Kamili Mail, made by Kamili Labs

Last Updated: April 1, 2026

Security Practices

1. Encryption

  • In transit: All data is encrypted using TLS 1.3 for connections between your device, our servers, and email providers.
  • At rest: OAuth tokens and IMAP/SMTP credentials are encrypted with AES-256 before storage.
  • On-device: AI models and local data are stored using platform-native secure storage (Keychain on iOS/macOS, Encrypted SharedPreferences on Android, OS credential store on desktop).

2. Authentication Security

  • Password hashing: User passwords are hashed using bcrypt with a cost factor of 12.
  • JWT tokens: Short-lived access tokens (15 minutes) with secure refresh token rotation (7-day rolling expiration).
  • OAuth: Email provider connections use OAuth 2.0 where available, with tokens stored encrypted.
  • Two-factor authentication: Optional 2FA via authenticator apps (TOTP) available for all accounts.
  • Session management: HTTP-only cookies for web, encrypted storage for mobile and desktop apps.
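The token lifetimes above (15-minute access tokens, refresh rotation with a 7-day rolling window) are illustrated by the following added example, which is not Kamili Mail's own code. It assumes HMAC-signed "user:expiry" strings as a stand-in for JWTs, a per-process demo signing key, and an in-memory store; a refresh token that is presented again after it has already been rotated is treated as a leaked copy and its whole session family is revoked.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 15 * 60           # 15-minute access tokens
REFRESH_TTL = 7 * 24 * 3600    # 7-day rolling refresh expiration
SIGNING_KEY = secrets.token_bytes(32)  # assumption: per-process demo key, not a real service key


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so a test can move time forward
        self.refresh = {}    # refresh token -> {user, family, exp, used}

    def _access_token(self, user):
        payload = f"{user}:{int(self.now()) + ACCESS_TTL}"
        sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def _issue(self, user, family):
        token = secrets.token_urlsafe(32)
        # Rolling expiration: every rotation restarts the 7-day window for this session.
        self.refresh[token] = {"user": user, "family": family,
                               "exp": self.now() + REFRESH_TTL, "used": False}
        return self._access_token(user), token

    def login(self, user):
        return self._issue(user, family=secrets.token_hex(8))

    def verify_access(self, token):
        # Returns the user when the signature is valid and the token is unexpired, else None.
        user, exp, sig = token.rsplit(":", 2)
        expected = hmac.new(SIGNING_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or int(exp) <= self.now():
            return None
        return user

    def rotate(self, token):
        # Exchanges a refresh token for a new pair; a reused token revokes its whole family.
        rec = self.refresh.get(token)
        if rec is None or rec["exp"] <= self.now():
            return None
        if rec["used"]:
            # Already-rotated token presented again: assume theft, drop every token in the family.
            self.refresh = {t: r for t, r in self.refresh.items() if r["family"] != rec["family"]}
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])
```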

3. Infrastructure Security

  • Hosting: Cloud-hosted with automatic scaling, redundancy, and geographic distribution.
  • Access controls: Strict role-based access control for production systems. All access is logged and audited.
  • Network security: Firewalls, DDoS protection, and network segmentation protect our infrastructure.
  • Dependency management: Automated vulnerability scanning of all dependencies with immediate patching for critical vulnerabilities.
  • Backups: Automated daily backups with encryption. Point-in-time recovery available.

4. Incident Response

We maintain an incident response plan with defined severity levels:

  • SEV-0 (Critical): Data breach or complete service outage. Response within 15 minutes. User notification within 72 hours as required by GDPR.
  • SEV-1 (High): Significant feature degradation. Response within 1 hour.
  • SEV-2 (Medium): Minor feature issues. Response within 4 hours.
  • SEV-3 (Low): Non-urgent issues. Response within 24 hours.

All incidents are reviewed post-resolution with root cause analysis and preventive action.

5. Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it to:

security@kamililabsllc.com

We will acknowledge receipt within 24 hours and work to resolve verified vulnerabilities promptly. We do not pursue legal action against researchers who follow responsible disclosure practices.