Security policy
Our security practices and how to report a vulnerability responsibly.
Our practices
Aagman is a thin-client kiosk system. The kiosk hardware runs no servers and holds no long-lived credentials. All visitor data and application logic run on Kaizen Labs cloud infrastructure.
- Visitor records and photos are stored in AWS ap-south-1 (Mumbai). Data does not leave India.
- Published media assets (avatar clips, audio) are served from Cloudflare R2.
- Transport is TLS 1.2 or higher on all connections between kiosk, gateway, and database.
- Access to visitor records is role-based (RBAC) and every view is audit-logged.
- Credentials are not stored on the kiosk device. The kiosk uses short-lived tokens refreshed on each session.
- We follow OWASP secure-development guidance and apply security patches promptly.
Formal certifications (SOC 2 Type II, ISO 27001) are on our roadmap. We do not currently claim them. See Trust & Security for the full picture.
Scope
The following are in scope for responsible disclosure:
- kaizenlabs.co.in and its subdomains
- Aagman control plane (apps.kaizenlabs.co.in)
- Kiosk activation and bundle-fetch APIs
- Visitor record storage and access-control logic
Third-party services (WhatsApp, Cloudflare, AWS) are out of scope. Report those directly to the vendor.
Responsible disclosure
If you find a security vulnerability in our systems, please tell us before disclosing it publicly so we can fix it first. We follow coordinated disclosure.
- 1Email security@kaizenlabs.co.in with a clear description of the issue, steps to reproduce, and any proof-of-concept. Do not access or exfiltrate data beyond what is needed to demonstrate the vulnerability.
- 2We acknowledge receipt within 1 business day.
- 3We target a fix or written status within 5 business days, depending on severity. We will keep you updated throughout.
- 4We will acknowledge your contribution in the fix announcement, unless you prefer to remain anonymous.
Response targets
Acknowledgement
1 business day
Fix or status update
5 business days
Customer notification
On confirmed impact