Skip to content

Security and Sealed Tenancy

Commercial data is competitive data. Every row is isolated by database-enforced row level security, and your data is never used to train models.

Start freeRead the DPA

How tenancy is sealed

Kabaido is built tenant-isolated from the first table.

Every row is organisation-scoped with database-enforced row level security. The filter lives in the database itself and applies to every query, not in application code that has to remember to add it.

Storage follows the same rule. Paths are tenant-prefixed, so every file an organisation uploads or generates sits under its own prefix and nowhere else.

Every account runs this way. The tiers below are for organisations that need to go further.

Diagram of organisation-scoped rows filtered by row level security and tenant-prefixed storage pathsOrganisation-scoped rowsdatabase-enforced row level securityidtitletotalorg_idorg-aorg-borg-aorg-brows your session can readrows the policy filters outTenant-prefixed storageorg-a/your organisation's filesorg-b/outside your prefix, never served

Enterprise

Sealed Tenancy tiers

Standard is how every account runs. Sealed and Sovereign are Enterprise conversations: dedicated project isolation and customer-held keys.

The Standard, Sealed and Sovereign tenancy tiers compared
PracticeStandardSealedSovereign
AvailabilityEvery accountEnterpriseEnterprise
Database-enforced row level securityIncludedIncludedIncluded
Tenant-prefixed storageIncludedIncludedIncluded
TLS in transit and AES-256 at restIncludedIncludedIncluded
What it addsThe baseline aboveDedicated project isolationCustomer-held keys
Talk to us

Enterprise plans carry custom allowances and caps.

Foundations

Built on certified infrastructure

Our own ISO 27001 and SOC 2 programmes are on the roadmap, and we say so plainly. The ground Kabaido runs on is already there: every provider that touches your data holds the certifications a security review asks for.

Kabaido is assembled from a small set of specialist providers, each audited by independent assessors and recertified every year. Hosting, the database, payments, the AI runtime and email each come from a company whose security is verified to a recognised standard.

Your data sits in the United Kingdom region of this infrastructure. We name every provider in the data processing agreement, the same five below. None are added without telling you.

We publish what we run rather than badges we have not yet earned.

Diagram of a tenant-isolated Kabaido application running on independently certified providers, hosted in the United Kingdom regionYour organisation's dataRow level security, tenant-prefixed storage, encrypted at restVercelHostingSupabaseDatabaseStripePaymentsAnthropicAIResendEmailIndependently certified to recognised standardsSOC 2 Type IIISO 27001ISO 42001PCI DSSHIPAAHosted in the United Kingdom region

  • Vercel

    Application hosting and edge delivery

    • SOC 2 Type II
    • ISO 27001
    • PCI DSS
    • HIPAA

  • Supabase

    Postgres database and file storage

    • SOC 2 Type II
    • ISO 27001
    • HIPAA

  • Stripe

    Payments and billing

    • PCI DSS Level 1
    • SOC 2 Type II
    • ISO 27001

  • Anthropic

    AI runtime, zero retention

    • SOC 2 Type II
    • ISO 27001
    • ISO 42001
    • HIPAA

  • Resend

    Transactional email

    • SOC 2 Type II

Certifications are held by the named providers and renewed on their own audit cycles. Each provider publishes its reports through its trust centre on request.

Compliance

Compliance across the UK, the EU and the US

Kabaido is a United Kingdom service. Wherever you and your customers operate, the rules that apply to commercial data are covered.

Your data resides in the United Kingdom and is governed by UK GDPR and the Data Protection Act 2018. For the business data you load you are the controller and Kabaido is the processor.

The UK holds a renewed EU adequacy decision that runs to December 2031, so personal data moves freely between the European Economic Area and the United Kingdom. Where a transfer needs a further safeguard, Standard Contractual Clauses with the UK Addendum cover it.

We do not sell personal data and the website carries no advertising trackers.

Diagram of customer data resident in the United Kingdom, flowing freely to the European Economic Area under adequacy and to the United States under safeguards, governed by UK GDPR and the Data Protection Act 2018European Economic AreaPersonal data flows freelyUnited StatesTransfers under safeguardsAdequacy to 2031SCCs and UK AddendumUnited Kingdomdata residencyUK GDPR and the Data Protection Act 2018
  • UK

    United Kingdom

    UK GDPR and the Data Protection Act 2018

    • Your primary data and file storage reside in the United Kingdom.
    • You are the data controller; Kabaido is the processor of the data you load.
    • Access, correction, erasure, portability and objection requests are honoured.
    • The ICO is the supervisory authority, and you can raise a concern with it.
  • EU

    European Union and EEA

    EU GDPR, recognised adequacy

    • EU GDPR governs the personal data of people in the EU and EEA.
    • A renewed adequacy decision lets data flow freely between the EEA and the UK to December 2031.
    • Onward transfers are covered by Standard Contractual Clauses where they are needed.
  • US

    United States

    State privacy laws

    • The California Consumer Privacy Act, CPRA and comparable state laws are honoured for the people they cover.
    • We do not sell personal data and the website runs no advertising trackers.
    • Transfers to US-based providers use Standard Contractual Clauses with the UK Addendum.
Read the compliance documentationPrivacy policy

Practices, not badges

What we run today, stated plainly. Your IT reviewer and your MD should clear this page in one read.

Encryption
TLS in transit and AES-256 at rest.
Integration credentials
Application-layer encryption for integration credentials, on top of encryption at rest.
Your data is yours
No training on customer data. The AI provider is configured for zero retention, set out in the data processing agreement.
UK hosting
Your primary data and file storage reside in the United Kingdom region of our infrastructure providers.
Access and audit
Role-based access for your team, with administrative actions recorded in an audit log.
Incident response
If something goes wrong, we notify affected customers without undue delay and document our response.
Full export anytime
Take a complete export of your data whenever you ask.
Deletion on request
Ask us to delete your data and we remove it. On cancellation we delete or return it.
Sub-processors
Supabase, Vercel, Stripe, Resend and Anthropic, named as in the data processing agreement.
Assurance roadmap
ISO 27001 and SOC 2 programmes are on the roadmap; we publish practices today rather than badges.
Read the security documentationPrivacy policy

Signed, so you can check

Every webhook delivery carries the X-Kabaido-Signature header: a timestamp and an HMAC SHA-256 of the timestamp and body, retried five times if your endpoint is down. The payload envelope names the organisation it belongs to, the same scoping the database enforces.

Quotes API
Request
POST your endpoint, event quote.sent
Response

quote.sentQ-26-00023£607.20signed

Signed t=<unix>,v1=<hex hmac sha256 of "t.body"> in the X-Kabaido-Signature header.

Built tenant-isolated from the first table

No card to start and a full export whenever you ask.

Start freeSend a real RFQ

Security disclosures: hello@kabaido.com. A human replies, usually within one working day.