Security and Compliance
TLS in transit, AES-256 at rest, SSO and SAML on Enterprise, biometric privacy posture, the Klees audit log, and the SOC2 program — security as it actually ships.
Updated May 29, 2026
Klees handles workforce data, location data, biometric data, and payroll-grade financials. The security and compliance posture matches that load. This page covers encryption, authentication, access control, biometrics, the audit log, SOC2, and the regulatory frameworks Klees supports. For user-level security, see Roles and Permissions. For the API equivalents, see REST API.
Encryption
| Layer | Standard | Notes |
|---|---|---|
| In transit | TLS 1.2+ | Strict ciphers; HSTS on web; certificate pinning on mobile |
| At rest | AES-256 | Database and object storage; per-record envelope encryption on sensitive fields |
| Backups | AES-256 | Same standard as primary; encrypted in dedicated regions |
| Mobile cache | OS keychain | Tokens and PinShot working data sit in OS-managed encrypted storage |
TLS configurations are reviewed quarterly. TLS 1.0 and 1.1 are not accepted. Cipher suites follow current Mozilla “intermediate” guidance.
Authentication
Standard: email and password with bcrypt at a standard work factor, optional TOTP or SMS two-factor, and short-lived session tokens with rotating refresh.
Enterprise: SSO via SAML 2.0 (Okta, Azure AD, Google Workspace, OneLogin, Ping), SCIM 2.0 provisioning (auto-create, update, deactivate from your IdP), just-in-time role mapping to Klees roles, and enforced SSO (disable password login for SSO-managed users). SSO is included on Enterprise — see pricing. Available as an add-on on Standard and Pro.
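The "short-lived session tokens with rotating refresh" line above describes a pattern rather than an API, so here is an added, self-contained illustration of it. This is example code written for this page, not Klees code; the token lifetimes, the in-memory store, and the reuse-detection rule (a refresh token presented twice revokes the whole session family) are assumptions, chosen to show why rotation is worth doing rather than a description of the product's implementation.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

ACCESS_TTL = 15 * 60              # assumed lifetimes; the page does not state them
REFRESH_TTL = 30 * 24 * 60 * 60


class SessionStore:
    """In-memory token store (hypothetical). Only SHA-256 digests of tokens are
    kept, so a copy of the store does not yield usable credentials. Every login
    starts a token 'family'; each refresh rotates to a new pair in that family."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.access: Dict[str, dict] = {}
        self.refresh: Dict[str, dict] = {}
        self.revoked_families = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user: str, family: str) -> dict:
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[self._digest(access)] = {
            "user": user, "family": family, "expires": now + ACCESS_TTL}
        self.refresh[self._digest(refresh)] = {
            "user": user, "family": family, "expires": now + REFRESH_TTL, "used": False}
        return {"access": access, "refresh": refresh, "access_expires": now + ACCESS_TTL}

    def login(self, user: str) -> dict:
        """Password or SSO has already succeeded; start a fresh family."""
        return self._issue(user, family=secrets.token_hex(8))

    def validate(self, access_token: str) -> Optional[str]:
        """Return the user id for a live access token, else None."""
        rec = self.access.get(self._digest(access_token))
        if rec is None or rec["expires"] <= self.clock() \
                or rec["family"] in self.revoked_families:
            return None
        return rec["user"]

    def rotate(self, refresh_token: str) -> Optional[dict]:
        """Exchange a refresh token for a new access/refresh pair, once."""
        rec = self.refresh.get(self._digest(refresh_token))
        if rec is None or rec["expires"] <= self.clock() \
                or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # The same refresh token presented twice means a copy of it is in
            # play alongside the legitimate client (or a retry went wrong).
            # Either way, the safe response is to end the whole family, which
            # also kills every access token issued inside it.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def logout(self, refresh_token: str) -> None:
        rec = self.refresh.get(self._digest(refresh_token))
        if rec is not None:
            self.revoked_families.add(rec["family"])


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("worker-17")
    second = store.rotate(first["refresh"])
    print("rotated:", second is not None)
    print("old refresh reused:", store.rotate(first["refresh"]))   # None, family revoked
    print("newest access still valid:", store.validate(second["access"]))  # None
```

The point of the family bookkeeping is the last two lines of the usage: once a refresh token is replayed, neither the old nor the newest token in that chain works, so a stolen refresh token has a bounded useful life even if the theft is never noticed directly.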
Authorization and access control
Klees uses RBAC layered with resource scoping. Every API request and UI action is checked against the user’s role, per-permission overrides, scope (org-wide, by region, customer, or tag), and the resource’s tenant. Full matrix in Roles and Permissions.
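To make the layering concrete, here is an added example of an authorization check that applies the four layers in the order the paragraph lists them: tenant, role, per-permission overrides, and scope. It is illustrative code written for this page, not Klees code; the role names, permission strings, and the rule that an explicit deny beats a grant are assumptions, and the real matrix is the one in Roles and Permissions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed role -> base permission map (hypothetical, not the product's matrix).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "owner": {"shift.read", "shift.edit", "payroll.read", "payroll.export", "audit.read"},
    "manager": {"shift.read", "shift.edit", "payroll.read"},
    "worker": {"shift.read"},
}


@dataclass(frozen=True)
class Scope:
    kind: str                     # "org", "region", "customer", or "tag"
    value: Optional[str] = None   # None only for org-wide scope


@dataclass
class User:
    user_id: str
    tenant_id: str
    role: str
    scopes: Tuple[Scope, ...] = (Scope("org"),)
    grants: FrozenSet[str] = frozenset()   # per-permission overrides: added
    denies: FrozenSet[str] = frozenset()   # per-permission overrides: removed


@dataclass(frozen=True)
class Resource:
    tenant_id: str
    region: str
    customer: str
    tags: FrozenSet[str] = frozenset()


def effective_permissions(user: User) -> Set[str]:
    """Role permissions plus grants, minus denies (deny always wins)."""
    return (ROLE_PERMISSIONS.get(user.role, set()) | user.grants) - user.denies


def in_scope(user: User, resource: Resource) -> bool:
    """A user may hold several scopes; any one matching the resource suffices."""
    for s in user.scopes:
        if s.kind == "org":
            return True
        if s.kind == "region" and s.value == resource.region:
            return True
        if s.kind == "customer" and s.value == resource.customer:
            return True
        if s.kind == "tag" and s.value in resource.tags:
            return True
    return False


def authorize(user: User, permission: str, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason). The tenant check comes first so a cross-tenant
    request gets the same answer whether or not the resource exists; the reason
    string is for the audit log, not for the caller's error message."""
    if user.tenant_id != resource.tenant_id:
        return False, "tenant mismatch"
    if permission in user.denies:
        return False, "explicitly denied"
    if permission not in effective_permissions(user):
        return False, "role lacks permission"
    if not in_scope(user, resource):
        return False, "out of scope"
    return True, "ok"


if __name__ == "__main__":
    mgr = User("u1", "t1", "manager", scopes=(Scope("region", "north"),))
    print(authorize(mgr, "shift.edit", Resource("t1", "north", "acme")))   # (True, 'ok')
    print(authorize(mgr, "shift.edit", Resource("t1", "south", "acme")))   # out of scope
    print(authorize(mgr, "shift.edit", Resource("t2", "north", "acme")))   # tenant mismatch
```

Two design points worth keeping when you wire something like this into a real request path: every code path that touches a resource calls `authorize` (the page says every API request and UI action is checked), and the denial reason goes to the audit log rather than the response body, so the check does not become an oracle for what a user is not allowed to see.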
Audit log
Every meaningful action is logged: who (user + role at the time), what (action + resource), when (UTC + display timezone), where (IP, user agent, optional GPS), and a before/after diff on edits. Retention defaults to 24 months; Enterprise can extend it to 7 years for regulated industries. The log is filterable and exportable, and on Enterprise it can be streamed to Splunk, Datadog, Sumo Logic, Elastic, or custom HTTP sinks via the REST API.
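As an added illustration of the entry shape just described, the following builds who/what/when/where entries with a before/after diff, filters them, and serialises them as one JSON object per line for an HTTP sink. This is example code for this page, not the Klees audit log implementation: the field names, the masked-field list, and the JSON Lines export format are assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Fields whose values are masked in a diff while still recording that they
# changed (constructed list; which fields the product masks is an assumption).
REDACTED_FIELDS = {"ssn", "bank_account"}


def field_diff(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Per-field before/after diff. Unchanged fields are omitted; sensitive
    fields show up as changed but never carry the plaintext value."""
    diff = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        if key in REDACTED_FIELDS:
            old = None if old is None else "[redacted]"
            new = None if new is None else "[redacted]"
        diff[key] = {"before": old, "after": new}
    return diff


def audit_entry(user_id: str, role: str, action: str, resource: str, ip: str,
                user_agent: str, *, before: Optional[dict] = None,
                after: Optional[dict] = None, gps=None, display_tz: str = "UTC",
                now: Optional[datetime] = None) -> dict:
    """One entry in the who/what/when/where shape. `role` is the role held at
    the moment of the action, captured now rather than looked up later, so a
    later role change cannot rewrite history."""
    now = now or datetime.now(timezone.utc)
    entry = {
        "who": {"user_id": user_id, "role": role},
        "what": {"action": action, "resource": resource},
        "when": {"utc": now.isoformat(), "display_tz": display_tz},
        "where": {"ip": ip, "user_agent": user_agent, "gps": gps},
    }
    if before is not None or after is not None:
        entry["diff"] = field_diff(before or {}, after or {})
    return entry


def filter_log(entries: List[dict], *, user_id: Optional[str] = None,
               action: Optional[str] = None, since: Optional[datetime] = None) -> List[dict]:
    """Filter by actor, action, or a timezone-aware UTC lower bound."""
    out = []
    for e in entries:
        if user_id is not None and e["who"]["user_id"] != user_id:
            continue
        if action is not None and e["what"]["action"] != action:
            continue
        if since is not None and datetime.fromisoformat(e["when"]["utc"]) < since:
            continue
        out.append(e)
    return out


def export_jsonl(entries: List[dict]) -> str:
    """One JSON object per line, the shape an HTTP or SIEM sink ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries)


# Constructed sample data (documentation IP ranges, fake identifiers).
SAMPLE_NOW = datetime(2026, 5, 29, 10, 0, tzinfo=timezone.utc)


def sample_entries() -> List[dict]:
    return [
        audit_entry("u42", "manager", "shift.edit", "shift/123", "203.0.113.7",
                    "KleesMobile/1.0",
                    before={"rate": 18.5, "ssn": "111-22-3333"},
                    after={"rate": 20.0, "ssn": "111-22-4444", "note": "rate review"},
                    gps=[41.88, -87.63], display_tz="America/Chicago", now=SAMPLE_NOW),
        audit_entry("u7", "worker", "clock.in", "time_entry/555", "198.51.100.2",
                    "KleesMobile/1.0", now=SAMPLE_NOW),
    ]


if __name__ == "__main__":
    print(export_jsonl(sample_entries()))
```

The masking step matters more than it looks: an audit log with a 7-year retention and a streaming export to a third-party SIEM is itself a copy of whatever it records, so a diff that captured payroll identifiers in the clear would extend the blast radius of those fields to every sink.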
Biometric privacy
PinShot is the biometric surface of Klees. Its privacy controls:
- Capture only at clock-in and clock-out (never silent), with a persistent capture indicator
- AES-256 encrypted selfies
- One-way hashed templates
- Bilingual consent at enrollment (logged in the audit log)
- Per-jurisdiction retention overrides
- Worker-initiated export and deletion
Retention defaults:
| Data | Default | Configurable |
|---|---|---|
| PinShot selfie image | 30 days | Yes |
| Face template | 12 months from last clock-in | Yes |
| Anti-spoof score | Lifetime of the time entry | No |
Klees supports BIPA (Illinois), CCPA/CPRA (California), GDPR (EU), and LGPD (Brazil). Full PinShot mechanics are documented in PinShot.
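The retention table above is a policy, and the interesting part is how defaults, per-jurisdiction overrides, and the one non-configurable row combine when a purge job runs. The following is an added example of that evaluation, written for this page rather than taken from Klees: the jurisdiction codes, the override values, and the record shape are constructed, and the rule that an override for a non-configurable data kind is rejected up front is an assumption drawn from the "Configurable: No" row.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Defaults from the retention table. None means "lifetime of the time entry":
# the record goes when its time entry goes, not on a calendar schedule.
DEFAULT_RETENTION_DAYS: Dict[str, Optional[int]] = {
    "selfie": 30,
    "face_template": 365,       # 12 months, anchored on the last clock-in
    "anti_spoof_score": None,
}
CONFIGURABLE = {"selfie", "face_template"}


def validate_overrides(overrides: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Reject overrides for unknown or non-configurable data kinds, and
    non-positive day counts, before they can reach the purge job."""
    for jurisdiction, kinds in overrides.items():
        for kind, days in kinds.items():
            if kind not in DEFAULT_RETENTION_DAYS:
                raise ValueError(f"{jurisdiction}: unknown data kind {kind!r}")
            if kind not in CONFIGURABLE:
                raise ValueError(f"{jurisdiction}: {kind!r} retention is not configurable")
            if not isinstance(days, int) or days <= 0:
                raise ValueError(f"{jurisdiction}: {kind!r} retention must be a positive day count")
    return overrides


def retention_days(kind: str, jurisdiction: str, overrides: Dict[str, Dict[str, int]]) -> Optional[int]:
    """Effective retention for one data kind in one jurisdiction."""
    default = DEFAULT_RETENTION_DAYS[kind]
    if kind not in CONFIGURABLE:
        return default
    return overrides.get(jurisdiction, {}).get(kind, default)


def purge_due(records: List[dict], overrides: Dict[str, Dict[str, int]], today: date) -> List[str]:
    """Return ids of records whose retention has lapsed as of `today`.
    Each record carries: id, kind, jurisdiction, anchor (capture date, or the
    last clock-in for templates) and, for records tied to a time entry,
    time_entry_exists."""
    due = []
    for r in records:
        days = retention_days(r["kind"], r["jurisdiction"], overrides)
        if days is None:
            # Lifetime of the time entry: purge only once the entry is gone.
            if not r.get("time_entry_exists", True):
                due.append(r["id"])
        elif today >= r["anchor"] + timedelta(days=days):
            due.append(r["id"])
    return due


# Constructed sample configuration and data (hypothetical values).
SAMPLE_OVERRIDES = validate_overrides({
    "IL": {"selfie": 7},
    "EU": {"selfie": 14, "face_template": 180},
})
SAMPLE_TODAY = date(2026, 5, 29)


def sample_records(today: date) -> List[dict]:
    ago = lambda n: today - timedelta(days=n)
    return [
        {"id": "s1", "kind": "selfie", "jurisdiction": "IL", "anchor": ago(10)},
        {"id": "s2", "kind": "selfie", "jurisdiction": "CA", "anchor": ago(10)},
        {"id": "t1", "kind": "face_template", "jurisdiction": "EU", "anchor": ago(200)},
        {"id": "t2", "kind": "face_template", "jurisdiction": "CA", "anchor": ago(200)},
        {"id": "a1", "kind": "anti_spoof_score", "jurisdiction": "IL", "anchor": ago(900),
         "time_entry_exists": True},
        {"id": "a2", "kind": "anti_spoof_score", "jurisdiction": "IL", "anchor": today,
         "time_entry_exists": False},
    ]


if __name__ == "__main__":
    print(purge_due(sample_records(SAMPLE_TODAY), SAMPLE_OVERRIDES, SAMPLE_TODAY))
```

Note that the template anchor is the last clock-in, not the enrollment date, so an active worker's template is never purged mid-employment while a departed worker's template ages out on its own twelve-month (or shorter, by override) clock, which is the behaviour the table describes.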
Location data
Location is captured only while clocked in. Off-shift is never recorded. Live Map introduces a 60-second display delay; the GPS trail (Pro/Enterprise) records at low frequency (every 2–3 minutes). Workers can review their own history and request deletion on offboarding.
SOC2
Klees operates under a SOC2 Type II program covering Security, Availability, Confidentiality, and Privacy. Type II audits run annually, with continuous monitoring in between. The subprocessor list is published with change notifications. The full report is available under NDA to Enterprise customers and late-stage prospects — contact [email protected].
Data residency, backups, DR
Standard hosting is in U.S. regions (multi-AZ). EU and Brazil hosting are available on Enterprise for GDPR/LGPD residency requirements. Backups run continuously with point-in-time recovery; RPO targets are typically under 5 minutes and RTO targets under 4 hours. Backups are stored in geographically separate regions. Disaster recovery is exercised regularly.
Pen testing and disclosure
Independent penetration tests run at least annually, with continuous SAST and DAST on every release and dependency scanning on every build. Coordinated disclosure at [email protected]; researchers acknowledged on the program page.
Incident response
Klees runs an on-call rotation with documented runbooks. Severity-1 incidents notify affected customers within an hour of confirmation; root-cause summaries follow within five business days. Status and postmortems live at https://status.klees.app.
Customer responsibilities
A secure deployment is a shared responsibility. On your side:
- Enforce SSO for admin users
- Require two-factor on any non-SSO admin or owner account
- Rotate API tokens at least annually
- Review the audit log on a regular cadence
- Deactivate offboarded workers promptly (SCIM automates this)
- Set PinShot retention to match your jurisdiction
- Subscribe to the subprocessor change feed
Compliance at a glance
| Framework | Status | Notes |
|---|---|---|
| SOC2 Type II | In program | Report under NDA |
| GDPR | Supported | EU hosting on Enterprise |
| CCPA / CPRA | Supported | Worker-facing DSAR flow |
| LGPD | Supported | Brazil hosting on Enterprise |
| BIPA (Illinois) | Supported | Consent and retention configurable |
| HIPAA | Out of scope | Klees does not store PHI |
For other framework questions, reach [email protected].