Security at KALIRA
KALIRA handles safety-critical data: inspection records, compliance certificates, asset histories. We treat data security as a core requirement, not a feature checkbox. This page describes how we protect your data today.
Infrastructure
KALIRA runs on Supabase, which is hosted on Amazon Web Services (AWS). Supabase maintains SOC 2 Type II compliance. All data is stored in PostgreSQL databases with automated failover and high-availability configuration.
Application hosting is provided by Vercel, with edge-optimized delivery and automatic HTTPS.
Encryption
Data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.2. Database connections require SSL. File uploads (inspection photos, certificates, documents) are stored in encrypted object storage with per-tenant access controls.
Authentication
Authentication is handled by Supabase Auth. Passwords are hashed using bcrypt with a cost factor of 10. Session tokens are signed JWTs with configurable expiration.
Enterprise plans support Single Sign-On (SSO) via SAML 2.0 with SHA-256 signing, enabling integration with identity providers such as Azure AD, Okta, and Google Workspace.
Data isolation
Every database table enforces Row Level Security (RLS). Tenant isolation is enforced at the database level. Queries are filtered by organization ID before execution, not in application code. Organization A cannot access, query, or infer the existence of Organization B's data.
Data residency
KALIRA data is currently hosted in the Singapore (ap-southeast-1) region. We are evaluating an Indonesia-region option (Jakarta) for customers with in-country data residency requirements. Enterprise customers can discuss data residency requirements during onboarding.
Access control
KALIRA uses role-based access control (RBAC) with the principle of least privilege. Roles include organization admin, safety manager, inspector, data manager, IT admin, gate officer, and asset viewer. Each role has a defined set of permissions. An inspector cannot modify billing settings, and a gate officer cannot access asset management.
Permissions are enforced at both the API and database level. UI-level restrictions alone are never relied upon for security.
Audit trail
All actions in KALIRA are logged with timestamp, user identity, and IP address. Completed inspections and issued certificates are append-only. They cannot be edited or deleted after finalization. This immutability is enforced at the database level, not the application level.
Audit logs are available for export on Compliance and Enterprise plans.
Backup and recovery
Automated database backups run daily with 30-day retention. Point-in-time recovery is available for restoring data to any moment within the retention window. Backups are stored in a separate availability zone from the primary database.
Incident response
Security incidents are acknowledged within 24 hours and targeted for resolution within 72 hours. Affected customers are notified directly via email. Post-incident reports are provided for Enterprise customers.
Compliance
KALIRA is designed to comply with the Indonesian Personal Data Protection Law (UU PDP No. 27 Tahun 2022) and the EU General Data Protection Regulation (GDPR). We are working toward ISO 27001 certification.
Our infrastructure provider (Supabase) maintains SOC 2 Type II certification. Supabase's compliance documentation is available upon request.
Vulnerability disclosure
If you discover a security vulnerability, report it to security@kaliratech.com. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against researchers who report vulnerabilities in good faith.
Security summary
KALIRA implements commercially reasonable security measures as described above. No system is completely secure, and we cannot guarantee absolute security of your data. We continuously evaluate and improve our security practices.
Last reviewed: March 2026
Questions about security? Contact security@kaliratech.com