Security settings live in Settings → Security. What’s available depends on your plan.

Two-factor authentication (2FA)

Every user can enable 2FA on their own account (see Password & 2FA). 2FA is backed by Fortify with TOTP authenticator apps and one-time recovery codes. Available on all plans.

Single sign-on (SSO)

Coming soon — Scale plan. Track availability on the Keloa roadmap.
When SSO ships, the planned protocols are:
  • SAML 2.0 (Okta, Azure AD, JumpCloud, etc.)
  • OIDC (Google Workspace, generic OIDC providers)
Until then, secure your workspace with required 2FA and unique passwords per teammate.

Audit log

Settings → Security → Audit log records every admin action:
  • Member invites, role changes, removals
  • Channel connects and disconnects
  • Knowledge source adds and deletes
  • Flow publishes
  • Retention policy changes
  • Data exports and contact deletions
Each entry records the timestamp, operator, IP address, and user agent. The audit log itself is available on Business and Scale. CSV export of the audit log is Scale only.
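One way to review an exported audit log offline, as an added example that is not Keloa's own code: it flags high-impact admin actions made from an IP address the operator only recently started using. The column names, action labels, and 24-hour window are assumptions, since the export's actual layout is not documented here.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in an ASSUMED column layout; check the real export's headers.
SAMPLE_CSV = """timestamp,operator,action,ip_address,user_agent
2025-03-01T09:00:00Z,alice@example.com,member.invite,203.0.113.10,Mozilla/5.0
2025-03-01T09:05:00Z,alice@example.com,flow.publish,203.0.113.10,Mozilla/5.0
2025-03-02T10:00:00Z,bob@example.com,channel.connect,198.51.100.7,Mozilla/5.0
2025-03-03T02:14:00Z,alice@example.com,data.export,192.0.2.55,curl/8.5.0
2025-03-03T02:15:00Z,alice@example.com,retention.change,192.0.2.55,curl/8.5.0
2025-03-04T11:00:00Z,bob@example.com,member.role_change,198.51.100.7,Mozilla/5.0
"""

# Hypothetical action labels for the high-impact events in the list above.
SENSITIVE = {"member.role_change", "member.remove", "retention.change",
             "data.export", "contact.delete"}
NEW_IP_WINDOW = timedelta(hours=24)  # how long an IP counts as "new" for an operator


def parse_ts(value):
    # Assumed timestamp format: ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review(csv_text):
    """Return sensitive entries made from an IP the operator only recently started using."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: parse_ts(r["timestamp"]))
    first_seen = {}  # (operator, ip) -> first time that pair appears
    baseline = {}    # operator -> time of the operator's first entry
    findings = []
    for row in rows:
        when, op, ip = parse_ts(row["timestamp"]), row["operator"], row["ip_address"]
        baseline.setdefault(op, when)
        ip_first = first_seen.setdefault((op, ip), when)
        # The IP on an operator's very first entry is the baseline and is not flagged.
        is_new_ip = ip_first > baseline[op] and when - ip_first <= NEW_IP_WINDOW
        if row["action"] in SENSITIVE and is_new_ip:
            findings.append((row["timestamp"], op, row["action"], ip, row["user_agent"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CSV):
        print(*finding, sep="  ")
```

Because the first IP seen for each operator is treated as the baseline, the export should start from a period you trust.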

Session management

  • Sessions follow Laravel’s default lifetime (30 days of inactivity).
  • Force sign-out of all sessions from Settings → Security → Revoke all sessions.

Brute-force protection

Login endpoints are rate-limited (5 attempts per minute per IP). Repeated failures lock the account for 15 minutes and email the account owner.

Bug bounty

We run a private bug bounty. Report vulnerabilities through responsible disclosure at security@keloa.ai; we respond within 24 hours.

Compliance

  • GDPR-compliant. Data Processing Agreement available on request.
  • SOC 2 Type II (in progress, target 2026).
  • ISO 27001 (planned).
See Data & privacy for the privacy-facing controls.