Karmaflow
Login

Enterprise Security

Trust and control,
built into execution.

Karmaflow enforces identity, policy, and approval controls inside the same runtime where your workforce acts — anchored in Canadian infrastructure and Google Cloud’s defense-in-depth model.

Download Security OverviewTalk to our AI bouncers
  • Canadian data residency
  • Google Cloud security framework
  • Zero Trust internal access
  • Encryption at rest & in transit

Compliance posture

Compliance at a glance

A snapshot of the controls and practices in place across the platform today.

Active

Canadian data residency

Core databases and processing in Montréal, Québec.

Active

Google Cloud security framework

Infrastructure aligned to Google’s enterprise security baseline.

Active

Google Workspace Enterprise

Identity, access, and endpoint management for all internal systems.

Verified

Vetted subprocessors

Independently audited AI infrastructure partners under DPAs.

Ongoing

Continuous assurance

Internal controls reviewed and tested on a documented cadence.

Data governance

Residency on your terms

Canadian customers run on Canadian infrastructure by default — covered by PIPEDA. We accommodate alternative regions and regulatory frameworks for customers with specific requirements.

Primary residency
  • Canada · MontréalDefault · PIPEDA
  • European UnionOn request
  • United StatesOn request
  • Customer-specified regionOn request
Primary data — stays in region

Canada · Montréal by default · alternative regions on request

  1. 01Member & client PII
  2. 02Conversation logs & analytics
  3. 03Business intelligence data
  4. 04Application databases
  5. 05Audit logs & access records
Inference — always transient

AI APIs · no retention · no training, regardless of region

  1. 01LLM inference via OpenAI API
  2. 02LLM inference via Google AI API
  3. 03Voice synthesis via Cartesia
  4. 04Speech recognition via Deepgram
  5. 05No subprocessor retains or trains on data

Compliance frameworks: PIPEDA covered by default for Canadian customers. GDPR-aligned handling, customer-specific obligations, and reduced-retention requirements are accommodated through your Data Processing Agreement.

Subprocessors

Vetted AI infrastructure partners

A limited set of independently audited providers, each bound by Data Processing Agreements that prohibit retention or use of client data for training.

SubprocessorRoleData location
OpenAILarge language model inference (GPT series)USA
Google AI (Gemini)Large language model inference (Gemini series)USA
DeepgramReal-time speech-to-text recognitionUSA
CartesiaNeural text-to-speech voice synthesisUSA
LiveKitReal-time WebRTC voice infrastructureUSA
TwilioSMS & voice communications deliveryUSA
MailgunTransactional email deliveryUSA

API communications are encrypted in transit using TLS 1.3. Clients may request access to logs pertaining to their account or negotiate reduced retention windows where supported.

Runtime controls

Prevent → Control → Observe

The same loop runs around every agent action: stop what shouldn’t happen, route what needs review, and record everything that does.

Prevent

Screen inputs, evaluate policy gates, verify scope, and block unauthorized actions before execution.

  • Scope checks
  • Policy match
  • Risk thresholds
  • Data class rules

Identity, infrastructure & encryption

Zero Trust posture, end to end

Every access decision — to infrastructure, data, or systems — is authenticated, authorized, and logged. Identity is the perimeter.

P/01

Identity & access

  • SSO enforced across all internal systems
  • Phishing-resistant MFA (FIDO2 / hardware keys)
  • Context-aware policies — device, IP, risk signals
  • Least-privilege; privileged access reviewed quarterly
P/02

Cloud infrastructure

  • VPC Service Controls isolate sensitive perimeters
  • IAM scoped by function — no shared credentials
  • Cloud Armor WAF + DDoS mitigation on public endpoints
  • Container signing & continuous misconfiguration scans
P/03

Encryption & secrets

  • AES-256 at rest via Google Cloud KMS
  • TLS 1.3 enforced on all communications
  • Secrets in Google Secret Manager — never in code
  • Database access encrypted; no direct public exposure
P/04

Operational discipline

  • No offshore personnel — all team members in Canada
  • Background screening prior to onboarding
  • Annual security awareness training for all staff
  • Documented Incident Response Plan, tested annually

Documentation

Download the Platform Security Overview

A 5-page briefing covering infrastructure, data governance, subprocessors, identity controls, and organizational security practices — written for security and procurement teams.

  • Compliance & certification posture
  • Cloud architecture & Canadian residency model
  • Subprocessor relationships and DPAs
  • Identity, access, and encryption controls
  • Organizational practices: people, process, policy
Download PDFRequest a security review session →

Built for enterprise trust from day one.

Autonomy with boundaries. Trust with visibility.

Platform featuresRequest a demo
See Integrations (MCP)Review DPA resourcesSubprocessor list