Security
Customer business data is the most sensitive thing we touch. This page describes the controls we operate, the deployment options that put you in full control, and how to reach us if something looks wrong.
Default to less data, less risk.
We design the platform to collect the minimum we need and to give customers genuine deployment choices. The most security-aware customers run KolossusAI inside their own infrastructure, where their data never leaves their network.
Where your data lives is your choice.
- On-premise: KolossusAI runs entirely inside your data centre or private cloud. Data does not leave your environment.
- Private cloud (single-tenant): a dedicated KolossusAI deployment in a region you choose, with isolated storage and compute.
- Managed (multi-tenant): hosted on Indian infrastructure with strict per-tenant isolation at the database, storage, and request layers.
Data in transit and at rest.
- All connections to our APIs and dashboards use TLS 1.2 or higher.
- Customer data at rest is encrypted using AES-256 or stronger equivalents on every supported deployment shape.
- Connector credentials and API tokens are stored in dedicated secret stores, never in application databases.
Least privilege, by default.
- Production access is restricted to a small number of named partners and engineers, on hardware-key-protected accounts.
- All production access is logged, time-bounded, and reviewed.
- Customer-facing access is governed by role-based permissions configurable per deployment.
- We do not look at customer business data unless you ask us to (typically for support, debugging, or POC scoping) and we record when we do.
Your data is not mixed with anyone else's.
Even on the managed deployment, every customer has logically isolated storage, isolated query execution, and tenant-tagged audit trails. We do not use your data to train models that serve other customers.
Recovery posture.
Managed deployments take encrypted, region-local backups on a rolling schedule. Backup retention windows and recovery objectives are documented per deployment in your service agreement.
On-premise and private-cloud customers are responsible for backup policy in their own environment; we provide guidance and tooling.
Watching, and ready to act.
Production environments are monitored for availability, error rates, and unusual access patterns. Significant security incidents trigger our incident response process, which includes immediate containment, investigation, and customer notification within the timelines required by Indian law and our service agreements (typically within 72 hours of a confirmed breach).
The vendors that touch your data.
We rely on a small number of carefully chosen sub-processors for cloud infrastructure, transactional email, and error tracking. Each is bound by a data processing agreement aligned with the commitments in our Privacy Policy.
A current list is available on request - email us and we'll send it the same day.
Who has access to systems.
- All partners and engineers sign confidentiality undertakings before joining.
- Background checks are run for roles with production access.
- We use single sign-on with enforced multi-factor authentication for internal tools.
- On exit, access is revoked the same day.
Where we stand and where we're going.
KolossusAI's controls are designed to be consistent with the Digital Personal Data Protection Act, 2023 (India), and standard SaaS security practice (ISO 27001 control families). We are happy to share our security questionnaire responses for procurement and vendor onboarding - request via connect@kolossus.ai.
If you find something, please tell us.
Responsible disclosure is welcome and appreciated. If you discover a security issue, email connect@kolossus.ai with the subject line "Security report". We'll acknowledge within one working day and work with you on a timeline for remediation and public credit, if you want it.
Please do not test against production systems in ways that could affect availability or other customers.