1. Purpose and Scope
Renji Labs, Inc. ("Renji Labs," "we," "our," or "us") operates Kaiary, an AI-powered family journaling application. This Information Security Program ("Program") describes the administrative, technical, and physical safeguards we maintain to protect the confidentiality, integrity, and availability of personal information processed in connection with Kaiary—including family content, biometric data, and account information.
This Program is intended to satisfy our obligations under applicable laws, including the Children's Online Privacy Protection Rule (COPPA), the Illinois Biometric Information Privacy Act (BIPA), state biometric and information-security statutes (such as Texas CUBI, Washington RCW 19.375, and the New York SHIELD Act), the California Consumer Privacy Act (as amended by CPRA), and equivalent obligations in other jurisdictions in which we operate.
Why this document exists: A privacy policy describes what data we collect and how we use it. This Program describes how we protect that data—the controls, processes, and people who keep your family's memories safe. We publish it so users, regulators, and partners can verify our security posture, and to satisfy specific legal requirements that mandate a written, publicly available program.
2. Definitions
- Personal Information. Any information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household, as defined under applicable law.
- Family Content. The journal entries, photos, videos, audio recordings, captions, and milestone events users create or upload to Kaiary.
- Biometric Data. Facial geometry vectors (face embeddings) extracted from photos when a user opts into face recognition, as further described in our Privacy Policy and Data Retention Policy.
- Children's Personal Information. Personal information of any individual under the age of 18 that is processed in connection with Kaiary, including photographs, videos, voice recordings, names, and biometric data of minors who appear as subjects in family content.
- Workforce. Renji Labs employees, contractors, and agents with access to systems or data covered by this Program.
3. Governance and Roles
Responsibility for this Program is allocated as follows:
- Chief Executive Officer: Owns the Program and approves material changes.
- Designated Security Coordinator: A named individual responsible for day-to-day administration of the Program, including incident response coordination, vendor reviews, and the annual review of this document. The current coordinator can be reached at security@kaiary.ai.
- Engineering Leadership: Implements and operates the technical safeguards described in Section 7.
- All Workforce Members: Are responsible for following this Program and reporting suspected security incidents through the channels described in Section 11.
4. Data Classification
We classify data into the following categories so that controls can be applied proportionally to sensitivity:
- Tier 1 — Highly Sensitive. Biometric data (face embeddings), authentication credentials and secrets, payment-related identifiers, and consent records.
- Tier 2 — Sensitive. Family content (photos, videos, journal entries, audio), names, dates of birth, contact information, precise location, and information depicting children.
- Tier 3 — Confidential. Account metadata, device identifiers, push tokens, subscription and billing records, and product analytics events linked to a user identifier.
- Tier 4 — Internal. Aggregated, anonymized, or non-personal operational data.
Children's Personal Information receives Tier 1 protection regardless of where it appears in the system.
5. Risk Assessment
We perform a risk assessment at least annually, and whenever there is a material change to our processing activities, infrastructure, or applicable law. The assessment evaluates:
- Reasonably foreseeable internal and external threats to the confidentiality, integrity, and availability of personal information
- The likelihood and potential impact of each threat
- The sufficiency of controls in place to mitigate those threats
- Risks specifically associated with biometric data, children's data, and family content
Findings are documented and used to drive remediation. The Designated Security Coordinator tracks open risks to closure.
6. Administrative Safeguards
6.1 Personnel Controls
All workforce members with access to personal information are subject to:
- Background checks where permitted by applicable law
- Confidentiality and acceptable-use agreements as a condition of access
- Role-based access provisioning and timely deprovisioning on role change or departure
6.2 Access Management
Access to systems containing personal information is governed by the principle of least privilege:
- Production access requires multi-factor authentication and is limited to engineering personnel with a documented business need
- Privileged actions are logged and reviewed
- Access reviews are conducted at least quarterly to confirm that current access levels remain appropriate
- Shared accounts are prohibited; every action is attributable to a named individual
6.3 Security Training
All workforce members complete security and privacy training upon onboarding and at least annually thereafter. Training covers, at minimum: phishing recognition, secure-handling practices for personal information, the special protections that apply to children's data and biometric data, the incident-reporting process, and the requirements of this Program.
6.4 Vendor and Third-Party Risk Management
Before engaging any third party that will receive or have the ability to access personal information, we evaluate the vendor's security posture, contractual commitments, sub-processor practices, and any relevant certifications. Material vendors are subject to:
- Written agreements that include confidentiality, security, breach-notification, and data-processing provisions
- Periodic reassessment based on the sensitivity of the data shared
- Restrictions on the categories of data they may receive—for example, our advertising and analytics partners are contractually limited to the event and identifier data described in our Privacy Policy and never receive family content, biometric data, or children's personal information
7. Technical Safeguards
7.1 Encryption
- In transit: All connections between user devices, our servers, and our infrastructure providers are protected with TLS 1.2 or higher (TLS 1.3 where supported).
- At rest: Family content stored in Amazon S3 is encrypted with AES-256 server-side encryption. Database storage (including face embeddings stored in PostgreSQL with the pgvector extension) is encrypted at rest using AWS RDS encryption.
- Secrets and keys: API keys, database credentials, and encryption keys are stored in AWS Secrets Manager and rotated on a documented schedule. Secrets are never committed to source control.
7.2 Authentication and Authorization
- User authentication is provided by Supabase Auth, supporting Apple Sign In, Google Sign In, and SMS one-time passcodes via Twilio.
- Workforce access to administrative tools requires multi-factor authentication.
- Application-level authorization enforces family-scoped data isolation: every database query is constrained by the requesting user's family membership, so a user cannot retrieve data belonging to another family.
- Media delivered by our content delivery network is protected by signed cookies scoped per session, with automatic refresh and short expirations.
7.3 Network and Application Security
- Production workloads run inside a virtual private cloud with restrictive ingress and egress controls.
- Services are placed behind a managed web-application firewall and rate-limiting controls.
- Software dependencies are scanned for known vulnerabilities, and high-severity findings are tracked to remediation.
- Code changes are reviewed by at least one engineer who is not the author before merge, and security-sensitive changes receive additional review.
7.4 Logging, Monitoring, and Detection
- Application, infrastructure, and security events are centrally logged.
- We monitor for anomalous authentication activity, privilege escalations, and patterns consistent with abuse or compromise.
- Crash and error data is captured by Sentry and reviewed by engineering on a regular cadence.
- Logs are retained for the periods specified in our Data Retention & Destruction Policy.
7.5 Vulnerability and Patch Management
- Operating systems, container images, and application dependencies are kept current with security patches.
- Critical vulnerabilities are prioritized for remediation according to the risk they present.
- We support responsible disclosure of vulnerabilities and welcome reports at security@kaiary.ai.
7.6 Secure Software Development
- Engineering practices include code review, automated testing, and static analysis.
- Sensitive operations—such as biometric processing, consent recording, and media access—are tested for correct enforcement of access controls.
- Pre-production environments use synthetic or de-identified data; production data is not copied to development environments.
8. Physical Safeguards
Kaiary does not operate its own data centers. Production data resides with cloud infrastructure providers (primarily Amazon Web Services) that maintain physical security controls described in their published certifications, including SOC 2 Type II and ISO/IEC 27001. Renji Labs offices and workforce devices are protected through device management, full-disk encryption, automatic screen locking, and standard physical-access controls.
9. Special Protections for Children's Personal Information
Although Kaiary accounts may only be created by adults aged 18 or older, family content frequently includes photographs, videos, audio recordings, and biographical information about children. We treat all such information as Children's Personal Information and apply heightened safeguards:
- Children's Personal Information is classified as Tier 1 (Highly Sensitive)
- It is encrypted in transit and at rest, and is family-scoped at the application layer so it can never be returned to anyone outside the family group
- It is never shared with our advertising or analytics partners
- It is processed exclusively by self-hosted AI infrastructure under Renji Labs' direct control; no third-party AI service receives images, video, or audio depicting children
- Retention timelines for Children's Personal Information are governed by our Data Retention & Destruction Policy and do not permit indefinite retention
10. Special Protections for Biometric Data
If a user opts into face recognition, Kaiary extracts and stores facial geometry vectors (numerical embeddings) derived from photos. We protect this data with the following additional controls:
- Self-hosted processing. Face detection and recognition are performed by Renji Face, an in-house system running on infrastructure under our direct control. Faceprints are never transmitted to third-party AI services, advertisers, analytics providers, or data brokers.
- No raw face images for matching. Only the mathematical embedding is stored for recognition; matching is performed against the embedding, not against the original photo.
- Family scoping. Face embeddings are partitioned by family identifier at the database layer and cannot be matched across families.
- Documented written consent. Biometric collection requires a recorded consent action that captures purpose, retention, IP address, user agent, and timestamp before any face photos may be uploaded.
- Independent deletion. Users may delete biometric data without deleting the underlying photos.
- Retention limits. Biometric data is destroyed in accordance with the timelines in our Data Retention & Destruction Policy.
- No sale. We do not sell, lease, trade, or otherwise profit from biometric data.
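The family-scoped isolation described in Section 7.2 and the per-family partitioning of face embeddings described above can be enforced inside PostgreSQL itself with row-level security, so that a query which forgets to filter by family still cannot return another family's rows. The following is an added illustration, not Renji Labs' schema or code: the table and column names, the `app.user_id` session setting, the 512-dimension embedding size and the placeholder UUID are all assumptions made for the example.

```sql
-- Added example (not Renji Labs' schema): family-scoped row-level security
-- for face embeddings in PostgreSQL with the pgvector extension.
CREATE EXTENSION IF NOT EXISTS vector;

-- Membership table: which users belong to which family (constructed names).
CREATE TABLE family_members (
  family_id uuid NOT NULL,
  user_id   uuid NOT NULL,
  PRIMARY KEY (family_id, user_id)
);

-- Only the numerical embedding is stored; no raw face image lives here.
CREATE TABLE face_embeddings (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  family_id  uuid NOT NULL,
  person_id  uuid NOT NULL,
  embedding  vector(512) NOT NULL   -- dimension is an assumption
);

-- The application stamps the authenticated user id onto each transaction
-- via a session setting (assumption; under Supabase Auth the equivalent
-- value is exposed by auth.uid()). If the setting is absent the function
-- returns NULL, every policy check fails, and no rows are visible: fail closed.
CREATE FUNCTION current_app_user() RETURNS uuid
  LANGUAGE sql STABLE AS $$
    SELECT current_setting('app.user_id', true)::uuid
  $$;

ALTER TABLE face_embeddings ENABLE ROW LEVEL SECURITY;
ALTER TABLE face_embeddings FORCE ROW LEVEL SECURITY;  -- applies to the owner too

-- A row may be read or written only by a member of that row's family.
-- WITH CHECK blocks inserts/updates that would move a row into another family.
CREATE POLICY family_scope ON face_embeddings
  USING (
    EXISTS (SELECT 1 FROM family_members m
            WHERE m.family_id = face_embeddings.family_id
              AND m.user_id   = current_app_user())
  )
  WITH CHECK (
    EXISTS (SELECT 1 FROM family_members m
            WHERE m.family_id = face_embeddings.family_id
              AND m.user_id   = current_app_user())
  );

-- Approximate nearest-neighbour index for cosine matching.
CREATE INDEX face_embeddings_hnsw
  ON face_embeddings USING hnsw (embedding vector_cosine_ops);

-- Matching query as the application would issue it. $1 is the probe
-- embedding, $2 the caller's family id. The explicit family_id predicate is
-- belt-and-braces; the policy applies even if a caller omits it.
BEGIN;
SET LOCAL app.user_id = '00000000-0000-0000-0000-000000000001';  -- placeholder
SELECT id, person_id, embedding <=> $1::vector AS distance
FROM face_embeddings
WHERE family_id = $2
ORDER BY embedding <=> $1::vector
LIMIT 5;
COMMIT;
```

Two operational checks matter for this pattern: the application's database role must be an ordinary role (not a superuser and without `BYPASSRLS`), otherwise the policy is silently skipped; and `SET LOCAL` only takes effect inside a transaction, so a pooled connection that runs the query outside `BEGIN`/`COMMIT` would see an unset `app.user_id` and return nothing rather than leaking rows.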
11. Incident Response
We maintain a documented incident-response process for events that may compromise the confidentiality, integrity, or availability of personal information. The process covers:
- Detection and reporting. Workforce members are required to report suspected incidents to security@kaiary.ai without delay.
- Triage. The Designated Security Coordinator assesses scope, severity, and the categories of data involved.
- Containment and remediation. Engineering leadership executes containment steps, preserves evidence, and remediates the underlying cause.
- Notification. Where required by law or contract, we notify affected users, regulators, and partners within applicable deadlines—including the 72-hour notification standard under the GDPR, U.S. state-specific breach-notification statutes, and contractual requirements with our infrastructure providers.
- Post-incident review. Material incidents are subject to a written post-incident review identifying root cause, contributing factors, and corrective actions.
12. Business Continuity and Backups
Family content and database state are backed up on a routine schedule, with backups encrypted at rest and stored in geographically separate facilities operated by our infrastructure providers. Backups are retained according to the timelines in our Data Retention & Destruction Policy and tested periodically to confirm restorability. When a user deletes data, we propagate that deletion through active systems immediately and apply the documented backup-rotation timeline so that the data is purged from all retained copies.
13. Policy Review and Revision
This Program is reviewed at least annually and updated when there is a material change to our processing activities, infrastructure, vendor relationships, or applicable law. The "Last Updated" date at the top of this document reflects the most recent review. Material changes are summarized in our Privacy Policy and may be communicated to users through the app or by email.
14. Contact
For questions about this Program or to report a suspected security issue, please contact:
Security and Privacy
Renji Labs, Inc.
2093 Philadelphia Pike #6689
Claymont, DE 19703
Security: security@kaiary.ai
Privacy: privacy@kaiary.ai
This document is the publicly available summary of Renji Labs' Written Information Security Program. Internal procedures, system designs, and operational runbooks contain additional detail that is not publicly disclosed for security reasons.
