Security & Compliance

Kaanha AI is operated by White Lions Group Pty Ltd (Australia), trading as Kaanha AI. This page describes the security controls, compliance posture, and operational practices that protect your account, your customers’ data, and the messaging, voice, and AI workflows you build on the platform.
Effective date: April 26, 2026

Compliance Posture

We are precise about what we are and what we aren’t: this page does not market certifications we have not earned.

What we are

  • GDPR-compliant — Articles 6, 13/14, 15–22, 28, 33, and 35 controls implemented; DPA available
  • CCPA / CPRA-compliant — full California consumer rights with 45-day response window
  • TCPA-compliant — prior-express-consent, STOP/HELP, quiet-hours, and DNC enforcement at the platform layer (cannot be overridden by tenants)
  • Meta WhatsApp Business Policy-enforced — opt-in, opt-out, AI disclosure, and human escalation gated at the API layer
  • CTIA Messaging Principles aligned for SMS
  • Australian Privacy Act 1988 + Australian Privacy Principles (APP 1–13) aligned
  • SOC 2-mapped — controls aligned to Trust Service Criteria CC6, CC7, CC8, A1, PI1

What we aren’t (yet)

  • NOT SOC 2 Type II certified — full Type II audit is planned (target H2 2026)
  • NOT ISO 27001 certified — under evaluation
  • NOT HIPAA-compliant — Kaanha AI is not in scope for healthcare (PHI) workloads. Do not use the platform to transmit Protected Health Information
  • PCI DSS is not directly handled — Stripe (PCI Level 1) processes all card data; Kaanha AI never sees card numbers

Legal entity: White Lions Group Pty Ltd
Trading name: Kaanha AI
Registered country: Australia
Security disclosure: security@kaanha.ai
Privacy / GDPR / CCPA: privacy@kaanha.ai
Legal / data requests: legal@kaanha.ai

Authentication & Access Control

Login security

  • NextAuth.js v4 session layer with JWT, 24-hour absolute maximum session age
  • Sessions are immediately invalidated when a user changes their password (passwordChangedAt check)
  • Passwords are hashed with bcrypt at cost factor 12
  • Password policy: minimum 8 characters, must contain uppercase, lowercase, and a digit; cannot reuse any of the last 5 passwords
  • Account lockout: 5 consecutive failed login attempts trigger a 30-minute lock; the counter resets on successful login or password reset
  • All failed-login attempts are written to the audit trail with email, IP, and attempt count

Multi-factor authentication (MFA)

MFA uses TOTP (Time-based One-Time Passwords) — compatible with Google Authenticator, Authy, and 1Password.
  • Backup codes: 10 single-use codes are generated at setup. Use one to regain access if you lose your authenticator, then reconfigure MFA immediately
  • Brute-force protection: 5 verification attempts per 15-minute window per userId (keyed on the server-resolved user ID, not IP or email — defeats NAT-rotation and email-spoofing bypasses)
  • On exceedance the platform returns HTTP 429 with Retry-After: 900 and writes MFA_RATE_LIMITED to the audit log
  • The 5-attempts-per-15-minutes ceiling caps the searchable 6-digit TOTP space at 0.014% per window — well below brute-force feasibility
We strongly recommend all team members enable MFA, especially OWNER and ADMIN roles.

API keys

  • Bearer-token authentication
  • Optional expiry per key
  • Last-used timestamp tracked
  • Rotatable without service disruption
  • Each key is scoped to a single organization — cross-tenant access is denied at the auth layer
  • Key creation, rotation, and revocation events are written to the audit log

Data Encryption

At rest

All third-party API credentials and tokens stored in Kaanha AI are encrypted at rest using AES-256-GCM before being written to the database. Coverage spans 15+ credential fields across all integrations:
  • WhatsApp Cloud API access tokens
  • Stripe / Razorpay / PayPal secret keys
  • Slack bot/user tokens
  • Voice provider keys (Sarvam, Deepgram, ElevenLabs, Twilio)
  • Connect bridge credentials
  • AI provider keys (OpenAI, Anthropic, Google)
  • CRM and webhook secrets

In transit

  • TLS 1.2+ enforced on every connection
  • HSTS with max-age=31536000; includeSubDomains advertised on every response
  • HTTP requests are redirected to HTTPS at the edge

Key management & rotation

The platform uses versioned ciphertext with two environment variables:
  • ENCRYPTION_KEY — current key
  • ENCRYPTION_KEY_PREV — previous key
During a rotation window, both keys are accepted for decryption while writes use the new key. Once all rows are re-encrypted, the previous key is removed. No downtime, no plaintext exposure.

Password & token hashing

  • User passwords: bcrypt at cost factor 12 — never stored or logged in plaintext
  • Password reset tokens: stored as SHA-256 hashes — the raw token is sent only via email and is never retrievable after generation
  • Email verification tokens: same SHA-256 hash treatment
  • Plaintext credentials are never returned in any API response — they are masked

Multi-Tenant Isolation

Kaanha AI is a multi-tenant SaaS — every customer organization is logically isolated.
  • Query scoping: every database read and write is scoped to organizationId from the authenticated session. Cross-tenant queries are rejected at the API layer
  • Composite unique constraints prevent ID collisions across organizations
  • Webhook handlers verify HMAC signatures and map the inbound payload to the correct organization before any data is read or written
  • API keys carry organization scope; an API key issued to Org A cannot read or write Org B
  • Audit logs are partitioned by organizationId — admins of Org A cannot see Org B’s events
  • Voice agents sync to the engine with organizationId baked into the agent ID space — call routing is unambiguous

Account Security & Hardening

Cross-site request forgery (CSRF)

Origin header validation on every state-changing request. Requests with mismatched or missing origins are rejected.

Server-side request forgery (SSRF)

A shared url-safety.js utility blocks outbound requests to:
  • Private IP ranges (RFC 1918, link-local, loopback)
  • Cloud metadata endpoints (169.254.169.254, fd00:ec2::, etc.)
  • localhost / 127.0.0.0/8 / ::1
Any user-supplied URL (webhook target, knowledge-base source, AI tool URL) passes through this filter before fetch.

Webhook signature verification

All inbound webhooks require HMAC-SHA256 verification:
  • Twilio — X-Twilio-Signature validated against full request URL + body
  • Meta WhatsApp — X-Hub-Signature-256 validated against payload
  • Stripe — Stripe signature verified before any payload action
  • Voice engine callbacks — HMAC on /api/voice-agents/tool-call and /api/voice-agents/webhook with fail-closed behaviour (a missing or invalid signature returns 401 — there is no bypass for missing secrets)

Rate limiting

Surface | Limit
Default per-IP | 120 requests / minute
Forgot-password | 10 / hour per IP + 3 / hour per email
MFA verify | 5 / 15 minutes per userId
Signup | 120 / minute per IP
Per-recipient WhatsApp | 20 messages / hour per contact
Marketing broadcast | 1 message per contact per 24 hours
Rate-limited responses return HTTP 429 with a Retry-After header.
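An added Node.js example (not the platform’s limiter) that serves both the MFA brute-force protection described earlier and the table above: a fixed-window counter keyed on a surface plus an identity, with the MFA surface keyed on the server-resolved userId, a 429 with Retry-After on denial, and an MFA_RATE_LIMITED audit event. The surface names, the in-memory Map and the injectable clock are this example’s assumptions; the limits are the page’s.

```javascript
// Limits from the table above; window lengths in seconds. The in-memory Map is
// a stand-in for the shared store a multi-instance deployment needs (the page
// lists Redis among the hosted components).
const LIMITS = {
  'default-ip':      { max: 120, windowSec: 60 },
  'forgot-pw-ip':    { max: 10,  windowSec: 3600 },
  'forgot-pw-email': { max: 3,   windowSec: 3600 },
  'mfa-verify':      { max: 5,   windowSec: 900 },
  'signup-ip':       { max: 120, windowSec: 60 },
  'wa-recipient':    { max: 20,  windowSec: 3600 },
};

class FixedWindowLimiter {
  // `now` is injectable so the behaviour can be tested with a fake clock.
  constructor(limits, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.buckets = new Map(); // "<surface>:<key>" -> { count, resetAt }
  }

  // Counts one attempt against (surface, key). Returns whether it is allowed and,
  // when it is not, how many seconds remain until the window resets.
  hit(surface, key) {
    const cfg = this.limits[surface];
    if (!cfg) throw new Error(`unknown rate-limit surface: ${surface}`);
    const nowMs = this.now();
    const id = `${surface}:${key}`;
    let b = this.buckets.get(id);
    if (!b || nowMs >= b.resetAt) {
      b = { count: 0, resetAt: nowMs + cfg.windowSec * 1000 };
      this.buckets.set(id, b);
    }
    if (b.count >= cfg.max) {
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((b.resetAt - nowMs) / 1000) };
    }
    b.count += 1;
    return { allowed: true, remaining: cfg.max - b.count, retryAfterSec: 0 };
  }
}

// Shape every denied request the same way: 429 plus Retry-After.
function tooManyRequests(decision) {
  return { status: 429, headers: { 'Retry-After': String(decision.retryAfterSec) } };
}

// MFA verification is keyed on the server-resolved userId, never on the client
// IP or the email the client typed, so neither NAT rotation nor a spoofed email
// widens the budget. Denials are written to the audit trail under the page's event name.
function mfaVerifyGate(limiter, userId, auditLog) {
  const d = limiter.hit('mfa-verify', userId);
  if (!d.allowed) {
    auditLog.push({ event: 'MFA_RATE_LIMITED', userId, retryAfterSec: d.retryAfterSec });
    return tooManyRequests(d);
  }
  return { status: 200, headers: {} };
}

// Forgot-password applies two independent budgets; the request must clear both.
function forgotPasswordGate(limiter, ip, email) {
  const byIp = limiter.hit('forgot-pw-ip', ip);
  if (!byIp.allowed) return tooManyRequests(byIp);
  const byEmail = limiter.hit('forgot-pw-email', email.toLowerCase());
  if (!byEmail.allowed) return tooManyRequests(byEmail);
  return { status: 200, headers: {} };
}
```

Retry-After here reports the seconds left in the current window, so it equals the full 900 seconds only when the sixth attempt lands at the start of the window; a fixed window is also the simplest shape, and a sliding window or token bucket is the usual refinement when burstiness at window edges matters.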

Account enumeration resistance

  • Signup: when an email is already registered, the route returns a generic 200 success identical in shape to a brand-new signup. Timing is equalized via a constant-time bcrypt.hash (cost 12, ~200ms). Unique-constraint failures are mapped to the same generic 200
  • Forgot-password: always returns the same success message regardless of registration status. The not-found branch performs a dummy bcrypt.hash (~80ms) to match the bcrypt-class work performed in the exists branch
  • Result: no error message, status code, response shape, or response timing can be used to determine whether an email is registered

Security Headers

Every response from app.kaanha.ai carries the following headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: frame-ancestors 'none'; base-uri 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Audit Logging

Every security-relevant event is written to a tamper-evident audit log with userId, IP address, timestamp, and contextual details. Logs are retained for 365 days and are searchable per organization.
Category | Examples
Authentication | Login success/failure (with attempt count), account locked, MFA enabled/disabled/verified, MFA rate-limited
Credentials | Password changed, password reset requested, API key created/rotated/revoked
Data | Contact data exported, account deletion initiated, bulk-delete actions
Admin | Role changes, team-member invited/removed, feature overrides applied, tier-matrix edits
API | API key authentication, last-used tracking, scope-violation attempts
Webhooks | Inbound signature verification result, organization mapping outcome
Voice | Per-call audit row (start, end, duration, agent, contact, outcome)
Compliance | Opt-in source, opt-out keyword match, AI disclosure send, human-handover triggers
OWNER and ADMIN roles can view their organization’s log at Settings → Audit Log.

Data Retention

Retention is configurable per organization where indicated; audit retention is fixed.
Data class | Default | Configurable?
Messages & conversations | 90 days | Yes
Media (images, audio, video) | 30 days | Yes
AI conversation logs | 90 days | Yes
Audit logs | 365 days | No (fixed for security monitoring)
Account deletion completion | 30 days | No (includes backup purge)
When account deletion is initiated, all live data is purged immediately and backup copies are purged within the 30-day backup-retention window.

GDPR Compliance

Kaanha AI provides the controls you need to meet your obligations as a data controller under the EU General Data Protection Regulation.

Legal bases (Article 6)

  • Contract — providing the platform you’ve subscribed to
  • Legitimate interest — service security, fraud prevention, billing
  • Consent — AI processing of message content (granular, revocable)
  • Legal obligation — tax records, lawful access requests

Notice (Articles 13/14)

Privacy notice published at /privacy covering categories of data, purposes, recipients, retention, and rights.

Data subject rights (Articles 15–22)

Right | How
Access (Art. 15) | Self-service export at Profile → Privacy & Data → Export My Data — ZIP of contacts, messages, AI logs, billing, audit log
Rectification (Art. 16) | Edit profile, contact, and organization data directly in the UI
Erasure (Art. 17) | Self-service delete at Profile → Privacy & Data → Delete Account with password re-auth
Restriction (Art. 18) | Email privacy@kaanha.ai
Portability (Art. 20) | Export delivers structured JSON / CSV — re-importable into other systems
Objection (Art. 21) | Email privacy@kaanha.ai
Automated decision-making (Art. 22) | AI-assisted routing can be disabled per-organization

Data Processing Agreement (Article 28)

A DPA is published at /dpa and is automatically incorporated into our Terms for customers processing personal data of EU residents.

Breach notification (Article 33)

Kaanha AI commits to notifying affected customers of personal data breaches within 72 hours of becoming aware. See Incident Response below.

DPIA assistance (Article 35)

We provide architecture and data-flow documentation to assist customers conducting Data Protection Impact Assessments. Email privacy@kaanha.ai.

CCPA / CPRA Compliance

For California residents, Kaanha AI honors the full set of consumer rights under the California Consumer Privacy Act / California Privacy Rights Act:
  • Right to know — categories of personal information collected, sources, purposes, and recipients
  • Right to delete — self-service via Profile → Privacy & Data
  • Right to correct — edit profile and organization data in-product
  • Right to opt out — Kaanha AI does not sell or share personal information for cross-context behavioral advertising; no opt-out is required because no sale occurs
  • Right to non-discrimination — exercising rights does not affect service quality or pricing
Response window: 45 days from receipt (extendable once by 45 days with notice).

Australian Privacy Act 1988 (APP)

As an Australian-domiciled operator, Kaanha AI aligns with the Australian Privacy Principles:
APP | Topic | Implementation
APP 1 | Open and transparent management | Privacy Policy at /privacy
APP 2 | Anonymity and pseudonymity | Read-only browsing without account creation
APP 3–5 | Collection of personal information | Collected only for stated purposes, with notice
APP 6 | Use and disclosure | Restricted to disclosed sub-processors
APP 7 | Direct marketing | Opt-in enforced; opt-out respected
APP 8 | Cross-border disclosure | Sub-processor list at /sub-processors
APP 9 | Government identifiers | Not requested or stored
APP 10 | Quality | Self-service correction tools
APP 11 | Security | Controls described on this page
APP 12 | Access | Self-service export
APP 13 | Correction | Self-service rectification

WhatsApp Compliance (Meta Business Policy)

Kaanha AI enforces Meta’s commerce and messaging policies at the API layer — these checks cannot be bypassed by tenants.

Opt-in enforcement

Every outbound message — across all 13 supported message types — is blocked unless the contact has explicit opt-in.
Source | How it’s recorded
Manual | Agent toggles opt-in from the Contacts page
Inbound | Contact messages you first → automatic opt-in
CSV import | Opt-in flag included in import file
API | POST /api/contacts with "optedIn": true

Opt-out automation

When a contact replies with any of these keywords, they are immediately and automatically opted out, no further messages are sent, and a confirmation is delivered: STOP · UNSUBSCRIBE · CANCEL · QUIT · END · BLOCK

AI transparency (mandatory disclosure)

All AI Agent conversations send the following disclosure to the contact before the first AI response:
“You are chatting with an AI assistant. Reply HUMAN at any time to speak with a person.”
If the disclosure send fails, the platform retries before allowing AI generation. This guarantees the contact is informed before any AI content reaches them.

Human escalation guarantee

Contacts who reply HUMAN (or any of 12 similar keywords) are immediately transferred to a human agent — the AI does not respond, and the conversation is routed to the inbox queue.

Marketing frequency cap

One MARKETING category template per contact per 24 hours, in addition to Meta’s own quality-rating limits.

SMS Compliance (TCPA, CTIA, Twilio AUP)

Kaanha AI’s SMS path enforces:
  • Prior express consent — opt-in is required before any SMS is sent
  • STOP / HELP keywords processed automatically — STOP unsubscribes immediately, HELP returns brand and contact info
  • CTIA Messaging Principles — content categories, frequency disclosures, registered short-code/10DLC compliance via Twilio
  • Twilio Acceptable Use Policy — prohibited content (SHAFT, fraud, etc.) blocked at template approval
  • Quiet hours — 8 PM – 8 AM recipient-local time honored on marketing campaigns

Voice Compliance (Rolling Out)

Voice features are gated behind feature flags during a staged rollout. The compliance and security envelope is:
  • TCPA — voice campaigns require prior express written consent; recorded-message restrictions enforced
  • 2-party consent recording — call recording is opt-in for the contact; the AI agent announces recording at call start
  • DNC (Do Not Call) — automated DNC list scrubbing before outbound dial
  • AI disclosure — voice agent identifies itself as AI within the first 5 seconds (per California SB-1001 and platform policy)
  • HMAC verification — engine callbacks (/api/voice-agents/tool-call, /api/voice-agents/webhook) require HMAC-SHA256; missing or invalid signatures return 401 with no bypass
  • ENGINE_WS_SECRET fail-closed — the WebSocket bridge refuses connections without a valid secret; there is no missing-secret development bypass
  • Twilio signature verification on the inbound voice webhook
  • Per-call audit log with start, end, duration, agent, contact, outcome
  • Real-time stream is TLS-encrypted between Twilio, the engine, and the AI providers
  • Sub-processor disclosure — voice routes data through Sarvam, Deepgram, and Google (Gemini); fully disclosed at /sub-processors

AI Compliance

  • Meta Business Platform — Task-Specific AI Policy (effective Jan 2026): AI models on the platform are restricted to task-specific assistance (customer service, knowledge retrieval, scheduling). General-purpose chat is not enabled by default. Prohibited categories (medical, legal, financial advice without disclaimer) are filtered
  • EU AI Act: Kaanha AI’s AI features fall under the limited-risk classification — transparency obligation is satisfied by the mandatory AI disclosure described above
  • California SB-1001 (Bot Disclosure Act): AI agents identify themselves as automated to California recipients
  • Content safety filtering — provider-side moderation (OpenAI, Anthropic, Google) and platform-side keyword filters block prohibited content categories
  • Customer control — every AI behavior knob (model, temperature, system prompt, allowed tools, knowledge sources) is UI-controllable per organization. There are no backend hardcoded overrides

Mobile App Security

The Kaanha AI mobile app (iOS and Android) consumes the same APIs as the web platform with the same authentication and authorization model.
  • Authentication — bearer-token fallback for native clients; full session-equivalent protections
  • Biometric login — Face ID / Touch ID. The biometric template is stored on-device only in the Apple Secure Enclave or Android Trusted Execution Environment; it is never transmitted to Kaanha AI servers
  • Push notifications — delivered via Expo Push Service to Apple APNs and Google FCM. Push payloads do not contain message bodies — they trigger an authenticated fetch
  • Offline mode — local cache is encrypted at rest using OS-provided storage (iOS Keychain / Android Keystore)
  • App Store distribution — submitted and verified through Apple App Store Connect and Google Play Console with full Data Safety / Privacy disclosures

Sub-Processors

Kaanha AI uses a defined set of sub-processors to deliver the service. Full canonical list — including data categories, regions, and DPAs — is published at /sub-processors. Always-active (every customer):
Sub-processor | Purpose | Region
Railway Corporation | Cloud hosting, PostgreSQL, Redis | United States
Meta Platforms | WhatsApp Cloud API | Global
Microsoft 365 | Email delivery (M365 Graph API) | United States
Stripe | Payment processing (USD) | United States
Conditional (active when a customer enables the feature):
Sub-processor | Activation trigger | Region
Twilio | SMS or voice channel configured | United States
OpenAI | OpenAI model selected on an AI agent | United States
Anthropic | Anthropic model selected on an AI agent | United States
Google | Gemini selected (voice or chat) or Google OAuth login | United States
Sarvam AI | Voice agent uses Sarvam STT/TTS | India
ElevenLabs | Voice agent uses ElevenLabs welcome / TTS | United States
Deepgram | Voice agent uses Deepgram STT | United States
Optional / inactive for new customers:
Sub-processor | Status
Razorpay | INR payment processing — not enabled for new tenants
PayPal | Legacy payment option — not enabled for new tenants
Notice & objection: customers receive at least 30 days’ notice before any new sub-processor is added or replaced, with the right to object. Email privacy@kaanha.ai.

Vulnerability Management & Penetration Testing

  • Dependency scanning: npm audit --audit-level=high runs in CI on every pull request and weekly via GitHub Actions
  • Code review: required for every change merged to the main branch
  • Static analysis: linting and type-check gates on CI
  • Penetration testing: annual third-party penetration test (planned / in progress)
  • Bug bounty: responsible disclosure at security@kaanha.ai; see Responsible Disclosure below

Incident Response

  • Acknowledgement of disclosed vulnerabilities within 48 hours
  • Critical fixes targeted within 7 days of confirmation
  • Customer breach notification within 72 hours of becoming aware of a personal-data breach (per GDPR Art. 33)
  • Internal incident runbook documented at docs/incident-response.md
  • Post-incident reports delivered to affected customers, including: scope, root cause, remediation, and preventive measures
  • Status page: status.kaanha.ai for real-time service updates

Backup & Recovery

Metric | Value
Backup cadence | Daily automated PostgreSQL snapshots
RPO (recovery point objective) | 24 hours
RTO (recovery time objective) | 2 hours (Railway redeploy + DB restore)
Backup encryption | At rest, same key class as primary data
Backup retention | 30 days
Recovery drills | Annual full-restore exercise
Full procedures documented at docs/backup-recovery.md.

File Upload Security

  • MIME whitelist — only allowed content types accepted
  • Magic-byte verification — file content is sniffed and matched against the declared MIME (a .png with executable bytes is rejected)
  • Size limits per file type (image, audio, video, document) tuned to channel constraints
  • Virus scanning where enabled per deployment
  • Origin validation — files served from media routes carry strict CSP and content-type headers
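The first three gates above (MIME whitelist, size limit, magic-byte check against the declared type), written as an added Node.js example rather than the platform’s upload handler. The signature table, the size limits and the list of non-media signatures used to name a mismatch are constructed for this example; the page does not list the platform’s own whitelist.

```javascript
// Accepted declared types and the leading byte signatures each may carry.
// This table is constructed for the example; the platform's whitelist and
// size limits are not listed on the page.
const ALLOWED = {
  'image/png':       { maxBytes: 5 * 1024 * 1024,   signatures: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]] },
  'image/jpeg':      { maxBytes: 5 * 1024 * 1024,   signatures: [[0xff, 0xd8, 0xff]] },
  'image/gif':       { maxBytes: 5 * 1024 * 1024,   signatures: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]] },
  'application/pdf': { maxBytes: 100 * 1024 * 1024, signatures: [[0x25, 0x50, 0x44, 0x46, 0x2d]] },
};

// Well-known signatures of things that should never be accepted as media, used
// only to name what a mismatching upload actually looked like in the rejection.
const KNOWN_OTHER = [
  { name: 'windows-executable', bytes: [0x4d, 0x5a] },             // "MZ"
  { name: 'elf-executable',     bytes: [0x7f, 0x45, 0x4c, 0x46] }, // "\x7fELF"
  { name: 'zip-or-office',      bytes: [0x50, 0x4b, 0x03, 0x04] }, // "PK\x03\x04"
  { name: 'html-or-text',       bytes: [0x3c] },                   // "<"
];

function startsWithBytes(buf, sig) {
  return buf.length >= sig.length && sig.every((b, i) => buf[i] === b);
}

// Identify the content by its leading bytes, independent of the declared MIME.
function sniffContent(buf) {
  for (const [mime, rule] of Object.entries(ALLOWED)) {
    if (rule.signatures.some((sig) => startsWithBytes(buf, sig))) return mime;
  }
  const other = KNOWN_OTHER.find((k) => startsWithBytes(buf, k.bytes));
  return other ? other.name : 'unknown';
}

// Apply the three gates in order: whitelist, size, then content-vs-declaration.
// The size gate runs before sniffing so an oversized body is never read further.
function validateUpload(declaredMime, buf) {
  const rule = ALLOWED[declaredMime];
  if (!rule) return { accepted: false, reason: 'mime-not-allowed', sniffed: sniffContent(buf) };
  if (buf.length > rule.maxBytes) return { accepted: false, reason: 'too-large', sniffed: 'not-inspected' };
  const sniffed = sniffContent(buf);
  if (sniffed !== declaredMime) return { accepted: false, reason: 'content-mismatch', sniffed };
  return { accepted: true, reason: 'ok', sniffed };
}
```

A magic-byte match is necessary but not sufficient: polyglot files can carry a valid image header and still parse as something else in a different consumer, which is why the last bullet above (strict Content-Type and CSP on the media routes, together with X-Content-Type-Options: nosniff) belongs with these checks rather than replacing them. Types that have no fixed signature, such as SVG or HTML, cannot be validated this way and are best kept off the whitelist or sanitised separately.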

Compliance Roadmap

Item | Status
SOC 2 Type II audit | Planned (target H2 2026)
ISO 27001 certification | Under evaluation
HIPAA | Not currently in scope (no healthcare workloads expected)
PCI DSS | Not directly handled — Stripe (PCI Level 1) processes all cards
Annual third-party penetration test | Planned / in progress
Annual recovery drill | Annual cadence

Responsible Disclosure

If you discover a security vulnerability in Kaanha AI, please report it responsibly:
  • Email: security@kaanha.ai
  • Do not open a public GitHub issue or post on social media before we’ve had a chance to investigate and remediate
Please include:
  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Suggested fix (if any)
Our commitments:
  • Acknowledge your report within 48 hours
  • Provide a resolution timeline within 5 business days for critical issues
  • Target 7 days for critical fixes
  • Credit researchers who responsibly disclose (if desired)
We do not pursue legal action against researchers acting in good faith under this policy.

Customer’s Compliance Responsibilities

Kaanha AI provides the controls — you, as the data controller for your end-users, must operate them correctly. You are responsible for:
  • Maintaining opt-in records for every contact you message via WhatsApp, SMS, or voice. Kaanha AI’s opt-in field reflects your record-keeping; the burden of proof is yours
  • Adhering to the Acceptable Use Policy (/aup) — no SHAFT content, fraud, scams, or harassment
  • Configuring AI agents responsibly — system prompts, allowed tools, knowledge-base scope. AI hallucinations or off-policy outputs caused by misconfiguration are your responsibility
  • Passing through data subject rights — when your end-users invoke GDPR / CCPA rights against you, you must propagate the action via Kaanha AI’s tools (or via privacy@kaanha.ai for assisted handling)
  • Configuring data retention to match your jurisdiction’s requirements (some jurisdictions require longer or shorter retention than our defaults)
  • Securing your team’s accounts — enabling MFA, rotating API keys, removing departed users
  • Disclosure to your end-users — your privacy notice must accurately describe your use of Kaanha AI

Cross-References

Document | Link
Privacy Policy | /privacy
Terms of Service | /terms
Data Processing Agreement | /dpa
Acceptable Use Policy | /aup
Sub-Processors | /sub-processors
AI Disclosure | /ai-disclosure
Status Page | status.kaanha.ai
Support | /support

Effective April 26, 2026. Reviewed at minimum annually and upon material changes to platform architecture, applicable law, or sub-processor list.