Security Overview
At Kamili Labs LLC, security is a foundational principle, not an afterthought. Kamili Calendar is designed from the ground up with your data protection in mind. We use industry-standard encryption, rigorous access controls, and regular security audits to ensure your calendar data remains safe.
Encryption
Encryption in Transit: All data transmitted between your device and our servers uses Transport Layer Security (TLS) version 1.2 or later. We enforce HTTPS on all endpoints with HTTP Strict Transport Security (HSTS) headers.
Encryption at Rest: All stored data, including calendar events, personal information, and connected account tokens, is encrypted using AES-256 encryption.
OAuth Token Encryption: Tokens from connected services (Google, Microsoft, etc.) are encrypted before storage. Your third-party passwords are never stored or transmitted through our systems.
Database Encryption: Our database infrastructure uses transparent data encryption, ensuring data is protected even at the hardware layer.
Access Controls
Principle of Least Privilege: Internal access to user data is restricted to personnel who require it to perform their job functions. Access is logged and reviewed regularly.
Multi-Factor Authentication: All internal team members with access to production systems are required to use MFA. We also support MFA for user accounts.
Role-Based Permissions: Our team calendar features use role-based access control (RBAC) so that data is only accessible by authorized team members.
OAuth Scopes: We request only the minimum OAuth scopes necessary for each integration. For calendar sync, we request only calendar read/write access — not access to emails, files, or other data.
Infrastructure Security
Cloud Infrastructure: Kamili Calendar is hosted on enterprise-grade cloud infrastructure with physical security, redundant power, and network isolation.
Network Security: We use firewalls, intrusion detection, and DDoS mitigation to protect our infrastructure from network-level attacks.
Vulnerability Management: We conduct regular vulnerability scans and penetration testing. Critical vulnerabilities are patched within 24 hours of discovery.
Dependency Management: All software dependencies are regularly reviewed and updated. We use automated scanning to detect known vulnerabilities in our dependency tree.
Compliance & Standards
GDPR Compliance: We are fully compliant with the General Data Protection Regulation (GDPR) for EU/EEA users. See our GDPR page for details on data subject rights.
CCPA Compliance: California residents have rights under the California Consumer Privacy Act (CCPA). We do not sell personal information.
SOC 2 Design: Our systems and processes are designed to meet SOC 2 Type II standards for security, availability, and confidentiality.
Google API Policy: Our use of Google Calendar API complies with Google's API Services User Data Policy, including limited use requirements.
Data Handling Practices
Minimal Data Collection: We collect only the data necessary to provide and improve the Service. We do not collect data "just in case" — every data point we collect has a specific purpose.
No Advertising: We do not use your calendar data for advertising or share it with advertising networks. Your scheduling data is your own.
Data Retention Limits: Data is retained only as long as necessary. Account data is deleted within 90 days of account closure. Anonymized analytics data may be retained longer.
Backup Security: All backups are encrypted and tested regularly. Backup access requires the same security controls as production systems.
Incident Response
We maintain an incident response plan to handle security events promptly and transparently. In the event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the incident, in accordance with GDPR requirements. Notifications will include the nature of the breach, the data affected, and steps we are taking to address it.
Responsible Disclosure
We take security reports seriously and encourage responsible disclosure. If you discover a potential security vulnerability in Kamili Calendar, please report it to us at security@kamililabsllc.com. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it. We aim to respond to all security reports within 48 hours.