Privacy & data residency

Where your data physically lives, encryption, tenant isolation, retention, deletion, subprocessors.

If you're handling Malaysian SME financials, you need to know exactly where the data goes and who can see it. This page lays it out — physical region, legal jurisdiction, encryption, isolation, retention.

For the audience that asks: I'm an IT person or a compliance officer evaluating Kiravy. Skim the headings; we keep claims concrete.

Where data physically lives

LayerProviderRegion
Database (Postgres)Supabaseap-southeast-1 (Singapore)
File storage (receipts, logos, exports)Supabase Storageap-southeast-1 (Singapore)
App serversSelf-hosted on a VPSCurrently Frankfurt (eu-central); production move to ap-southeast-1 is planned
AI processingThe AI provider Kiravy usesUS region for inference; data not retained by the provider beyond the immediate request
Email (invitations, password resets)Supabase Auth → SMTP relaySingapore
Error monitoringSentryEU region; PII-scrubbed before send
AnalyticsPostHogSelf-hosted; no third-party trackers

The principle: everything customer-data-related sits in Singapore. The VPS region for the app server is a temporary state during the staging phase; production will collocate with the data layer.

The data never leaves Singapore for storage. The only outbound trip is the AI inference call (which we minimise — see AI processing below). Receipts, transactions, customers, the chart of accounts — all of that is stored regionally.

What encryption looks like

  • In transit: Every connection is TLS 1.2+ — the browser ↔ Kiravy, the Kiravy app ↔ Supabase, the SQL Account bridge ↔ Kiravy. No plaintext anywhere on the wire.
  • At rest: Supabase encrypts the database and storage buckets with AES-256.
  • Bearer tokens (used by the SQL Account bridge agent): only the SHA-256 hash is stored server-side. The raw token exists for a few seconds at pair time, then disappears. Even Kiravy support can't see it after creation — if you lose the token, you re-pair.

Tenant isolation — the database does it

Every read and write goes through PostgreSQL Row-Level Security (RLS) policies before the application sees the data. This is enforced by the database, not the app — a buggy query or a forgotten WHERE clause cannot leak data across firms.

Two helper functions back this up:

  • current_user_workspace_role() — returns the calling user's role in the active workspace
  • is_assigned_to_client(client_id) — returns true if the user is Partner / Manager or explicitly assigned to that client

Every tenant table has a policy like:

create policy "tenant_isolation" on transactions for select
  using (is_assigned_to_client(client_id));

This is the same mechanism that makes Kiravy AI safe — the AI's tool calls go through the database, which refuses to return rows the user shouldn't see, even if the AI asks for them.

See Roles & permissions → How Kiravy enforces this for the longer version.

Who can see your data

Within your firm:

WhoCan see
PartnerEvery client in the firm
ManagerEvery client in the firm
Senior / JuniorOnly clients they're explicitly assigned to
ViewerOnly assigned clients, read-only
Client portal userJust their own business + just their own uploads

Cross-firm: never. Even Kiravy staff with database access don't read your data routinely — see Kiravy team access below.

AI processing

When you chat with Kiravy AI, ask for a tax deductibility check, or upload a receipt for OCR, the underlying request leaves Singapore and goes to the AI provider's API:

  • What's sent: only the specific data needed for the task — for a deductibility check, the vendor name, amount, account; for an OCR pass, the receipt image
  • What's retained by the provider: nothing — by contract, the provider does not store the request data after the response is delivered
  • What's logged on the Kiravy side: the token count and feature name for billing, but not the prompt body or the response

There's no fine-tuning on your data. No "your data trains a future model" footnote. The AI is used as a stateless processing call.

One exception: if you opt into conversation history (the default), the messages of an AI conversation are stored in Kiravy's database in Singapore so you can pick up a thread later. Those are still RLS-gated and never leave Singapore.

Retention

Records follow Malaysian Income Tax Act 1967 s. 82A — books and supporting documents are retained for 7 years after the year of assessment.

Kiravy's defaults:

ObjectDefault lifecycle
Transactions / receipts / invoicesKept indefinitely (firm controls archival)
Soft-deleted rowsHidden from UI, retained in DB indefinitely (for audit recoverability)
Archived clientsHidden from default list, retained in DB indefinitely
Hard-deleted clientsCascaded deletion; 7-day point-in-time backup at Supabase as a safety net
Deactivated membersAuth blocked; row + their authorship of past data preserved
Audit logsIndefinite; we never trim
AI conversation historyIndefinite unless the user soft-deletes the thread
AI usage telemetry (ai_usage table)30+ days for the in-product dashboard; archived older than that

The whole architecture leans toward don't lose data. Hard delete is a deliberate friction-heavy action — see Archive & delete for the full ceremony.

Data export — getting your data back

You can export at any time:

  • CSV per surface — from Transactions, Customers, Suppliers, AR, AP tabs
  • PDF P&L — via the report export button
  • Receipt files — original images / PDFs can be downloaded individually (bulk export is on the roadmap)
  • Full account export — contact support; we provide a ZIP with everything in CSV + PDF form within 5 business days

There's no vendor lock-in. Your data was always yours.

Data deletion on request

For PDPA (Personal Data Protection Act 2010) right-to-erasure requests:

  1. The firm's Partner submits the request in writing to support
  2. We confirm receipt within 48 hours
  3. Soft delete is immediate via the UI (Partner can do it themselves — see Archive & delete)
  4. Hard delete + backup scrub runs after the 7-day backup retention window expires — guarantees no recoverable copy
  5. We send written confirmation when complete

For an individual's PII (e.g. a staff member's data after deactivation), support runs a PII-scrub that anonymises the row while preserving audit attribution by row ID.

Kiravy team access

Who at Kiravy can theoretically see your data:

RoleRoutine accessWhen they'd touch it
FoundersYes (database admin)Investigating bugs you report, manual support requests
Future on-call engineersYes (database admin)Incidents (production down, data corruption)
Customer success / supportNo raw DB accessUse the admin UI which respects RLS

What we don't do:

  • Routine browsing of customer data
  • Selling, sharing, or aggregating customer data for any purpose
  • Training models on your data
  • Reading messages in AI conversations or chat with team members

Every Kiravy-team access to the database is logged. We'll surface that audit log to Partners in a future release.

Subprocessors

The third parties we depend on, with what each touches:

SubprocessorWhat they see
SupabaseEverything (they host the DB + storage) — but encrypted at rest, and Kiravy controls the keys
The AI providerJust the specific request payload (vendor name + amount for one classification, or one receipt image for OCR) — not retained
SentryError stack traces — PII scrubbed before send
Postmark / SMTPOutbound email content (invitations, password resets)
Cloudflare (DNS + CDN)TLS termination; never sees decrypted content above the wire

We don't use third-party marketing trackers, ad networks, or analytics that fingerprint your visitors. PostHog (self-hosted) is for product analytics — anonymised events, not user-identifying ones.

Compliance posture today

What we claim:

  • TLS everywhere
  • Encryption at rest
  • RLS-enforced tenant isolation
  • Singapore data residency
  • 7-day backup window
  • Audit logging on key actions

What we're working toward (not certified yet):

  • SOC 2 Type II — planned audit window in the next 12 months
  • ISO 27001 — secondary; depends on demand
  • Formal DPA template for enterprise customers — available on request today, productised soon

What we don't claim:

  • PCI DSS (Kiravy doesn't process card data — that's the billing provider's domain)
  • HIPAA (out of scope — we're financial, not healthcare)

If your firm's largest client requires a specific compliance attestation we don't yet have, talk to us — we'll know if it's on the roadmap or if it's not realistic for our stage.

Reporting a security issue

security@kiravy.com — please give us 90 days before public disclosure. We'll acknowledge within 48 hours and credit you (with permission) when the fix ships.

What's next