Security & trust

We treat employee trust as a load-bearing wall. The product is built so you can trust the data — and so your employees can trust the product.

GDPR & UK Data Protection Act 2018

KimonTime is built for GDPR + UK DPA from day one. Subject access requests are self-service via the app (DSAR export). Right-to-erasure is honoured. We are a Data Processor for our customers' employee data; you are the Controller. See our DPA for the full controller/processor split.

Data residency

Production data is hosted in the UK (Hostinger London) by default. EU customers can opt into EU-only data residency (Lithuania / Netherlands) at no extra cost — we are not a US-headquartered SaaS forced to comply with overseas data orders.

Encryption

All traffic is served over TLS 1.3, and the domain is on the HSTS preload list, so browsers will not fall back to plaintext HTTP. Data at rest is encrypted with AES-256 at the storage layer (Hostinger NVMe + Backblaze B2 object storage). Screenshots live in object storage with bucket-level encryption and are served only through time-limited presigned URLs: there is no public link, and a URL stops working once its expiry has passed.
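The property that makes a presigned URL safe to hand out is that the signature binds the object key and the expiry together, so the link cannot be extended or pointed at another object, and a link past its expiry is rejected rather than served. In production the object store issues and checks these URLs itself (B2 is S3-compatible, so an SDK call such as boto3's generate_presigned_url with ExpiresIn does the signing with the bucket credential). The stdlib HMAC version below is an added example, not KimonTime's code; the signing key, base URL and object key are placeholders, and it shows the same check an object store performs when a presigned link is fetched.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key. Real B2/S3 presigning uses the
# object store's own credential and SigV4; this HMAC stands in for it.
SIGNING_KEY = b"demo-signing-key-not-for-production"
BASE_URL = "https://screenshots.example.invalid"  # placeholder bucket endpoint


def _signature(object_key: str, expires_at: int, key: bytes) -> str:
    # Bind the object key and the expiry into one MAC so neither can be
    # changed without invalidating the signature.
    msg = f"{object_key}\n{expires_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def presign(object_key: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Return a URL for object_key that is valid until the given Unix time."""
    query = urlencode({"expires": expires_at, "sig": _signature(object_key, expires_at, key)})
    return f"{BASE_URL}/{object_key}?{query}"


def verify_presigned(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept the URL only if it is unexpired and its signature matches."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["expires"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError):
        return False  # malformed: missing or non-numeric fields
    if now >= expires_at:
        return False  # an expired link is dead, not merely stale
    object_key = parsed.path.lstrip("/")
    expected = _signature(object_key, expires_at, key)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample: a one-hour link issued at Unix time 1700000000.
    link = presign("org-42/2024-05-01/abc.png", 1_700_000_000 + 3600)
    print(link)
    print("valid now:", verify_presigned(link, 1_700_000_000))
    print("valid after expiry:", verify_presigned(link, 1_700_000_000 + 3600))
```

The verifier rejects a URL whose expiry has been edited because the new expiry no longer matches the MAC, and rejects a URL whose path has been edited for the same reason; only the holder of the signing key can mint a fresh one. Keep expiries short (minutes, not days), since anyone who obtains the link can use it until then.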

Employee-private AI coach

The Productivity Coach and Burnout Prediction features run for the employee, not their manager. Wellness notifications are employee-controlled — a manager cannot toggle them on or off for someone else. The AI never reports an individual's wellbeing signals up the chain.

Screenshots blurred by default

When screenshot capture is enabled by an org admin, screenshots are blurred at the desktop agent before upload. Region-blur for sensitive UI (password fields, banking apps) is automatic. The unblurred original never leaves the employee's device.
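What the property above amounts to in code is that the agent's uploader is only ever handed the output of a transform, and the transform reads the captured frame without mutating or returning it. The block below is an added example, not KimonTime's agent code: it uses a grayscale list-of-lists as a stand-in for the captured bitmap, a box blur as the default blur, and takes the sensitive regions as an input list, since the page does not say how the agent detects password fields or banking apps. Sensitive regions are painted solid rather than blurred harder, because a blur over a short, known-alphabet secret (a PIN, a card number) can be partly reversed, whereas a solid fill cannot.

```python
from typing import List, Tuple

Frame = List[List[int]]             # rows of 0..255 grayscale pixels (stand-in for the bitmap)
Region = Tuple[int, int, int, int]  # (x, y, width, height) of a sensitive-UI area


def box_blur(frame: Frame, radius: int) -> Frame:
    """Return a new frame where each pixel is the mean of its (2r+1)x(2r+1) neighbourhood.
    The input frame is read only; edges use the in-bounds part of the window."""
    height, width = len(frame), len(frame[0])
    blurred: Frame = []
    for y in range(height):
        row = []
        for x in range(width):
            total = count = 0
            for yy in range(max(0, y - radius), min(height, y + radius + 1)):
                for xx in range(max(0, x - radius), min(width, x + radius + 1)):
                    total += frame[yy][xx]
                    count += 1
            row.append(total // count)
        blurred.append(row)
    return blurred


def redact_regions(frame: Frame, regions: List[Region], fill: int = 0) -> Frame:
    """Return a copy with every listed region painted solid (regions may overhang the frame)."""
    out = [row[:] for row in frame]
    height, width = len(out), len(out[0])
    for x, y, w, h in regions:
        for yy in range(max(0, y), min(height, y + h)):
            for xx in range(max(0, x), min(width, x + w)):
                out[yy][xx] = fill
    return out


def prepare_for_upload(frame: Frame, sensitive_regions: List[Region], radius: int = 2) -> Frame:
    """The only frame the uploader should ever receive: blurred everywhere,
    solid over sensitive regions, and never the original buffer."""
    return redact_regions(box_blur(frame, radius), sensitive_regions)


if __name__ == "__main__":
    # Constructed sample: a 4x8 frame with a hard edge, and a 'password field' on the right half.
    captured = [[0] * 4 + [255] * 4 for _ in range(4)]
    upload = prepare_for_upload(captured, [(4, 0, 4, 4)], radius=1)
    for row in upload:
        print(row)
```

A blur does not add up to the "never leaves the device" guarantee on its own; that comes from the agent's upload path accepting only the transformed copy, which is why the example keeps the uploader's input as a separate, freshly built frame.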

Aggregate keyboard/mouse only — never keystrokes

We count keyboard and mouse events per minute as a coarse activity signal. We do NOT capture keystrokes, passwords, or clipboard contents. This is a hard philosophical line — not a feature toggle.

SOC 2 Type II

A SOC 2 Type II audit is in progress (target: roughly 12 months post-launch); SOC 2 produces an auditor's report rather than a certificate. Our control framework has been built from day one against the SOC 2 Trust Services Criteria and ISO 27001 requirements. Customers under contract can request our completed security questionnaire.

For the full set: see our Privacy Policy, Terms of Service, and Sub-processor list.