
Security & Compliance

Kaanha AI is designed with security-first principles across authentication, data storage, transmission, and access control. This page describes the controls that protect your account and your customers’ data.

Authentication & Access Control

Login Security

  • Email + password — primary sign-in method on all plans
  • Password policy: minimum 8 characters, must include uppercase, lowercase, and a digit
  • Account lockout: 5 consecutive failed login attempts trigger a 30-minute lock
  • Session lifetime: 24-hour absolute maximum — sessions expire automatically
  • Sessions are invalidated immediately when you change your password

Multi-Factor Authentication (MFA)

MFA uses TOTP (Time-based One-Time Passwords) — compatible with Google Authenticator, Authy, and 1Password. Enable MFA:
  1. Go to Profile → Security
  2. Click Enable 2-Factor Authentication
  3. Scan the QR code with your authenticator app
  4. Enter the 6-digit code to confirm
  5. Save your backup codes in a secure location
Backup codes: 10 single-use codes are generated at setup. Use one to regain access if you lose your authenticator, then reconfigure MFA immediately.
We strongly recommend all team members enable MFA, especially OWNER and ADMIN roles.

Data Encryption

Credentials at Rest

All third-party API credentials and tokens your organisation stores in Kaanha AI (WhatsApp, payment gateways, Slack, Twilio, Instagram, CRM keys) are encrypted at rest using AES-256-GCM before being written to the database.
  • Encryption keys are never stored alongside the data they protect
  • Key rotation is supported without downtime — the platform uses versioned ciphertext so old credentials remain readable during a rotation window, then the old key is removed
  • Plaintext credential values are never returned in API responses — they are masked

Passwords

User passwords are hashed using bcrypt with a strong work factor. Plaintext passwords are never stored or logged anywhere in the system.

Tokens

Password reset tokens and email verification tokens are stored as SHA-256 hashes — the raw token is sent only in the email link and is never retrievable after generation.

Data in Transit

All traffic between your browser, the Kaanha AI platform, and the Meta Cloud API is encrypted via TLS 1.2+. The platform enforces HTTPS with HTTP Strict Transport Security (HSTS).

GDPR Compliance

Kaanha AI provides the tools you need to meet your GDPR obligations as a data controller.

Data Export (Right of Access / Portability)

Download a complete copy of your organisation’s data at any time:
  1. Go to Profile → Privacy & Data
  2. Click Export My Data
  3. A ZIP file downloads immediately containing:
    • All contacts and their attributes
    • All messages and conversations
    • AI conversation logs
    • Billing history and invoices
    • Your organisation’s audit log

Account Deletion (Right to Erasure)

  1. Go to Profile → Privacy & Data → Delete Account
  2. Re-enter your password to confirm
  3. Click Permanently Delete
This triggers a cascading hard delete — your organisation, all users, contacts, conversations, messages, AI agents, flows, templates, and billing records are permanently removed.
⚠️ This action cannot be undone. Export your data first if you need a copy.

Data Retention

  • Messages and conversations: 90 days by default (configurable per organisation)
  • Media files: 30 days by default
  • Audit logs: 365 days (fixed — required for security monitoring)

Sub-processors

Kaanha AI uses the following sub-processors to deliver the service:
Sub-processor | Purpose | Region
Meta (WhatsApp Cloud API) | Message delivery | Global
Railway | Infrastructure hosting, database | US
Twilio | Voice AI, SMS channel | US
OpenAI | AI chatbot responses (if configured) | US
Anthropic | AI chatbot responses (if configured) | US
Razorpay | Payment processing (INR) | India
Stripe | Payment processing (USD) | US
A Data Processing Agreement (DPA) is available for organisations that require one. Contact support@kaanha.ai.

WhatsApp Compliance

Opt-In Enforcement

Kaanha AI enforces Meta’s opt-in policy at the API layer. Every outbound message — across all 13 supported message types — is blocked if the contact has not explicitly opted in. This check cannot be bypassed through the dashboard or the API.
Opt-In Sources:
Source | How it works
Manual | An agent marks the contact as opted in from the Contacts page
Inbound | Contact messages you first — automatic opt-in
CSV Import | Opt-in flag included in the import file
API | POST /api/contacts with "optedIn": true

Opt-Out Handling

When a contact replies with any of these keywords, they are immediately and automatically opted out — no further messages are sent and they receive a confirmation: STOP · UNSUBSCRIBE · CANCEL · QUIT · END · BLOCK
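The two rules above (no outbound message without an explicit opt-in, and keyword opt-out on any inbound reply) reduce to one chokepoint on the send path plus an inbound handler. The following is an added example of both, covering the four opt-in sources in the table as well as the opt-out keywords; it is not Kaanha AI's code. The in-memory contact store, the source identifiers, the confirmation wording, and matching a reply as a whole trimmed case-insensitive word are assumptions.

```javascript
// Added illustration (not Kaanha AI's code): an outbound gate that refuses any
// message to a contact without an explicit opt-in, the four opt-in sources from
// the table, and keyword opt-out on inbound replies. Store layout, source names
// and whole-word keyword matching are assumptions.
const OPT_OUT_KEYWORDS = new Set(['STOP', 'UNSUBSCRIBE', 'CANCEL', 'QUIT', 'END', 'BLOCK']);
const OPT_IN_SOURCES = new Set(['manual', 'inbound', 'csv_import', 'api']);

const contacts = new Map();   // phone -> contact record (in-memory stand-in for the database)

function getContact(phone) {
  if (!contacts.has(phone)) contacts.set(phone, { phone, optedIn: false, optInSource: null, optInAt: null, optedOutAt: null });
  return contacts.get(phone);
}

// Manual, CSV import and API opt-ins all land here; the source is recorded for audit.
function recordOptIn(phone, source, now = Date.now()) {
  if (!OPT_IN_SOURCES.has(source)) throw new Error('unknown opt-in source: ' + source);
  const c = getContact(phone);
  c.optedIn = true; c.optInSource = source; c.optInAt = now; c.optedOutAt = null;
  return c;
}

function recordOptOut(phone, now = Date.now()) {
  const c = getContact(phone);
  c.optedIn = false; c.optedOutAt = now;
  return c;
}

// Inbound handler: an opt-out keyword wins; otherwise a message from a contact
// who is not opted in counts as an opt-in (the page does not say whether this
// also re-opts a previously opted-out contact; this version does).
function handleInbound(phone, text, now = Date.now()) {
  const word = text.trim().toUpperCase();
  if (OPT_OUT_KEYWORDS.has(word)) {
    recordOptOut(phone, now);
    // The confirmation is the one message still sent after an opt-out.
    return { action: 'opted_out', reply: 'You have been unsubscribed and will receive no further messages.' };
  }
  if (!getContact(phone).optedIn) recordOptIn(phone, 'inbound', now);
  return { action: 'received', optedIn: true };
}

// The single chokepoint for every outbound send, regardless of message type or caller.
function sendMessage(phone, type, body, transport) {
  const c = contacts.get(phone);
  if (!c || !c.optedIn) return { sent: false, reason: 'no_opt_in', type };
  transport({ to: phone, type, body });
  return { sent: true, type };
}

// Stand-alone demo with a constructed number and a transport that just logs
const log = [];
const transport = m => log.push(m);
console.log(sendMessage('+15550100', 'MARKETING', 'Sale today', transport));   // blocked: no opt-in
console.log(handleInbound('+15550100', 'Hi, do you deliver?'));                 // inbound opt-in
console.log(sendMessage('+15550100', 'UTILITY', 'Yes, we do', transport));     // sent
console.log(handleInbound('+15550100', '  stop '));                             // opt-out
console.log(sendMessage('+15550100', 'UTILITY', 'One more', transport));       // blocked again
```

The point of the design is that dashboard, broadcast and API callers all reach the transport only through sendMessage, so there is no second code path that could skip the check.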

AI Transparency (Meta Policy)

All AI Agent conversations display a mandatory disclosure to the contact before the first AI response:
“You are chatting with an AI assistant. Reply HUMAN at any time to speak with a person.”
If the disclosure message fails to send, the platform retries before allowing the AI to respond. Contacts who reply HUMAN (or any of 12 similar keywords) are immediately transferred to a human agent.

Audit Logging

Every security-relevant action in your organisation is logged with a timestamp, the user who performed it, their IP address, and contextual details. Logs are retained for 365 days.
Category | Events logged
Authentication | Login success, login failure (with attempt count), account locked, MFA enabled/disabled
Credentials | Password changed, password reset requested
Data | Contact data exported, account deletion initiated
Admin | Role changes, team member added/removed, feature overrides applied
API | API key created, deleted, last-used tracking
View your organisation’s audit log at Settings → Audit Log (OWNER and ADMIN roles only).

Security Headers

All responses from app.kaanha.ai include the following security headers:
Header | Value
Strict-Transport-Security | max-age=31536000; includeSubDomains
Content-Security-Policy | no 'unsafe-eval'; frame-ancestors 'none'; base-uri 'self' (a summary of the policy's restrictions, not the full header value)
X-Frame-Options | DENY
X-Content-Type-Options | nosniff
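A header table is only useful if it is checked against what the server actually returns. The following is an added example of a checker for exactly the set above, run here against constructed header objects; it is not Kaanha AI's code. It treats the Content-Security-Policy row as three requirements (no 'unsafe-eval', frame-ancestors 'none', base-uri 'self') rather than a literal policy string, which is an assumption about that row.

```javascript
// Added illustration (not Kaanha AI's code): verify a response's security
// headers against the documented set. Sample headers below are constructed,
// not captured from app.kaanha.ai.
const ONE_YEAR = 31536000;

// Each check returns null when the value is acceptable, or a short problem description.
const CHECKS = {
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m || Number(m[1]) < ONE_YEAR) return 'max-age below one year';
    if (!/includesubdomains/i.test(v)) return 'missing includeSubDomains';
    return null;
  },
  'content-security-policy': v => {
    const problems = [];
    if (/'unsafe-eval'/i.test(v)) problems.push("allows 'unsafe-eval'");
    if (!/frame-ancestors\s+'none'/i.test(v)) problems.push("frame-ancestors is not 'none'");
    if (!/base-uri\s+'self'/i.test(v)) problems.push("base-uri is not 'self'");
    return problems.length ? problems.join('; ') : null;
  },
  'x-frame-options': v => (v.trim().toUpperCase() === 'DENY' ? null : 'expected DENY'),
  'x-content-type-options': v => (v.trim().toLowerCase() === 'nosniff' ? null : 'expected nosniff'),
};

// headers: plain object of name -> value, as http.IncomingMessage.headers provides.
function checkSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  const missing = [], weak = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in lower)) { missing.push(name); continue; }
    const problem = check(lower[name]);
    if (problem) weak.push({ header: name, problem });
  }
  return { ok: missing.length === 0 && weak.length === 0, missing, weak };
}

// Constructed samples: one matching the table, one with typical regressions
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'; base-uri 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval'; frame-ancestors 'self'; base-uri 'self'",
  'X-Content-Type-Options': 'nosniff',
};

console.log(checkSecurityHeaders(GOOD_HEADERS));
console.log(checkSecurityHeaders(WEAK_HEADERS));
```

To run it against the live site, feed it the headers from `curl -sI https://app.kaanha.ai` parsed into an object; a failing result after a deploy is the signal that a proxy or framework upgrade dropped or weakened a header.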

Rate Limiting

The platform applies rate limiting at multiple layers to protect against abuse:
  • Global: 120 requests per minute per IP address
  • Per recipient: 20 WhatsApp messages per hour per contact number
  • Broadcasts: Frequency cap of 1 MARKETING message per contact per 24 hours
Rate limit responses return HTTP 429 with a Retry-After header.
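The three limits above are keyed on different things (source IP, recipient number, recipient plus message category) and windowed over different periods, so a send request has to clear all of them in turn. The following is an added example of that admission logic with fixed-window counters, producing the 429 plus Retry-After response described; it is not Kaanha AI's code. The fixed-window bookkeeping is an assumption (the platform may use a sliding window or token bucket), as are the scope names and the 202 success status.

```javascript
// Added illustration (not Kaanha AI's code): fixed-window counters for the three
// documented limits, combined into one admission decision that yields HTTP 429
// with Retry-After when any limit is hit. Window algorithm and scope names are
// assumptions.
class WindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs; this.buckets = new Map();
  }
  // Consumes one unit for `key` if allowed; otherwise reports seconds until the window resets.
  take(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) { b = { count: 0, resetAt: now + this.windowMs }; this.buckets.set(key, b); }
    if (b.count >= this.limit) return { allowed: false, retryAfterSec: Math.ceil((b.resetAt - now) / 1000) };
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count };
  }
}

const perIp = new WindowLimiter(120, 60 * 1000);                 // 120 requests / minute / IP
const perRecipient = new WindowLimiter(20, 60 * 60 * 1000);      // 20 messages / hour / contact
const marketingCap = new WindowLimiter(1, 24 * 60 * 60 * 1000);  // 1 MARKETING message / contact / 24h

// One send request: { ip, to, type }. Limits are evaluated in order and the
// first one that trips ends the evaluation, so a rejected request does not
// burn units in the limiters behind it.
function admitSend(req, now = Date.now()) {
  const steps = [
    ['global', () => perIp.take(req.ip, now)],
    ['per_recipient', () => perRecipient.take(req.to, now)],
    ['broadcast_cap', () => (req.type === 'MARKETING' ? marketingCap.take(req.to, now) : { allowed: true })],
  ];
  for (const [scope, run] of steps) {
    const result = run();
    if (!result.allowed) {
      return { status: 429, headers: { 'Retry-After': String(result.retryAfterSec) }, body: { error: 'rate_limited', scope } };
    }
  }
  return { status: 202, headers: {}, body: { queued: true } };
}

// Stand-alone demo with constructed addresses: the second MARKETING send to the
// same contact within 24h is refused.
console.log(admitSend({ ip: '192.0.2.10', to: '+15550300', type: 'MARKETING' }));
console.log(admitSend({ ip: '192.0.2.10', to: '+15550300', type: 'MARKETING' }));
```

Retry-After is derived from the window's reset time rather than a constant, so a client that honours it backs off for exactly as long as needed. Two things a production version adds that this one omits: shared state across instances (a Redis counter rather than an in-process Map) and an allowance for IPs behind carrier-grade NAT that the per-IP limit would otherwise punish collectively.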

Responsible Disclosure

If you discover a security vulnerability in Kaanha AI, please report it responsibly:
  • Email: security@kaanha.ai
  • Do not open a public GitHub issue or disclose publicly before we’ve had a chance to address it
Our commitments:
  • Acknowledge your report within 48 hours
  • Provide a resolution timeline within 5 business days for critical issues
  • Credit researchers who responsibly disclose (if desired)
We do not pursue legal action against researchers who act in good faith under this policy.