Security
Request signing, encrypted collection, and how KaizoCore protects its own infrastructure.
Request authentication
Every API call — from your backend and from the collector SDK — is
HMAC-SHA256 signed, with replay protection via a timestamp window (±5
minutes) and a per-request nonce. See
The /v1/decide API for the exact
signing scheme.
Encrypted collection payload
The behavioral data FORGE collects is sent over an ECDH-negotiated encrypted channel, established fresh per session — not just relying on HTTPS transport encryption, but an additional application-layer encryption step specifically for the collection payload.
Fingerprint anonymization
Device fingerprints stored in the cross-customer bad-actor registry are SHA-256 hashes of combined device signals — never raw, reversible device data, and never PII.
Monitoring
KaizoCore's production infrastructure runs on Google Cloud Run with active error-rate alerting, structured logging, and a daily automated data-retention job — see Data retention.
Reporting a security issue
If you believe you've found a security vulnerability in KaizoCore, reach out through your dashboard rather than filing it as a public issue.