Trust & Security

Premium means disciplined.

Kleos calls real people on behalf of real businesses, so trust is the product. Here is exactly how we keep partner data isolated, outreach compliant, and the AI honest.

Compliance is a product gate

No documented lawful basis, no call. Every campaign passes consent verification, DNC/suppression screening, local calling-window checks, and AI-disclosure rules before a single dial. Compliance is enforced in the product, not left to the operator.

Your data is isolated

Every partner's prospects, calls, and transcripts are separated by row-level security. One partner can never read another partner's data — isolation is enforced at the database, not just the UI.

Least privilege by design

Privileged operations run server-side with a separate service role. Kleos's research and QA automation can prepare and report, but can never launch calls, change consent or suppression, or touch billing on its own.

Encrypted and minimal

Sensitive tokens (like calendar OAuth) are encrypted at rest with AES-256-GCM, and everything is served over TLS. On a connected calendar we read only free/busy and write the single booked event — never your event titles or attendees.

Safe by default

Every external lane — calling, SMS, email, billing, number provisioning — ships off and stays off until it is explicitly enabled with a hard flag and real credentials. Secrets are never committed to the codebase.

Learning under human review

Transcripts are redacted before anything is retained. No model change reaches production until it passes Kleos's evaluation gates and a human approves it. Nothing silently mutates live behavior.

Honest AI

The assistant never claims to be a specific human and never denies being AI when asked. It identifies the business it calls for, gives a valid callback path, and honors an opt-out immediately.

Consent and suppression, kept

Consent — its wording, source, and any revocation — is recorded in a ledger. Opt-outs are retained as suppression records rather than deleted, so a person who opts out keeps being honored across every future campaign.

Subprocessors

  • Retell AI — AI voice orchestration
  • Twilio — telephony & SMS
  • Google & Microsoft — calendar free/busy
  • Stripe — billing & payments
  • Resend — transactional email
  • Anthropic — LLM for research & coaching
  • Supabase — database & auth
  • Vercel — application hosting

Each is bound by data-protection terms. Full terms are in the Data Processing Addendum.

Your data rights

Access, correction, deletion, and objection to direct marketing are covered in the Privacy Policy. How the AI discloses itself and how to opt out are covered on the AI Disclosure page.

Report a vulnerability

Found a security issue? We want to hear from you: security@kleos.click. Please give us a reasonable window to remediate before any public disclosure.