KalinkloOS

Enterprise & Security

Enterprise answers, before the questionnaire arrives.

One OS. Two engines. One production record — governed by reviewed access, least-privilege permissions, an auditable record of every action, and honest answers about what is live today and what is not.

Security posture

The controls, running in production.

Each item maps to a control in force today, not a promise. The full practice register, where these six expand into fourteen, lives on /security.

Reviewed access, private by default

Signing up creates a pending-approval account; an admin reviews before any dashboard data opens. There is no path that bypasses the gate. Reviewed-access codes can fast-track trusted workspaces.

Role-based access control (RBAC)

One identity opens role-scoped workspaces. Members, substitutes, librarians, personnel managers, artists, agents, presenters, and admins each see only the records their role can safely use. Entitlements gate sensitive actions (e.g. exports require CAN_EXPORT_REPORTS).

Audit log on every transition

Every state change — request, hold, quote, contract, invoice, settlement, document open, acknowledgement, admin action, SSO enable/disable — writes to the audit log with actor, timestamp, entity, and payload diff. Both parties to an engagement see its chain.

Multi-tenant isolation

Every protected endpoint runs an ownership check before responding. Cross-workspace detail probes collapse to 404 so an attacker cannot distinguish a real record from one they cannot access. List endpoints scope queries to the caller's workspace.
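
One way to implement and regression-test the 404 collapse described above. This is an added example, not Kalinklo's code; the workspace ids, record ids, and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Engagement:
    id: str
    workspace_id: str
    title: str

# Constructed sample data standing in for the database.
ENGAGEMENTS = [
    Engagement("eng-1", "ws-a", "Spring gala"),
    Engagement("eng-2", "ws-b", "Studio session"),
]

NOT_FOUND = (404, {"error": "not_found"})

def get_engagement_leaky(caller_ws, engagement_id):
    """Anti-pattern: fetch by id first, then answer the ownership check separately."""
    rec = next((e for e in ENGAGEMENTS if e.id == engagement_id), None)
    if rec is None:
        return NOT_FOUND
    if rec.workspace_id != caller_ws:
        return (403, {"error": "forbidden"})  # a distinct status confirms the id exists
    return (200, {"id": rec.id, "title": rec.title})

def get_engagement(caller_ws, engagement_id):
    """Hardened: id and workspace are matched together, so a foreign record
    and a missing record take the same branch and return the same response."""
    rec = next(
        (e for e in ENGAGEMENTS
         if e.id == engagement_id and e.workspace_id == caller_ws),
        None,
    )
    return NOT_FOUND if rec is None else (200, {"id": rec.id, "title": rec.title})

def list_engagements(caller_ws):
    """List endpoint: the workspace filter is part of the query itself."""
    return [e.id for e in ENGAGEMENTS if e.workspace_id == caller_ws]

def leaks_existence(handler, caller_ws, foreign_id, missing_id):
    """Regression check: True if a foreign id and a missing id are answered differently."""
    return handler(caller_ws, foreign_id) != handler(caller_ws, missing_id)
```

Running `leaks_existence` against every detail handler in a test suite catches a reintroduced 403 or a differently worded error body before it ships.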

MFA on privileged surfaces

Admin dashboards require both a valid session and the admin MFA gate. Sign-in is passwordless by default (magic link); enterprise workspaces can enable OIDC SSO when configured.

Rate limits + brute-force guards

Mutation endpoints carry per-actor rate limits. Public submission endpoints are limited per IP. Failed sign-in attempts are throttled and logged. CSP denies inline scripts and framing; no third-party tracking pixels load on the public site.

Enterprise identity

SSO and SCIM, code-ready and owner-configured.

The identity surfaces ship in the product. They are invisible on a default deployment and activate when your administrator supplies the configuration — no separate build, no engineering engagement.

OIDC single sign-on — per-org, fail-closed
Each organization configures its own OIDC identity provider (issuer, client ID, encrypted client secret, allowed email domains) from workspace settings. SSO is off by default and fails closed: the login route returns 404 when no enabled config — or no encryption key — is present, and never reveals whether a slug exists when SSO is off. The flow uses PKCE with short-lived state, nonce, and verifier cookies. Enable/disable is audited (ORG_SSO_ENABLED / ORG_SSO_DISABLED).
SCIM 2.0 provisioning
A per-org SCIM Users endpoint provisions and de-provisions members from your IdP using a per-org bearer token, compared timing-safe. Every SCIM read and write is scoped to the organization. On any auth failure the endpoint returns 401 without distinguishing 'unknown org' from 'bad token', so it never confirms which slugs exist.
Activation is an owner step, not a code change
The SSO and SCIM code paths ship in the product. They activate when your administrator supplies the IdP configuration and the deployment carries the SSO encryption key — no engineering work, no separate build. Until then the surfaces stay invisible. We do not advertise a managed SSO offering beyond this self-configured model.
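
An added example of the SCIM bearer-token check described above: one timing-safe comparison on every request and a single 401 for every failure. It is not Kalinklo's code; the org slugs, tokens, digest-only storage model, and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()

# Assumed storage model: only a SHA-256 digest of each org's SCIM token is kept.
# Slugs and tokens below are constructed sample values.
SCIM_TOKEN_DIGESTS = {
    "example-orchestra": _digest("constructed-token-A"),
    "example-opera": _digest("constructed-token-B"),
}

# Compared against when the slug is unknown, so that path does the same work
# as a known slug with a wrong token.
_DECOY_DIGEST = secrets.token_bytes(32)

# The one response returned for every authentication failure.
UNAUTHORIZED = (401, {"WWW-Authenticate": "Bearer"}, '{"detail": "Unauthorized"}')

def authenticate_scim(org_slug: str, authorization: Optional[str]):
    """Return (200, org_slug) on success, otherwise UNAUTHORIZED.

    Unknown org, missing header, wrong scheme, and wrong token are all
    answered with the same status, headers, and body.
    """
    scheme, _, presented = (authorization or "").partition(" ")
    well_formed = scheme.lower() == "bearer" and presented != ""
    expected = SCIM_TOKEN_DIGESTS.get(org_slug)
    known = expected is not None
    # Hashing both sides gives two 32-byte values, so compare_digest always
    # runs over equal-length inputs regardless of what the client sent.
    matches = hmac.compare_digest(
        _digest(presented), expected if known else _DECOY_DIGEST
    )
    if known and well_formed and matches:
        return (200, org_slug)
    return UNAUTHORIZED
```

Because the token is looked up per org, a valid token for one organization fails against another organization's endpoint with the same 401.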

Data & privacy

Your data, your control — in and out.

Export self-serve, delete on demand, and read the retention windows before you ask. The full retention table and processor list are on /privacy and /security.

You own your data
Your roster, relationships, and records are yours. We do not sell or share contact data, and we never use it for marketing outside Kalinklo.
Self-serve export
Export at any time from the reports center — 20+ tenant-scoped CSV exports across requests, bookings, quotes, contracts, invoices, settlements, collections, disputes, roster, and activity. Export requires the CAN_EXPORT_REPORTS entitlement and is scoped server-side.
Deletion on demand
Workspace owners can delete vault documents on demand; superseded uploads are preserved in the audit trail for integrity. Engagement business records carry legal retention obligations (below) and are handled accordingly.
Retention, by record class
Engagement records: life of the workspace + 7 years after closure (tax/legal). Vault documents: as long as the workspace exists, owner-deletable. Authentication events: 12 months. Health probes log no PII. The full table lives on /security.
DPA — template now, countersignature on request
A Data Processing Agreement template is downloadable right now (no request needed). For a countersigned copy for your organization, write to security@kalinklo.com. GDPR and HK PDPO posture is covered; EU + US database regions; subprocessors published.
No tracking on the public site
The public site runs no marketing analytics and loads no third-party tracking cookies. Any future first-party measurement would be disclosed in the privacy notice before launch.

Integrations

Honest status — live, provider hold, planned.

We do not list aspirational integrations as live. Calendar feeds are live and one-way; payments and e-signature are on provider hold; deeper provider calendar sync is planned. The complete table is on /integrations.

Calendar feeds (.ics): Live
Read-only, one-way feeds — subscribe in any calendar app or download a file. My Week via tokened URL; public profiles expose an availability feed. Not two-way sync.
Payments (Airwallex): Provider hold
Subscription/payment-provider path where configured. Engagement settlement is recorded manually during the founding period. Payment collection stays out of public claims until an owner-approved charge + webhook proof pass.
Email (Resend): Provider hold
Transactional email path for magic-link sign-in, notifications, invites, and digests. Webhook signatures verify server-side. Live self-serve email is claimed only after domain, send, webhook, and bounce proof.
E-signature (Dropbox Sign / DocuSign): Provider hold
Contract signature path. Today contracts version, preview, download, manual-upload, and audit-track inside Kalinklo. Provider-backed signing stays out of public claims until proof passes.
Provider calendar sync: Planned
Deeper Google/Outlook provider sync for availability and confirmed engagements. Not shipped — today's read-only .ics feeds already work in Google Calendar and Outlook.
Error monitoring (Sentry): On request
Active only when SENTRY_DSN is configured. PII scrubbed before transmit.

AI safety

Drafts only. A human approves every commitment.

The same boundary is published on the AI policy on /security.

01. Drafts only — never an action

Where a workspace explicitly enables AI, it may summarize or draft internal text. It may not sign contracts, send external messages, issue invoices, process payments, publish materials, or change settlement state.

02. A human approves every commitment

No counterparty-facing message, contract, invoice, or settlement change moves without a person confirming the exact payload. The approval itself is audited — who clicked, when, on what.

03. Off by default, minimal context

AI is off entirely when no provider key is set. When on, prompts carry only the specific text being drafted — not your document library — and your data is not used to train models. Each run is logged (task, model, token counts, approval outcome).

Compliance status

Where we are on certification — honestly.

We do not yet hold SOC 2 or ISO 27001. We will not say otherwise. The controls those audits examine are live today and listed above. What follows is the certification path, stated as targets.

SOC 2 Type I: In preparation
Readiness assessment of point-in-time control design. We do not hold this certification today.
SOC 2 Type II: Planned
A multi-month observation window evidencing controls over time — begins after Type I. The report most US institutions ask for. Not held today.
ISO 27001: Planned
Stage 1 documentation review, then Stage 2 certification audit. The European procurement standard. Not held today.
GDPR + HK PDPO: Available now
DPA template downloadable from the Trust Center; processor list published; EU + US database regions.

The full roadmap with status notes is on /security.

Procurement FAQ

Straight answers before the questionnaire.

The general FAQ covers pricing, visibility, and settlement on /faq. These are the buyer, legal, and IT questions.

Are you SOC 2 or ISO 27001 certified?

Not yet, and we will not say otherwise. The controls those audits examine — audit logging, tenant isolation, gated documents, MFA, defined retention — are live today and documented on /security. SOC 2 Type I is in preparation; SOC 2 Type II and ISO 27001 are planned.

Do you support SSO and SCIM?

Yes — both code paths ship in the product. OIDC SSO is per-org, fail-closed, and PKCE-based; SCIM 2.0 provisioning uses a per-org bearer token. Both activate when your administrator supplies the IdP configuration (and the deployment carries the SSO encryption key). There is no separate build or engineering engagement required.

Can we get a Data Processing Agreement (DPA)?

Yes. The DPA template is downloadable right now — no request needed. For a countersigned copy for your organization, write to security@kalinklo.com.

Can we export — and delete — our data?

Yes. Export 20+ tenant-scoped CSVs from the reports center at any time. Owners can delete vault documents on demand; engagement business records follow the published legal-retention windows.

Can we take payments and e-sign contracts inside Kalinklo today?

Not as a public claim. Settlement is recorded manually during the founding period and contracts version/preview/upload/audit inside Kalinklo; provider-backed payment collection and e-signature stay on provider hold until owner-approved proof passes. The honest, current status for every integration is on /integrations.

How do we submit a security questionnaire?

Send it to security@kalinklo.com. Completed questionnaires come back with current control evidence; the same address handles DPA countersignatures and vulnerability reports, on the response timeline published on /security.

How is access granted — can anyone self-serve into our data?

No. Access is reviewed: signup creates a pending-approval account, and an admin approves before any dashboard data opens. Public pages never expose real workspace, member, artist, or engagement data.

Diligence, answered

Security review should not start from a sales deck.

Start with the trust packet and DPA above. For vendor questionnaires, DPA countersignature, or institution-specific review, write to the office.