Security & GDPR

Built for the data you can't afford to lose.

Kairos touches your POS, your invoices and your P&L. Here is exactly how that data is handled, where it lives, and what stays under your control — the things a multi-venue group's procurement team needs before signing.

GDPR from day one

Built in Spain under EU law. Kairos acts as a data processor on your operational data; you remain the controller. A full Data Processing Agreement is in place with every client.

Encryption & access control

Data encrypted in transit (TLS) and at rest. Role-based access control via Clerk. Guest-review PII is redacted before any LLM processing — models never see reviewer identities.

EU-based infrastructure

Application database, object storage and LLM inference run on EU infrastructure. The few US processors are EU-US DPF certified or covered by Standard Contractual Clauses.

Your data stays yours

We never sell, share, or use your data to train models for other clients. You can export or delete everything at any time — operational data is retained for the contract duration plus one year, then removed.

Subprocessors

Every third party in the data path, with what they touch and where they sit. The authoritative version lives at /subprocessors.

ProcessorPurposeDataLocation
NAN (Qwen LLM)LLM inferencePII-redacted promptsEU
ClerkAuth & RBACEmails, profileUS (DPF certified)
AWS S3PDF storageOperational PDFsEU (Frankfurt)
SentryError monitoringTraces (PII scrubbed)US (DPF certified)
Upstash RedisCache & rate limitSession tokensEU (Ireland)
Prisma PostgresApp databaseFull app dataEU
OutscraperReviews scrapingPublic review dataUS (SCCs)
ResendTransactional emailRecipient addressEU
VercelHosting & edgeRequest logsGlobal edge

Documents