Security at Kiavi
How we protect your users and your data, in plain language.
Your data stays in the EU
Authentication instances, databases, and signing keys are hosted on Scaleway in Paris (fr-par). Static assets are served by Bunny CDN over EU edge locations. We do not depend on Big Tech cloud providers, and your users' data does not leave the European Union. Additional EU regions are on the deployment roadmap.
Real per-tenant isolation, not a shared user table
Every customer application gets its own dedicated authentication endpoint, its own dedicated PostgreSQL database on Scaleway, and its own JWT signing secret stored in a per-tenant Scaleway Secret. There is no shared user table, no shared signing key, and no cross-tenant query path. A compromise in one tenant cannot reach another.
Passwordless by default
Kiavi is passkey-first, with email one-time codes and OAuth social login alongside. Password-based login is disabled: we do not store, hash, or accept passwords. The result is fewer phishing surfaces, no password reset flows, and a login experience that is faster than the legacy alternatives.
Encryption in transit and at rest
All traffic is served over TLS, enforced at the edge by our CDN. Databases run on Scaleway with encryption-at-rest enabled, and per-tenant signing secrets live in Scaleway Secret Manager; they are never stored in plaintext environment variables and never hard-coded in our application code.
Built on a proven open source core
Our authentication engine is Better Auth, a widely used open source library that you can audit, fork, and self-host if you ever need to. We add the operational layer most teams build themselves: a managed deployment per tenant, a user management UI, daily and monthly active user dashboards, and a structured audit log. Open source where it counts; managed where it should be.
Full audit log of every authentication event
Sign-ins, sign-outs, passkey registrations, OAuth connections, admin actions, and failed login attempts are all written to a structured audit log with IP and user-agent context. You can review activity in the management UI, watch DAU and MAU trends in real time, and meet evidence-collection requirements for your own compliance program.
Rate limiting and abuse protection
Public authentication endpoints are rate limited per identifier and per IP to keep credential stuffing and brute-force attempts from making it through. API keys issued by your tenant are rate limited independently so a noisy integration cannot affect end-user logins.
Incident response and breach notification
In the event of a security incident affecting your tenant, we notify you in line with GDPR Article 33, within 72 hours of becoming aware of it, with the scope, the affected data categories, and the remediation we have taken. Our internal response procedures are being formalised into a published playbook as part of our compliance roadmap.
Compliance and certifications
Kiavi is GDPR compliant by design. We sign a default Data Processing Agreement with every customer and publish our complete subprocessor list. We are at the start of our formal certification journey for ISO 27001 and SOC 2 Type II. Until those certificates are issued we will not claim them; the controls behind them, however, are already in place.
Report a vulnerability
Found a security issue? Please email security@kiavi.eu. Do not open a public GitHub issue. We respond within one business day.