Quietly serious about the basics.
Kelzop handles real customer conversations on real business numbers. Here’s how we treat that responsibility, without the buzzword bingo.
Encryption
TLS 1.2+ for all transport. Message bodies encrypted at rest in cloud storage and on the device’s local queue.
Access control
Role-based access (Owner, Admin, Agent, Viewer). MFA available for user accounts. Per-device credentials, revocable from the web at any time.
Audit logging
Every meaningful action (sign-ins, role changes, message sends, opt-out reversals) is recorded with actor, timestamp, and context.
Opt-out enforcement
STOP, UNSUBSCRIBE, CANCEL, END, and QUIT are detected on every inbound message and enforced at lease time so a blocked recipient can’t be messaged again.
Tenant isolation
Tenant data is strictly scoped at the database, API, and webhook level. No cross-tenant queries, ever. Periodic isolation checks in CI.
Data handling
Encrypted cloud storage with documented retention windows. Regional hosting available on request for customers with specific residency needs.
Replay protection
Device-to-cloud requests are signed with timestamps and nonces. Stale or replayed requests are rejected.
Responsible disclosure
Found something? We want to hear from you. No drama, no legal threats. Just a thank-you and a fix.
Report a security issue
If you believe you’ve found a vulnerability in Kelzop, please email us. We aim to acknowledge within one business day and work with you on disclosure timing.
We do not currently run a public bug bounty, but we genuinely appreciate responsible disclosure and credit reporters in our release notes (with permission).
Security shouldn’t be a feature flag.
It’s built into how Kelzop works.