Security — Kaer

isolation

Hardware-virtualized microVMs.

Every Operator task runs in its own Firecracker microVM — separate kernel, separate root filesystem, separate network namespace. A misbehaving sub-task can't see your host or any other tenant's data.

KVM-backed; the same primitive AWS Lambda runs on.
No host filesystem visibility from inside a task.
Default-deny network with per-task egress allowlists.

data

Your data, encrypted at every hop.

TLS 1.3 in transit, AES-256-GCM at rest with per-tenant keys derived via HKDF. Customer secrets sit in a salted vault — they're decrypted only inside the microVM that needs them.

Per-user secret vault, salt-bound to user ID.
Per-task ephemeral credential derivation.
Region-pinned deploys for residency requirements.

auth

Identity that maps to your IdP.

SSO via SAML, OIDC, or SCIM provisioning. Magic-link or OTP for individual tenants. Sessions are HttpOnly + Secure + SameSite-Lax JWTs scoped to the .kaer.ai cookie domain.

SAML 2.0, OIDC, SCIM provisioning.
Per-task action audit log, exportable for compliance.
Granular role-based controls; service-account API keys.

compliance

SOC 2 Type II, in flight.

Currently undergoing the SOC 2 Type II audit. GDPR-compliant by construction (data residency, right-to-erasure, processor agreements available). DPA on request, subprocessor list public.

SOC 2 Type II audit in progress.
GDPR + UK-GDPR compliant.
Customer DPA + subprocessor list available.

isolation

Hardware-virtualized microVMs.

KVM-backed; the same primitive AWS Lambda runs on.
No host filesystem visibility from inside a task.
Default-deny network with per-task egress allowlists.

data

Your data, encrypted at every hop.

TLS 1.3 in transit, AES-256-GCM at rest with per-tenant keys derived via HKDF. Customer secrets sit in a salted vault — they're decrypted only inside the microVM that needs them.

Per-user secret vault, salt-bound to user ID.
Per-task ephemeral credential derivation.
Region-pinned deploys for residency requirements.

auth

Identity that maps to your IdP.

SSO via SAML, OIDC, or SCIM provisioning. Magic-link or OTP for individual tenants. Sessions are HttpOnly + Secure + SameSite-Lax JWTs scoped to the .kaer.ai cookie domain.

SAML 2.0, OIDC, SCIM provisioning.
Per-task action audit log, exportable for compliance.
Granular role-based controls; service-account API keys.

compliance

SOC 2 Type II, in flight.

Currently undergoing the SOC 2 Type II audit. GDPR-compliant by construction (data residency, right-to-erasure, processor agreements available). DPA on request, subprocessor list public.

SOC 2 Type II audit in progress.
GDPR + UK-GDPR compliant.
Customer DPA + subprocessor list available.

Built for trust.
Verified end-to-end.

Hardware-virtualized microVMs.

Your data, encrypted at every hop.

Identity that maps to your IdP.

SOC 2 Type II, in flight.

Have questions? We'll answer them.

Built for trust.
Verified end-to-end.

Hardware-virtualized microVMs.

Your data, encrypted at every hop.

Identity that maps to your IdP.

SOC 2 Type II, in flight.

Have questions? We'll answer them.

Built for trust.Verified end-to-end.

Hardware-virtualized microVMs.

Your data, encrypted at every hop.

Identity that maps to your IdP.

SOC 2 Type II, in flight.

Have questions? We'll answer them.

Built for trust.Verified end-to-end.

Hardware-virtualized microVMs.

Your data, encrypted at every hop.

Identity that maps to your IdP.

SOC 2 Type II, in flight.

Have questions? We'll answer them.

Built for trust.
Verified end-to-end.

Built for trust.
Verified end-to-end.