Trust & Security
How KLNR Labs P.S.A. protects your data and the legal work you entrust to us — covering encryption, access control, EU data residency, hosting, incident response, AI-specific safeguards, human oversight, and our certification roadmap. This page applies across the KLNR product group (Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS, and Bill). — DRAFT, pending legal review.
Our security philosophy
KLNR is built for professionals — lawyers, accountants, and the organisations that depend on them — who cannot afford to be wrong. Our entire product group is engineered around a single principle: evidence, not words. The same discipline applies to security. We do not ask you to trust assertions; we build verifiable controls, document them, and submit them to independent assessment.
This page describes the security and trust posture of the KLNR group operated by KLNR Labs P.S.A. (a Polish prosta spółka akcyjna), seated in Gdańsk, Poland, and acting as the single data controller for the group. It covers the technical and organisational measures (TOMs) we apply, our AI-specific safeguards, and our roadmap toward formal certification.
This document is a working draft and does not itself form a contract. Binding commitments are set out in the applicable Data Processing Agreement (DPA), Terms of Service, and product documentation. Where this page conflicts with a signed agreement, the signed agreement prevails.
Encryption
We protect data in transit and at rest:
- In transit: All connections to KLNR services use TLS 1.2 or higher, with modern cipher suites and HSTS enforced on public endpoints. Internal service-to-service traffic is encrypted within our hosting environment.
- At rest: Data stored in our databases, object storage, and backups is encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
- Key management: Encryption keys are managed through our cloud provider's managed key infrastructure, with access restricted to authorised systems and personnel and subject to audit logging.
- Cryptographic signing (Sign): Our e-signature product applies cryptographic signatures and trusted timestamps to documents in accordance with the eIDAS Regulation (EU) No 910/2014, producing tamper-evident, independently verifiable records.
- Sensitive secrets: API keys, OAuth tokens, and similar credentials are encrypted and isolated per tenant, never exposed in logs or to other tenants.
Access control & tenant isolation
Access to customer data is governed by least-privilege and need-to-know principles:
- Single sign-on (klnr-gate): Authentication across the KLNR group is centralised through our identity gateway, supporting strong authentication and multi-factor authentication (MFA).
- Role-based and capability-based access: Permissions are granted by role and by granular capability, so that users (and administrators) receive only the access their function requires.
- Tenant isolation: Each customer's data is logically isolated. Our data layer enforces per-tenant boundaries so that one organisation's records, tokens, and documents are never accessible to another.
- Personnel access: KLNR staff access to production systems and customer data is restricted, logged, and granted only where necessary to operate, support, or secure the service. Access is reviewed periodically and revoked promptly on role change or departure.
- Audit logging: Security-relevant events are recorded in append-only audit logs to support investigation and accountability.
Data residency & hosting (EU)
KLNR is an EU establishment, and we design for EU data residency by default:
- Primary hosting: Production data is hosted in the European Union [EU region], with infrastructure operated by a reputable cloud/hosting provider listed on our Sub-processors page.
- EU-first processing: We aim to keep storage and primary processing of customer and personal data within the European Economic Area (EEA).
- International transfers: Where a limited transfer outside the EEA is necessary (for example, certain AI model providers or support tooling), we rely on an adequacy decision or appropriate safeguards under GDPR Articles 44–49, such as the European Commission's Standard Contractual Clauses (SCCs), together with supplementary measures. All sub-processors and transfer mechanisms are disclosed on our Sub-processors page.
- Backups & retention: Backups are encrypted, access-controlled, and retained for a defined period; data is deleted or returned in accordance with the DPA and applicable law on termination.
AI-specific safeguards
KLNR's products use AI to assist professionals. Because AI introduces distinct risks, we apply controls that go beyond conventional application security:
- Human-in-the-loop by design: AI is an assistant and second pilot. A qualified professional authors the work, decides, and signs. KLNR does not present AI output as a substitute for professional judgement, and our products are built to keep the human in control of every consequential action.
- Prompt-injection defences: Content retrieved from documents, emails, web pages, and other untrusted sources is treated as data, not as instructions. We separate system instructions from untrusted content, constrain how retrieved text can influence model behaviour, and monitor for injection patterns — particularly in our AgentOS, Comms, and Search products where external content is ingested.
- Tool-permission governance (AgentOS): AI agents operate under explicit, scoped permissions. Tools and integrations are allow-listed, high-impact actions require confirmation or human approval, and an agent cannot exceed the permissions of the user on whose behalf it acts.
- Evidence-first answering & abstention: Our systems are designed to ground claims in cited sources and to abstain rather than guess when evidence is insufficient. See our Evidence & Methodology page.
- No training on your content: We do not train models on client or legal content. Your matters, documents, and communications are not used to train foundation models, ours or third parties'. Professional secrecy and attorney–client privilege are respected throughout the pipeline.
- Model-provider controls: Where we use third-party AI model providers, we contract for zero-retention or limited-retention processing and prohibit use of customer content for provider model training. Providers are listed on our Sub-processors page.
Application & infrastructure security
We apply defence-in-depth across the software lifecycle:
- Secure development: Code changes go through review; we use automated testing and dependency scanning, and we apply security patches on a risk-prioritised basis.
- Network security: Production environments are segmented, firewalled, and exposed only through hardened, monitored entry points.
- Logging & monitoring: We monitor for anomalies, errors, and security events, with alerting and an internal error-tracking capability that surfaces runtime issues quickly.
- Backups & resilience: Automated, encrypted backups support recovery; database operations are guarded against destructive changes by layered safeguards.
- Vulnerability management: We triage and remediate vulnerabilities based on severity, and we welcome external reports through our Responsible Disclosure programme.
Incident response
We maintain an incident response process to detect, contain, investigate, and remediate security incidents:
- Detection & triage: Security events are monitored and assessed for severity and scope.
- Containment & remediation: We act to limit impact, eradicate the cause, and restore secure operation.
- Notification: In the event of a personal-data breach, we will notify the competent supervisory authority and affected customers as required by GDPR Articles 33–34, and we will provide breach assistance to controllers in accordance with the DPA. We also honour applicable US state breach-notification obligations where relevant.
- Post-incident review: We conduct reviews to capture lessons learned and strengthen controls.
To report a suspected vulnerability or incident, contact [security@klnr.ai] (see Responsible Disclosure below).
Certification roadmap
We are pursuing independent assurance in a deliberate sequence — information security first, then AI management, then service-organisation assurance, alongside EU AI Act readiness. Status markers below are targets and indications of progress, not statements that a certification has been awarded.
| Framework | Scope | Status |
|---|---|---|
| ISO/IEC 27001 | Information security management system (ISMS) | [in progress — target Q[...] 20[...]] |
| ISO/IEC 42001 | AI management system (AIMS) — governance of AI development and use | [planned — target Q[...] 20[...]] |
| SOC 2 Type II | Security, availability, and confidentiality controls over time | [planned — target Q[...] 20[...]] |
| EU AI Act readiness | Risk classification, transparency, human oversight, and documentation aligned to Regulation (EU) 2024/1689 | [in progress — target Q[...] 20[...]] |
We will update this table as milestones are reached and will make summary attestations or reports available to customers under NDA where applicable.
Sub-processors
We use a limited set of vetted sub-processors (for example, hosting and infrastructure, AI model providers, email/SMS, payments, e-signature/eIDAS, KSeF, and analytics). Each is bound by data-protection terms consistent with GDPR Article 28. A current list, with role and location, is maintained on our Sub-processors page, where you can also subscribe to change notifications.
Responsible disclosure
We value the security research community. If you believe you have found a vulnerability in a KLNR product or service:
- Email [security@klnr.ai] with a clear description and steps to reproduce.
- Do not access, modify, or delete data beyond what is necessary to demonstrate the issue; respect the privacy of others.
- Give us a reasonable period to investigate and remediate before public disclosure.
We commit to acknowledging legitimate reports, working in good faith toward a fix, and refraining from pursuing legal action against researchers acting in accordance with this policy.
Regional supplement — European Union (GDPR & EU consumer law)
This supplement applies where the General Data Protection Regulation (EU) 2016/679 (GDPR) and EU/EEA/UK law apply.
- Controller: KLNR Labs P.S.A., [address], Gdańsk, Poland. Registration: [KRS], [NIP], [REGON]; share capital [share capital]. Contact [kontakt@klnr.ai].
- Data protection contact / DPO: [dpo@klnr.ai] / [privacy@klnr.ai].
- Lawful processing & roles: Where KLNR processes personal data on a customer's behalf, KLNR acts as processor under a DPA; for its own purposes (e.g., account administration, security), KLNR acts as controller.
- Data subject rights: We support access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15–22, and we assist controllers in responding to such requests.
- Security of processing: Our measures are designed to meet GDPR Article 32 (technical and organisational measures appropriate to the risk).
- Breach notification: Handled per GDPR Articles 33–34 (see Incident response).
- Transfers: Governed by GDPR Articles 44–49 with SCCs and supplementary measures as needed.
- Supervisory authority: Lead authority is the Polish President of the Personal Data Protection Office (PUODO); you also have the right to lodge a complaint with your local authority.
- Consumer protection: For consumer users, EU consumer-protection rules apply, including transparency, fairness of terms, and statutory withdrawal rights where applicable.
Regional supplement — United States (CCPA/CPRA & other state laws)
This supplement applies to processing subject to US state privacy and consumer-protection laws, including the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and comparable laws in states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others as they take effect.
- Service-provider / processor role: When handling personal information on a business customer's behalf, KLNR acts as a "service provider" (CCPA/CPRA) or "processor" and processes such information only to provide the service.
- No sale or sharing: KLNR does not sell or share personal information for cross-context behavioural advertising, and does not retain, use, or disclose customer personal information outside the direct business relationship.
- Consumer rights: Where applicable, we support and assist with rights to know, access, correct, delete, and to opt out of sale/sharing and certain profiling, as provided by the relevant state law.
- Sensitive information: We limit the use of sensitive personal information to permitted purposes.
- Breach notification: We honour applicable US state data-breach notification requirements.
- Contact: US-related privacy requests may be directed to [privacy@klnr.ai].
Changes & contact
We may update this page as our products, controls, and certifications evolve. Material changes will be reflected here and, where appropriate, communicated to customers.
Effective date: [effective date]. Security: [security@klnr.ai] · Privacy/DPO: [privacy@klnr.ai] / [dpo@klnr.ai] · General: [kontakt@klnr.ai].