Trust & Security

Security policy

Our security practices and how to report a vulnerability responsibly.

Our practices

Aagman is a thin-client kiosk system. The kiosk hardware runs no servers and holds no long-lived credentials. All visitor data and application logic run on Kaizen Labs cloud infrastructure.

  • Visitor records and photos are stored in AWS ap-south-1 (Mumbai). Data does not leave India.
  • Published media assets (avatar clips, audio) are served from Cloudflare R2.
  • Transport is TLS 1.2 or higher on all connections between kiosk, gateway, and database.
  • Access to visitor records is role-based (RBAC) and every view is audit-logged.
  • Credentials are not stored on the kiosk device. The kiosk uses short-lived tokens refreshed on each session.
  • We follow OWASP secure-development guidance and apply security patches promptly.

Formal certifications (SOC 2 Type II, ISO 27001) are on our roadmap. We do not currently claim them. See Trust & Security for the full picture.

Scope

The following are in scope for responsible disclosure:

  • kaizenlabs.co.in and its subdomains
  • Aagman control plane (apps.kaizenlabs.co.in)
  • Kiosk activation and bundle-fetch APIs
  • Visitor record storage and access-control logic

Third-party services (WhatsApp, Cloudflare, AWS) are out of scope. Report those directly to the vendor.

Responsible disclosure

If you find a security vulnerability in our systems, please tell us before disclosing it publicly so we can fix it first. We follow coordinated disclosure.

  1. 1Email security@kaizenlabs.co.in with a clear description of the issue, steps to reproduce, and any proof-of-concept. Do not access or exfiltrate data beyond what is needed to demonstrate the vulnerability.
  2. 2We acknowledge receipt within 1 business day.
  3. 3We target a fix or written status within 5 business days, depending on severity. We will keep you updated throughout.
  4. 4We will acknowledge your contribution in the fix announcement, unless you prefer to remain anonymous.

Response targets

Acknowledgement

1 business day

Fix or status update

5 business days

Customer notification

On confirmed impact

Questions or a vulnerability to report?

Email security@kaizenlabs.co.in