Last Updated: April 1, 2026

Security Practices

At Kamili Labs, security is foundational — not an afterthought. Here is how we protect your data in Kamili CRM.

1. Encryption

  • In transit: All connections use TLS 1.2+ (HTTPS). API requests, webhooks, and email transmissions are encrypted.
  • At rest: Database storage is encrypted using AES-256. Backups are encrypted before storage.
  • Secrets management: API keys, tokens, and credentials are stored in encrypted environment variables, never in source code.

2. Authentication Security

  • Password hashing: Passwords are hashed with bcrypt, which applies a per-password salt and a configurable cost factor (salt rounds); passwords are never stored in plain text
  • JWT tokens: Short-lived access tokens (15 min) paired with refresh token rotation (7-day refresh token lifetime)
  • Two-factor authentication: Optional TOTP-based 2FA via Google Authenticator, Authy, or compatible apps
  • OAuth: Google and Microsoft sign-in via industry-standard OAuth 2.0
  • SSO/SAML: Available for Enterprise customers for centralized identity management
  • Session management: Active session listing, remote session revocation

3. Infrastructure Security

  • Hosting: Deployed on Vercel (frontend) and Railway/Fly.io (backend) with automatic scaling and DDoS protection
  • Database: Managed PostgreSQL on Supabase with automated backups, point-in-time recovery, and row-level security
  • Access control: Strict least-privilege access to infrastructure. Multi-factor authentication required for all team access.
  • Multi-tenancy: Row-level security ensures complete data isolation between organizations. No cross-tenant data leakage is possible at the database level.
  • Rate limiting: API rate limiting by tier via Redis to prevent abuse
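The multi-tenancy bullet above relies on PostgreSQL row-level security. The following is an added illustration of how such per-organization isolation is typically configured; it is not Kamili's own schema or code, and it assumes a hypothetical `contacts` table with an `organization_id` column and an application that sets the session variable `app.current_org` after validating the caller's token.

```sql
-- Added example (not Kamili's code): per-organization row-level security.
-- Assumed table: contacts(organization_id) and a session variable
-- app.current_org set by the application for each request.
CREATE TABLE contacts (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    email           text NOT NULL
);

-- Enable RLS and apply it even to the table owner, so a missing policy
-- denies access rather than silently allowing it.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- The application connects as a low-privilege role that cannot bypass RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;

-- A row is readable and writable only when its organization_id matches the
-- tenant set for this session. NULLIF guards the empty-string case; an unset
-- variable yields NULL, and NULL never compares equal, so no rows match.
CREATE POLICY tenant_isolation ON contacts
    FOR ALL TO app_user
    USING (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per request: set the tenant inside the transaction with SET LOCAL so the
-- value cannot leak into a pooled connection later reused by another tenant.
SET ROLE app_user;
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, email FROM contacts;   -- returns only this organization's rows
COMMIT;

-- Check the fail-closed behaviour: with no tenant set, the same query
-- returns zero rows instead of every tenant's data.
BEGIN;
SELECT count(*) FROM contacts;    -- 0 under app_user when app.current_org is unset
COMMIT;
```

A useful verification for any RLS-based isolation claim is to run `SELECT count(*)` as the application role with the tenant variable unset and with a different tenant's id, and confirm both return nothing from the other organization.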

4. Incident Response

  • Documented incident response procedures with severity classification (SEV-0 through SEV-3)
  • Monitoring and alerting for anomalous access patterns and system errors
  • GDPR-compliant breach notification within 72 hours to affected users and authorities
  • Post-incident review and remediation for all security events
  • Regular backup testing with 1-hour RPO and 4-hour RTO targets

5. Responsible Disclosure

If you discover a security vulnerability in Kamili CRM, please report it responsibly:

  • Email: security@kamililabsllc.com
  • Include a detailed description of the vulnerability and steps to reproduce
  • Allow us reasonable time to investigate and patch before public disclosure
  • Do not access, modify, or delete data belonging to other users

We appreciate security researchers who help us keep Kamili CRM safe and will acknowledge valid reports.

Questions?

For security-related questions, contact security@kamililabsllc.com. For general inquiries, reach us at support@kamililabsllc.com.