Kinhold stores SSNs, medical records, insurance details, and household passwords. We treat that responsibility seriously. This page is the short version of how we protect that data and how to report a vulnerability.
Encryption
- All traffic is HTTPS only (TLS 1.2+ via Cloudflare).
- Vault items are encrypted at rest with a separate vault key, distinct from the application key.
- Database, Redis, and file storage are encrypted at rest by the underlying provider (Upsun managed services).
- Passwords are hashed with bcrypt; we never store plaintext.
Access control
- Role-based permissions (parent, child, guest) plus per-item visibility on vault entries and calendar events.
- Kid accounts cannot access the vault, full stop.
- Sessions use Laravel Sanctum with secure, HTTP-only cookies. MCP clients use bearer tokens that you can revoke individually.
The AI assistant
The built-in assistant and any external MCP clients only see what the calling user is allowed to see. The same permission checks the UI uses are applied to every tool call. There is no "AI superuser" mode.
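One way to structure the rule described above, where the UI and every tool call go through a single permission check (an added example, not Kinhold's own code). The data model, function names, token strings and the `vault.list` tool name are assumptions; only the three roles and the rule that child accounts never reach the vault come from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "parent", "child" or "guest" (roles named on the page)

@dataclass(frozen=True)
class VaultItem:
    title: str
    visible_to: frozenset  # assumed model of per-item visibility: allowed user ids

def can_view(user: User, item: VaultItem) -> bool:
    """The one policy every entry point calls. Deny by default."""
    if user.role not in ("parent", "guest"):
        return False  # child accounts and unknown roles never reach the vault
    return user.id in item.visible_to

def list_vault(user: User, vault: list) -> list:
    """Shared query path: filtering happens here, not in the caller."""
    return [item.title for item in vault if can_view(user, item)]

def ui_vault_page(session_user: User, vault: list) -> list:
    """UI entry point: the user comes from the session cookie."""
    return list_vault(session_user, vault)

def tool_call(bearer: str, tool: str, tokens: dict, vault: list) -> list:
    """Tool entry point: the bearer token resolves to a user, never to a
    service identity, so the assistant cannot see more than its caller."""
    user = tokens.get(bearer)
    if user is None:
        raise PermissionError("unknown or revoked token")
    if tool != "vault.list":  # hypothetical tool name
        raise PermissionError("unknown tool")
    return list_vault(user, vault)

# Constructed sample data.
MOM, KID, SITTER = User(1, "parent"), User(2, "child"), User(3, "guest")
VAULT = [
    VaultItem("Insurance policy", frozenset({1, 3})),
    VaultItem("Kid SSN", frozenset({1, 2})),  # listing the child must not help
]
TOKENS = {"tok-mom": MOM, "tok-kid": KID, "tok-sitter": SITTER}

if __name__ == "__main__":
    for tok, user in TOKENS.items():
        print(user.role, tool_call(tok, "vault.list", TOKENS, VAULT))
```

Revoking one client is modelled here as deleting its entry from the token map; the other tokens keep working.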
Backups
Hosted installs are backed up nightly. Backups are encrypted and retained for 30 days. Self-hosted backups are your responsibility; the docs include guidance for Docker volume snapshots and Postgres dumps.
Reporting a vulnerability
If you find a security issue, please email security@kinhold.app rather than filing a public GitHub issue. Include:
- A description of the issue and impact
- Steps to reproduce
- Your name (so we can credit you, if you want)
We aim to acknowledge within 48 hours and patch high-severity issues within 7 days. We will publicly credit reporters in the changelog and the security advisory unless you ask us not to.
Source
Kinhold is open source. Read the code on GitHub and verify any of these claims yourself.