Security

Kioku is designed for security-conscious teams running AI agents in production. Here's how we protect your data.

Authentication & Access Control

  • API keys are SHA-256 hashed before storage — we never store raw keys
  • Three key types (org, admin, agent) with granular permission scopes
  • Per-agent access control — agents only see memories in their scope
  • JWT sessions for console users with configurable expiry
  • Key rotation and revocation with full audit trail

Data Protection

  • All data encrypted in transit (TLS 1.3)
  • PostgreSQL with encryption at rest on GCP
  • Per-organization data isolation — no cross-org data leakage
  • Sensitivity classification on every memory (public, internal, confidential, restricted)
  • Legal hold support prevents accidental deletion of compliance-relevant memories

Trust & Safety

  • Trust scoring on agents and memories — low-trust content is quarantined
  • Automatic conflict resolution when agents disagree
  • Quarantine system for suspicious or policy-violating memories
  • Approval workflows for sensitive scope promotions

Audit & Compliance

  • Tamper-evident audit log with hash chains — every operation is recorded
  • Full retrieval traces showing why specific memories were returned
  • Immutable event history for compliance and forensics
  • Exportable audit trails

Infrastructure

  • Hosted on Google Cloud Platform (GCP)
  • Regular security updates and dependency scanning
  • Rate limiting per organization to prevent abuse
  • MCP transport security with configurable host/origin allowlists

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly.

security@kioku.dev