for customers, prospects, and auditors. If you have questions, contact us at legal@kikashi.io.

1. Company & Service Overview

Kikashi is a cloud-based SaaS platform that helps teams organize work using Kanban-style boards, automate workflows, and collaborate on projects. Kikashi is designed for business use and processes data provided by our customers and their authorized users.

Core Security Goals

  • Protect the confidentiality, integrity, and availability of customer data
  • Provide transparent, auditable security controls
  • Align with industry best practices and frameworks such as SOC 2

2. Security Program & Governance

Kikashi maintains a formal information security program overseen by the CTO.

Key Elements

  • Documented Information Security Policy and supporting procedures
  • Regular risk assessments to identify and treat security risks
  • Defined roles and responsibilities for security and privacy
  • Management review of security posture at least annually and after major changes

Security is embedded in product, engineering, and operational processes, not treated as an afterthought.

3. Data Protection & Privacy

3.1 Data Types

Kikashi may process the following categories of data; which categories are actually present depends on each customer's configuration and use of the product:

  • Account data: names, emails, usernames, avatars, and profile details of users
  • Application data: boards, lists, cards, checklists, attachments, comments, labels, custom fields, and automation rules
  • Metadata: action history, system events, and configuration details

Kikashi does not intentionally collect special categories of data (e.g., health, financial, or biometric data) unless explicitly agreed with a customer.

3.2 Data Location & Hosting

  • Hosted on Supabase (managed PostgreSQL on AWS) in the us-east-1 (Northern Virginia) region, with Google Cloud Storage for file attachments; customer data, including attachments, is therefore stored in the United States, which customers with data residency requirements should take into account
  • All production systems are deployed in hardened, managed cloud environments
  • No on-premise infrastructure is used for production services

3.3 Encryption

  • In transit: All connections to Kikashi are protected using TLS 1.2+
  • At rest: Customer data stored in databases, file/object storage, and backups is encrypted at rest using AES-256, which is also the default at-rest encryption for the AWS and Google Cloud storage services in use
  • Key management: Encryption keys are provider-managed through the respective cloud key management service (AWS KMS, Google Cloud KMS), with strict access controls and logging of key usage
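The "TLS 1.2+" statement above is one a customer or auditor can verify from the outside. The following script is an added example and is not Kikashi's own code or tooling: it pins a handshake to each TLS version in turn and reports whether the server behaves as a "TLS 1.2 or newer only" policy requires (TLS 1.0 and 1.1 refused, TLS 1.2 and 1.3 accepted). The hostname is a placeholder assumption; Kikashi does not publish its application hostname in this document.

```python
"""Probe a TLS endpoint one protocol version at a time and compare the
result with a "TLS 1.2 or newer only" policy.

Added example, not code from Kikashi. HOST is a placeholder assumption;
replace it with the endpoint you are auditing.
"""
import socket
import ssl

HOST = "app.example.com"   # placeholder, not a Kikashi hostname
PORT = 443

# Policy: True means a handshake pinned to exactly this version must
# succeed; False means the server must refuse it.
POLICY = {
    ssl.TLSVersion.TLSv1: False,
    ssl.TLSVersion.TLSv1_1: False,
    ssl.TLSVersion.TLSv1_2: True,
    ssl.TLSVersion.TLSv1_3: True,
}

UNSUPPORTED = "unsupported by local OpenSSL"


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake restricted to a single TLS version.

    Returns (negotiated_version, cipher_name) on success, or
    (None, detail) when the handshake failed or the local OpenSSL
    build cannot speak that version at all.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:
        return None, f"{UNSUPPORTED}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def evaluate(results, policy=POLICY):
    """Compare probe results with the policy.

    results maps TLSVersion -> (negotiated_version_or_None, detail).
    Returns (violations, inconclusive): violations lists versions whose
    outcome contradicts the policy; inconclusive lists versions that
    should be refused but could not be probed from this machine, so no
    conclusion can be drawn about them.
    """
    violations, inconclusive = [], []
    for version, must_succeed in policy.items():
        negotiated, detail = results.get(version, (None, "not probed"))
        accepted = negotiated is not None
        if must_succeed and not accepted:
            violations.append(f"{version.name} was refused: {detail}")
        elif not must_succeed and accepted:
            violations.append(f"{version.name} was accepted as {negotiated} ({detail})")
        elif not must_succeed and detail.startswith(UNSUPPORTED):
            inconclusive.append(f"{version.name} could not be probed: {detail}")
    return violations, inconclusive


def audit(host=HOST, port=PORT):
    """Probe every version in the policy and evaluate the outcome."""
    results = {v: probe_version(host, port, v) for v in POLICY}
    return results, evaluate(results)


if __name__ == "__main__":
    results, (violations, inconclusive) = audit()
    for version, (negotiated, detail) in results.items():
        outcome = f"accepted as {negotiated} with {detail}" if negotiated else f"refused ({detail})"
        print(f"{version.name:8s} {outcome}")
    for line in inconclusive:
        print("INCONCLUSIVE:", line)
    print("PASS: TLS 1.2+ only" if not violations else "FAIL:\n  " + "\n  ".join(violations))
```

A refusal of TLS 1.0 or 1.1 that comes from the local OpenSSL build rather than from the server is reported separately as inconclusive, so a clean PASS on an old client does not silently hide a server that would still accept those versions; rerun from a host whose OpenSSL can negotiate them if that matters for the audit.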

3.4 Access Control & Authentication

  • Least privilege: Access to production systems and customer data is restricted to authorized personnel with a documented business need
  • Role-based access control: Application roles restrict what users can view and modify
  • Admin access: Elevated internal access is tightly limited, logged, and periodically reviewed
  • Multi-factor authentication (MFA): Enforced for internal admin accounts and production infrastructure access
  • Optional SSO integration: Available with customer identity providers (e.g., Okta, Google Workspace, Azure AD, now Microsoft Entra ID) where supported by the product

4. Application & Infrastructure Security

4.1 Secure Development Lifecycle

Kikashi follows a lightweight but structured secure development lifecycle (SDLC):

  • Code reviews for all changes to production code
  • Use of source control (e.g., Git) with protected branches
  • Automated CI/CD pipelines for build, test, and deployment
  • Dependency scanning for known vulnerabilities in third-party libraries
  • Separation of development, staging, and production environments

4.2 Infrastructure & Network Security

  • All production systems run in isolated virtual private cloud (VPC) networks
  • Security groups / firewall rules restrict network access to required ports and services
  • Access to production infrastructure uses strong authentication, MFA, and is limited to a small number of engineers
  • Configuration is managed using infrastructure-as-code where possible to ensure consistency and auditable changes

5. Logging, Monitoring & Alerting

Kikashi maintains centralized logging and monitoring across the platform:

  • Application and infrastructure logs aggregated into central log storage
  • Monitoring for availability, performance, and error rates
  • Alerts for critical conditions (e.g., service degradation, unusual errors) routed to the on-call team
  • Logs are retained for at least 30 days for troubleshooting and security investigations

6. Vulnerability Management & Testing

  • Regular vulnerability scanning of infrastructure and key services
  • Prioritization and remediation of vulnerabilities based on risk and severity
  • Dependency and container image scanning as part of CI/CD (where applicable)
  • Periodic penetration testing by independent security firms
  • A documented process for tracking and closing security issues

7. Business Continuity & Disaster Recovery

Kikashi is designed for high availability and resilience:

  • Use of managed database services with automatic backups
  • Automated daily backups of critical data, stored in encrypted form
  • Backups are tested periodically via restore exercises
  • Redundancy across multiple availability zones within the primary region (where supported by the cloud provider)
  • Documented Disaster Recovery (DR) procedures

Recovery objectives:

  • RPO (Recovery Point Objective): ≤ 24 hours
  • RTO (Recovery Time Objective): ≤ 24 hours

8. Incident Response

Kikashi maintains an Incident Response Plan that defines:

  • Criteria for classifying security incidents
  • Incident response roles and responsibilities
  • Steps for detection, containment, eradication, and recovery
  • Post-incident review and remediation of root causes
  • Customer notification procedures in line with legal and contractual requirements

Security incidents that affect customer data or service availability are treated with the highest priority.

9. Vendor & Subprocessor Management

Kikashi uses third-party service providers (subprocessors) to deliver the service (e.g., hosting, analytics, email delivery).

  • All critical vendors are vetted for security and compliance (e.g., SOC 2, ISO 27001)
  • A vendor inventory and risk assessment is maintained and reviewed periodically
  • Data processing terms are included in contracts with subprocessors

A current list of subprocessors can be provided upon request.

10. Customer Responsibilities

Security is a shared responsibility between Kikashi and its customers. Customers are responsible for:

  • Managing user accounts and permissions within their organization
  • Protecting authentication credentials and enforcing internal policies (e.g., MFA, SSO)
  • Configuring integrations and data flows according to their risk appetite
  • Complying with applicable laws and regulations in their use of Kikashi

Kikashi is committed to working collaboratively with customers to support their security and compliance needs.

11. Contact Us

Wolfe Collective, LLC
Owner: Matthew Wolfe, CTO
Email: legal@kikashi.io

For questions about our security practices, please reach out using the contact information above.