1 Data Encryption
Kairos Analytics uses industry-standard encryption to protect your data at all stages:
- Encryption at rest: All user data and financial records stored in our Neon PostgreSQL database are encrypted at rest using AES-256-GCM encryption, provided by Neon Database Inc.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher, ensuring that your credentials and financial data cannot be intercepted during transmission.
- Bank access tokens: Plaid access tokens stored in our database are stored in encrypted form. We do not store raw bank credentials.
2 How Financial Data and Credentials are Stored and Protected
When you connect your bank account via Plaid, Kairos Analytics receives only a secure, encrypted access token — not your bank login credentials. Specifically:
- No raw credentials stored. We never store your bank username, password, PIN, or one-time passcodes. All bank authentication is handled exclusively by Plaid under their security protocols.
- Plaid tokens are encrypted. The Plaid access token we store is encrypted at the application layer before storage in our database.
- Read-only access. We request read-only access to your transaction history and account balances. Kairos Analytics cannot initiate or approve transactions on your behalf.
- Access controls. Production database access is restricted to essential platform operations. No direct user access to raw financial data is provided via the platform UI.
3 Plaid Integration
Kairos Analytics connects to your bank account through Plaid Inc., a licensed third-party data aggregator. Here is what that means for your data:
- What data is accessed: When you connect an account, Plaid shares transaction descriptions, amounts, dates, account balances, and merchant names with us. We do not receive your bank login credentials.
- How data is handled: Financial transaction data received from Plaid is stored in our encrypted Neon PostgreSQL database and used solely to provide the Kairos Analytics bookkeeping service.
- Kairos never stores raw bank credentials. All authentication is performed through Plaid's secure, encrypted token system. We cannot access your bank account directly.
- Read-only access. Our Plaid integration uses read-only permissions. We cannot initiate transfers, approve payments, or modify your bank account settings.
- Plaid's own policies apply. Your use of Kairos Analytics through Plaid is also subject to Plaid's own privacy policy and terms of service, available at plaid.com/legal.
4 Access Controls
We limit who can access your data internally:
- Production database access is restricted to essential platform operations and is not available to general engineering staff.
- Employee access to user data is limited to staff with a legitimate need for support, maintenance, or fraud prevention.
- No shared credentials. Internal systems use individual, audited access credentials — no shared passwords or generic service accounts.
- Role-based permissions. Platform features are gated by user role (admin, editor, viewer). Team founders can manage who has access to what.
All internal access is logged in an append-only audit trail for OWASP A09-2 compliance.
5 Data Breach Response and Incident Handling
In the event of a data breach affecting your personal or financial information:
- We will notify you via email within 72 hours of discovering the breach.
- Notification will include: what data was affected, what we have done in response, and what steps you can take to protect yourself.
- We will work with relevant authorities and affected third parties (including Plaid) as required by law.
- A post-incident review will be conducted and findings used to improve our security controls.
We also maintain monitoring and alerting to detect unauthorized access attempts and anomalous activity across the platform.
6 How to Request Data Deletion
You may request deletion of your account and all associated personal and financial data at any time. To do so:
- Email: Contact us at privacy@polsia.app with the subject "Data Deletion Request."
- In-app: You can also delete your account from your Account Settings page in the dashboard.
Deletion is complete within 30 days of your request. Some anonymized aggregate data may be retained after deletion for product improvement purposes, with no individual identification possible. Transaction data and Plaid tokens are removed from our systems within this window.
For urgent security matters (such as a compromised account), contact us at security@polsia.app for the fastest response.
7 Contact
For security concerns, suspected vulnerabilities, or incident reports:
We aim to respond to all security-related inquiries within 2 business days. For urgent incidents, email is the fastest path to resolution.