Security
Practices, not posture.
What follows is the practice today — and each item maps to code shipped in this repository, not a promise.
Practices
What we do
Twelve practices in force today — a register, not a slogan.
Approval-gated access
Kalinklo Artists is private by default. Signing up creates a pending-approval account; an admin reviews and approves before dashboard access opens. Reviewed-access codes shared by the platform admin can fast-track trusted workspaces. There is no path to dashboard data that bypasses the approval gate.
Public visibility is opt-in
Public pages — homepage, pricing, security, managed services — never expose real artist, agency, presenter, or engagement data. The /artists, /agents, and /presenters directories show fictional demo profiles only, clearly labeled. A real artist profile becomes publicly searchable only after the artist explicitly opts in.
Artists cannot see other artists
By default an artist account sees only its own profile, availability, requests, holds, quotes, contracts, invoices, documents, and the agencies/presenters connected to engagements it participates in. There is no general browse-all-artists directory inside the platform for artist-role users.
Agencies see only their roster
An agency workspace sees only its represented artists, the requests/holds/contracts/invoices that involve its roster, and its own portal settings. It cannot see other agencies' rosters or operations.
Presenters / orchestras stay private
A presenter or orchestra workspace sees only its own season planner, shortlists, engagements, requests, contracts, invoices, and documents. Plan-gated discovery may surface artists who have explicitly opted in to be discoverable by approved presenters; otherwise no cross-presenter visibility exists.
Four visibility levels, per artist
Public (search-indexed folio) · Private listing (visible only to verified presenters and partner agencies inside the platform, no SEO) · Stealth roster (visible only to the artist's agency workspace and explicitly-invited presenters) · Workspace-private (engagements never leak — only artist, agency, presenter, and counsel ever see them). Default for represented artists is private listing, not public.
Human approval before commitment
No counterparty-facing message, contract, invoice, or settlement change moves without a person confirming the exact action. The approval itself is audited — who clicked, when, and on which payload.
Audit log on every transition
Every state change — request submitted, hold placed, quote sent, contract issued, invoice paid, settlement recorded — writes to the audit log with actor, timestamp, entity, and payload diff. Both parties to an engagement see the audit chain for that engagement.
Tenant boundaries
Every protected endpoint runs through an ownership check before responding. Cross-tenant requests return 403 — not 404, not 200 with empty data — so probing is detectable. List endpoints scope queries to the caller's workspace.
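An added illustration of the tenant-boundary rule above (example code, not Kalinklo's own implementation): a single-record handler that answers 403 for a record owned by another workspace, 404 only when the record does not exist, and a list handler whose scope comes from the session rather than from client input. The in-memory store, workspace ids and record ids are constructed for the example.

```javascript
// Added example, not Kalinklo's code: cross-tenant reads answer 403
// (never 404, never 200 with empty data); list queries are scoped by the
// authenticated session. Store contents and ids below are constructed.
const engagements = new Map([
  ["eng-1", { id: "eng-1", workspaceId: "ws-a", title: "Spring recital" }],
  ["eng-2", { id: "eng-2", workspaceId: "ws-b", title: "Autumn tour" }],
]);

// Denied cross-tenant attempts are recorded so probing shows up in logs.
const denials = [];

// Single-record endpoint: existence is checked first, ownership second,
// so a record that exists in another workspace is reported as forbidden,
// not as missing, and never as an empty success.
function getEngagement(session, id) {
  const record = engagements.get(id);
  if (!record) {
    return { status: 404, body: { error: "not found" } };
  }
  if (record.workspaceId !== session.workspaceId) {
    denials.push({ actor: session.userId, workspace: session.workspaceId, entity: id });
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: record };
}

// List endpoint: the workspace filter is taken from the session only.
// A client-supplied query.workspaceId is deliberately ignored.
function listEngagements(session, query = {}) {
  const rows = [...engagements.values()].filter(
    (r) => r.workspaceId === session.workspaceId
  );
  return { status: 200, body: rows };
}

function deniedAttempts() {
  return denials.length;
}

// Stand-alone demonstration with a constructed session.
const alice = { userId: "u-1", workspaceId: "ws-a" };
console.log(getEngagement(alice, "eng-1").status); // 200
console.log(getEngagement(alice, "eng-2").status); // 403
console.log(getEngagement(alice, "eng-9").status); // 404
console.log(listEngagements(alice, { workspaceId: "ws-b" }).body.length); // 1
```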
Operations not public
Health endpoints (/api/health, /api/health/live, /api/health/ready) are public. The version endpoint requires an internal ops token; without it, it returns 404. Admin dashboards require both a session and the admin MFA gate.
Content Security Policy
CSP denies inline scripts, restricts connect-src to known origins, and denies framing. We do not load third-party tracking pixels. No marketing analytics on the public site.
Rate limits + brute-force guards
Mutation endpoints carry per-actor rate limits. Public submission endpoints (/api/request-hold, /api/help/contact) are limited per IP. Failed sign-in attempts are throttled and logged.
The guarantee, in three lines
Every transition is recorded.
Request, hold, quote, contract, invoice, settlement — each one writes to the audit log.
No action skips a human.
A person approves counterparty-facing messages, contract changes, invoice changes, and settlement records.
No workspace sees another.
Every endpoint runs an ownership check. A cross-tenant request returns 403.
The boundary
What we will not do
We will not sell or share contact data
Your roster, your relationships, your records. We never resell them to third parties or use them for marketing outside Kalinklo.
We will not auto-publish unverified listings
Verification gates discovery. An unverified workspace can file requests but cannot be found by search.
We will not let automation replace approval
Messages, contracts, invoices, and money-state changes require an attributable human confirmation path.
We will not custody payment funds without a contract that says so
By default we record obligations and settlements; money moves bank-to-bank or via your existing processor.
Subprocessors
The vendors that touch your data
Each vendor is named, contracted with a DPA, and minimised in scope. We add a new subprocessor only when a feature needs one — and update this list before the change goes live.
- Neon (Postgres): primary application database. EU + US regions, point-in-time recovery enabled, encrypted at rest and in transit.
- Vercel: application hosting, edge functions, and Blob storage for documents. SOC 2 Type II.
- Resend: transactional email (magic-link sign-in, engagement notifications). Webhook signatures verified server-side.
- Airwallex: subscription/payment-provider integration where configured. Engagement settlement is recorded manually during the founding period; we never store full card details.
- Sentry (optional): error monitoring. Configured only when SENTRY_DSN is set. PII scrubbed before transmit.
Data retention
How long we keep what
Business records carry legal retention obligations; operational telemetry does not. We treat them differently, and document each.
- Engagement records: kept for the life of the workspace plus 7 years after closure (tax/legal). Includes requests, holds, quotes, contracts, invoices, audit logs.
- Documents in vault: kept as long as the workspace exists. The owner can delete on demand; superseded uploads are preserved in the audit trail.
- Authentication events (sign-in attempts, MFA events, session creation): 12 months.
- Health probe + analytics: health endpoints log no PII. We do not run third-party analytics on the public site.
Responsible disclosure
How to report a vulnerability
Mail security@kalinklo.com with reproduction steps. We acknowledge, triage, fix, and credit you on the timeline below. Do not test against another workspace's data without written authorisation.
- 01 Initial acknowledgment: within 2 business days.
- 02 Triage + severity: within 5 business days.
- 03 Patch or remediation plan: Critical: 7 days · High: 30 days · Medium: 90 days · Low: best-effort.
- 04 Public disclosure: by mutual agreement after the patch deploys. Credit attribution if requested.
We don't currently run a paid bug-bounty programme. Severe findings may be recognised with a written letter and an account credit at our discretion.
Disclosure
Found a problem? Tell us.
If you discover behaviour at odds with anything above, write to the office — we answer.