Last updated: December 27, 2025
Kalypso takes data security seriously. We implement comprehensive technical and organizational measures to protect your information from unauthorized access, loss, misuse, or alteration.
2.1 Encryption
• Data in transit: TLS 1.3 encryption for all traffic between your browser and our servers
• Data at rest: AES-256 encryption for stored data
2.2 Access Controls
• Multi-factor authentication (MFA) for all team members
• Role-based access control (RBAC)
• Principle of least privilege
• Regular access audits
2.3 Infrastructure Security
• Secure, monitored data centers
• Firewall protection
• Intrusion detection systems
• Regular vulnerability scanning
2.4 Application Security
• Secure coding practices
• Regular security testing and penetration testing
• Dependency scanning and updates
• Input validation and sanitization
3.1 Employee Training
All team members receive regular security and privacy training.
3.2 Confidentiality Agreements
All employees and contractors sign strict confidentiality and non-disclosure agreements.
3.3 Background Checks
We conduct background checks on all personnel with access to sensitive client data.
3.4 Incident Response Plan
We maintain a documented incident response plan to quickly address any security breaches.
Client data is logically segregated and isolated. Each client's corpus is stored separately with dedicated access controls. We do not mix or cross-reference data between clients.
5.1 Primary Infrastructure
All client data is stored and processed on servers located in Switzerland, benefiting from Swiss data protection laws—among the strictest in the world.
5.2 Why Switzerland?
• Not subject to the US CLOUD Act or FISA surveillance
• Strong privacy laws with constitutional protection
• No mandatory data retention laws
• EU adequacy decision for GDPR compliance
5.3 Custom Deployment Options
For clients with specific sovereignty requirements, we can discuss:
• On-premises deployment
• Private cloud in your preferred jurisdiction
• Air-gapped environments
6.1 Automated Backups
We perform regular automated backups of all client data.
6.2 Disaster Recovery
We maintain a disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
6.3 Backup Encryption
All backups are encrypted using the same standards as production data.
We carefully vet all third-party service providers and require them to meet our security standards. We maintain Data Processing Agreements (DPAs) with all subprocessors.
Kalypso is committed to compliance with:
• GDPR (General Data Protection Regulation)
• Swiss FADP (Federal Act on Data Protection)
• CCPA (California Consumer Privacy Act)
8.1 Industry Best Practices
While we do not currently hold formal certifications, we implement security controls aligned with the ISO/IEC 27001 and SOC 2 frameworks.
8.2 Swiss Data Center Standards
Our Swiss infrastructure partners maintain Tier III+ data center certifications and Swiss banking-grade security standards.
In the unlikely event of a data breach, we will:
• Notify affected clients within 72 hours of becoming aware of the breach
• Provide details of the breach and affected data
• Outline remediation steps taken
• Comply with all applicable breach notification laws
While we implement strong security measures, you also play a role in protecting your data:
• Use strong, unique passwords
• Enable multi-factor authentication where available
• Do not share login credentials
• Report suspicious activity immediately
We conduct regular internal security audits and periodic third-party penetration tests to identify and remediate vulnerabilities.
If you discover a security vulnerability, please report it to us immediately at:
security@kalypsohq.com
We appreciate responsible disclosure and will work with you to address any issues promptly.
For questions about our security practices, contact us at:
security@kalypsohq.com