Security

Security at Krila.

Krila is built on the assumption that airline commercial data is sensitive. Schedules, fares, demand, and forward-looking strategy can move markets and competitive position. Our security posture is built to match.

Architecture

Krila runs on a modern, audited cloud stack:

  • Application hosting: Vercel (SOC 2 Type II, ISO 27001)
  • API and compute: Render (SOC 2 Type II)
  • Primary database: Supabase Postgres (SOC 2 Type II, HIPAA-eligible infrastructure)

All services are hosted in US regions.

Data Isolation

Every customer is provisioned a tenant with a unique organization ID. All tenant-scoped tables enforce row-level security at the database level, so queries cannot cross tenant boundaries by design rather than by application convention. Application code that touches customer data is reviewed against this isolation contract before deployment.

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups and replicas inherit the same encryption.

Authentication and Access

User authentication is handled through Supabase Auth with email-based identity. SSO via SAML and Google Workspace is available for design partner deployments on request. Administrative access to production systems is restricted, logged, and limited to the founding team.

Data We Process Today

In our current evaluation deployments, Krila processes:

  • Public datasets (DOT T-100, DB1B, OpenSky)
  • Licensed schedule and competitive data (OAG, Cirium) under each customer's own entitlement
  • Customer-provided schedule, fare, and demand exports

Krila does not process passenger PII, payment data, or PNR-level records. We do not require, request, or store this information.

Data Ownership and Deletion

Customers own their data. On contract termination, all customer-provided data is purged from production systems and backups within 30 days, with written confirmation.

Subprocessors

Krila uses a small, intentional list of subprocessors: Vercel, Render, Supabase, and Anthropic (for AI model inference, with zero data retention enabled on enterprise endpoints). The full list is available to customers under NDA.

Where We Are

Krila is an early-stage company. We are stage-appropriate on compliance. We have not yet completed a SOC 2 Type II audit, and we are transparent about that. We have built the underlying controls (tenant isolation, encryption, access logging, subprocessor discipline) that a SOC 2 audit will eventually attest to, and we have committed to beginning SOC 2 Type I as part of our first formalized design partner contracts.

Reporting a Vulnerability

If you believe you’ve found a security issue in Krila, email security@krila.ai. We will acknowledge within one business day.
