Security & Control

Enterprise-Grade Protection with Complete Transparency

Kaman is built with security at its core, providing the robust controls enterprises need while maintaining the transparency and usability your teams require. With multi-scope permissions, comprehensive audit logging, and Observatory telemetry, you have complete visibility into all operations.

Security Architecture

Authentication & Identity

Flexible Authentication Options

Support for your organization's identity management:

Method	Description
Single Sign-On (SSO)	Integrate with your identity provider (SAML, OIDC)
Username/Password	Traditional authentication with strong password policies
Multi-Factor Auth	Additional verification via authenticator apps or SMS
API Keys	Secure programmatic access for integrations
OAuth 2.0	Token-based authentication with refresh support

Identity Provider Integration

Connect to existing identity systems:

Microsoft Azure AD / Entra
Google Workspace
Okta
Auth0
Custom SAML/OIDC providers

Session Management

Control how users interact with the platform:

Configurable session timeouts
Concurrent session limits
Session revocation capabilities
Activity-based session extension
JWT-based token management

Connected Identities

Link external platform accounts to Kaman user identities for seamless cross-channel authentication:

How It Works:

Users link external accounts from Settings > Connected Identities
Verification flows (phone, email OTP) ensure ownership
When a message arrives on a channel, the platform automatically resolves the sender's identity
Resolved users inherit their Kaman permissions, credits, and conversation context
Supports Telegram, WhatsApp, Slack, Discord, Teams, Email, and more

Multi-Scope Access Control

Hierarchical Permission Scopes

Kaman implements a sophisticated multi-scope permission model:

Scope	Access	Use Cases
Global	All users across all organizations	Platform-wide settings, shared models
Client/Organization	All users in an organization	Company-wide policies, shared resources
Role	Users with specific roles	Department-specific access
Private	Individual user only	Personal settings, private data

Resolution Priority: Private → Role → Client → Global

Role-Based Access Control (RBAC)

Define what users can do based on their role:

Permission Levels

Granular control over platform capabilities:

Permission	Description
View	See data and resources
Execute	Run workflows and queries
Edit	Modify configurations and data
Admin	Full control including user management
Delete	Remove data and resources

Data-Level Security

Control access at the data level:

Capabilities:

Row-Level Security - Users see only relevant records
Column Masking - Hide or partially redact sensitive fields
Dataset Permissions - Control access to entire datasets
Dynamic Filtering - Rules that adapt to user context

Multi-Tenant Isolation

Organization Boundaries

Each organization's data is completely isolated:

Isolation Guarantees:

Data stored in separate logical partitions
No cross-organization data access
Independent configuration and customization
Separate credential management per organization

Team Segmentation

Within an organization, further segment access:

Department-based data access
Project-specific permissions
Geographic restrictions
Functional role separation

Data Protection

Encryption

Comprehensive encryption for your data:

State	Protection
At Rest	AES-256-GCM encryption for stored data
In Transit	TLS 1.3 for all network communication
Credentials	AES-256-GCM with secure key management
Backups	Encrypted backup storage

Credential Management

Secure handling of connection credentials:

Credential Management Features:

Multi-scope credential profiles (User, Team, Org)
Universal OAuth Manager - single, unified OAuth flow for all integrations (Google, Zoho, Outlook, and more)
Automatic token refresh and rotation
No plaintext credential storage
Field-type specific handling (OAuth, OIDC, API Key, Basic)
Token normalizer handles provider-specific quirks automatically
Service-to-service authentication via internal service keys

Data Loss Prevention

Prevent unauthorized data exposure:

Export controls and approvals
Sensitive data detection
External sharing controls
Query result limits

Observatory Telemetry

Real-Time Visibility

Kaman's Observatory system provides comprehensive operational visibility:

Tracked Metrics:

Category	Metrics
Performance	TTFT (Time to First Token), latency, throughput
Quality	Response ratings, evaluation scores
Usage	Token consumption, API calls, active users
Errors	Error rates, failure patterns

Conversation Tracking

Every AI interaction is logged:

Session and conversation IDs
Message content and metadata
Tool calls and results
Response quality scores
User feedback

Audit & Compliance

Comprehensive Audit Logging

Every action is recorded:

Event Type	Information Captured
Authentication	Login attempts, session creation, MFA events
Data Access	Queries, views, downloads
Configuration	Settings changes, user management
Workflow	Execution, approvals, modifications
AI Actions	Assistant interactions, sub-agent spawns, tool calls
Integrations	Connection usage, sync operations

Audit Trail Details

Each audit record includes:

Who - User identity and role
What - Specific action taken
When - Timestamp with timezone
Where - IP address, device information
Why - Request context and reason (where applicable)
Result - Success/failure and outcome

Compliance Support

Built-in support for regulatory requirements:

Compliance Features:

Data retention policies
Privacy impact assessments
Automated compliance reports
Evidence collection for audits
OpenLineage for data lineage

Operational Security

Infrastructure Security

Platform infrastructure is hardened:

Regular security patching
Vulnerability scanning
Penetration testing
DDoS protection
Container security

Observability Stack

Comprehensive monitoring with:

Component	Purpose
Grafana	Visualization and dashboards
Loki	Log aggregation
Tempo	Distributed tracing
Alloy	Metrics collection

Network Security

Secure network architecture:

Private network isolation
Firewall rules
IP allowlisting options
VPN connectivity support
TLS everywhere

Monitoring & Response

Continuous security monitoring:

Monitoring Capabilities:

Real-time security event analysis
Anomaly detection
Automated threat response
Security incident reporting

Control & Governance

Approval Workflows

Require human approval for sensitive operations:

Privileged access requests
Data export requests
Configuration changes
New integrations
Sub-agent spawning (optional)

Policy Enforcement

Automatically enforce organizational policies:

Password complexity requirements
Session timeout rules
Data classification enforcement
Acceptable use policies
Rate limiting

Change Management

Control how the platform evolves:

Configuration version control
Change approval processes
Rollback capabilities
Impact assessment

Security Best Practices with Kaman

For Administrators

Implement Least Privilege - Use multi-scope permissions to grant minimum necessary access
Enable MFA - Require multi-factor authentication
Regular Access Reviews - Periodically review user access across all scopes
Monitor Observatory - Watch for unusual activity in telemetry

For Users

Protect Credentials - Never share passwords or API keys
Report Suspicious Activity - Alert security team to concerns
Follow Data Policies - Handle data according to classification
Lock Unattended Sessions - Secure your workstation

For Developers

Use API Keys Securely - Rotate regularly, never hardcode
Validate Inputs - Prevent injection attacks
Encrypt Sensitive Data - Use platform encryption features
Follow Secure Coding - Apply security best practices

Security & Control - Enterprise protection with multi-scope permissions and complete transparency