Last updated 28 June 2026
This Security Policy is a version 1 document and is pending final legal and security review. It describes our current security posture and may be updated as our program matures.
Kapalins Pty Ltd builds AI security and governance software, and we hold our own platform to the standards we ask our customers to meet. This Security Policy summarises the technical and organisational controls we use to protect our platform and the data entrusted to us. It is written to be accurate about what we do today, and honest about the parts of our program that are still maturing.
Our platform and supporting systems run on Google Cloud Platform, primarily in the Australian (Sydney, australia-southeast1) region. Per-tenant data residency in other regions is on our roadmap. We rely on Google Cloud's underlying physical, network and infrastructure security controls, and we operate our own application-layer controls on top of them.
All traffic to and within our services is encrypted in transit using TLS 1.3. Data at rest is protected by the encryption provided by our cloud platform.
Customer environments are logically isolated from one another using row-level scoping and per-tenant separation, so that one tenant cannot access another tenant's data. Isolation is enforced consistently across the application and data layers.
We apply least-privilege identity and access management (IAM) across our infrastructure and services. Privileged operator access is restricted and subject to four-eyes controls, so that sensitive operations require a second authorised person. User authentication is provided through Google Identity Platform.
We maintain full audit logging of activity across the platform and monitor for anomalous or unauthorised behaviour. Our AI gateway inspects model traffic to enforce policy and to detect misuse in line with the protections we provide to customers.
We maintain a documented incident-response process and a Notifiable Data Breach process. If a data breach occurs that is likely to result in serious harm, we will assess it and, where required, notify affected parties and the relevant regulator in accordance with the Notifiable Data Breaches scheme under the Australian Privacy Act and any other applicable law.
Independent third-party penetration testing is conducted as part of go-live. We are also building towards formal independent assurance: SOC 2 and ISO/IEC 27001 are part of our roadmap and are in progress. We do not currently hold these certifications, and we will not represent that we do until they are formally awarded.
We welcome reports from security researchers and operate a coordinated vulnerability-disclosure channel. If you believe you have found a security vulnerability in our website or platform, please email [email protected] with enough detail for us to reproduce the issue. Please act in good faith, avoid accessing or modifying data that is not yours, and give us a reasonable opportunity to investigate and remediate before any public disclosure. We will acknowledge legitimate reports and work with you on a resolution.
For security questions or to report a vulnerability, contact [email protected]. For privacy matters, see our Privacy Policy or contact [email protected].
Kapalins Pty Ltd — Australia.