Data & Security
This page explains how Kyroo collects, uses, and protects your data when you use our platform at getkyroo.com and app.getkyroo.com. If you have questions, contact us at support@getkyroo.com.
View our latest security report
Kyroo Aikido Security Report - May 2026
A summary
All application data is hosted in the EU on AWS (the one exception, transactional email, is listed under Sub-processors)
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
We do not process personal contact data from your CRM — only company names, domains, deal data
Read-only access to LinkedIn Ads and HubSpot. We can never write to your account
You can disconnect or revoke access at any time. Data is deleted within 30 days of disconnection
Cyber Essentials, ICO Data Protection Registration, and SOC 2 are on our roadmap
We do not sell, share, or use your data to train AI models
What we access - HubSpot
We connect to HubSpot using a public OAuth app. The app requests two scopes: crm.objects.companies.read and crm.objects.deals.read. Nothing else. This means we can read company names, domains, deal names, deal values, and deal stages.
We cannot read contacts, emails, call logs, meeting notes, tasks, sequences, workflows, or any other data in your HubSpot portal. We cannot create, update, or delete any record.
What we access - LinkedIn
We connect to LinkedIn Ads using the r_ads_reporting OAuth scope. This grants read access to the same performance data you can export yourself from LinkedIn Campaign Manager: impression counts, click counts, spend figures, and campaign names. That is all.
We cannot see your ad creative, your targeting settings, your audience lists, your billing details, or your account configuration. We cannot create, pause, edit, or delete any campaign or ad. If you revoke access, our connection is terminated immediately.
How is my data stored?
All data stored by Kyroo is encrypted at rest using AES-256 encryption via Supabase, which runs on AWS infrastructure in the EU. All data in transit between your browser, our servers, and our database uses TLS 1.2 or higher. Every table in our database has row-level security enabled: database policies restrict each query to the calling organisation's rows, so your organisation's data is logically isolated from every other organisation's data. This isolation is enforced by database policy, not by separate encryption keys per organisation.
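The following is an added illustration of what "row-level security" means in practice; it is not Kyroo's schema or code. It uses Supabase's Postgres conventions (an `authenticated` role and a JWT exposed to SQL through `request.jwt.claims`); the table, the column names and the `app_metadata.org_id` claim are assumptions made for the example.

```sql
-- Added example (not Kyroo's schema). Assumed table holding LinkedIn
-- reporting rows for several organisations (tenants).
create table linkedin_daily_metrics (
  id           bigint generated always as identity primary key,
  org_id       uuid not null,
  campaign     text not null,
  day          date not null,
  impressions  bigint not null,
  clicks       bigint not null,
  spend_cents  bigint not null
);

grant select on linkedin_daily_metrics to authenticated;

-- Without this, policies are never consulted and every row is visible to
-- any role that has SELECT on the table.
alter table linkedin_daily_metrics enable row level security;
-- Apply the policies to the table owner as well (owners bypass RLS by default).
alter table linkedin_daily_metrics force row level security;

-- The caller's organisation is read from a custom claim in the Supabase JWT
-- (assumed here to be app_metadata.org_id, set by the application).
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb
      -> 'app_metadata' ->> 'org_id',
    ''
  )::uuid
$$;

-- Tenants may read only their own rows. No INSERT/UPDATE/DELETE policy
-- exists, so with RLS enabled the authenticated role cannot write at all.
create policy tenant_read on linkedin_daily_metrics
  for select to authenticated
  using (org_id = current_org_id());

-- Constructed sample data for two organisations.
insert into linkedin_daily_metrics
  (org_id, campaign, day, impressions, clicks, spend_cents) values
  ('11111111-1111-1111-1111-111111111111', 'Brand Q2', '2026-05-01', 12000, 340, 51250),
  ('22222222-2222-2222-2222-222222222222', 'Webinar',  '2026-05-01',  8000, 210, 30000);

-- Check: act as a request from the first organisation. Supabase sets the
-- role and the claims per API request; in a psql session we set them by hand.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"role":"authenticated","app_metadata":{"org_id":"11111111-1111-1111-1111-111111111111"}}',
  true);
select org_id, campaign, impressions from linkedin_daily_metrics;
-- Expected: exactly one row (Brand Q2). The Webinar row is filtered by the
-- policy, not encrypted away: a role with BYPASSRLS, or a client holding the
-- service_role key, still sees both rows.
rollback;
```

The check at the end is the one a reviewer should ask a vendor to demonstrate: run the same SELECT under a tenant JWT and under the service key, and confirm the former returns only that tenant's rows. It also shows why "cryptographically isolated" is the wrong description for RLS: isolation holds only for roles that are subject to the policies.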
No Kyroo staff member can query your data. If you disconnect an integration, the data from that integration is deleted permanently; we commit to completing deletion within 30 days of disconnection. Disconnect LinkedIn and your LinkedIn impression data is gone. Disconnect HubSpot and your CRM data is gone. Delete your account and everything goes with it.
What we never do
Kyroo cannot and will not write to your LinkedIn Ads account. We will never write to your HubSpot portal. We will never access contact records, personal email addresses, or any individually identifiable data from your CRM. We will never sell your data, share it with third parties, or use it to train any model. We will never store your LinkedIn or HubSpot credentials. All authentication uses OAuth tokens rather than your password: access tokens are short-lived, and you can revoke our authorisation at any time from within LinkedIn or HubSpot directly.
Compliance roadmap
We are building Kyroo to enterprise-grade security and compliance standards. The following are on our roadmap:
Cyber Essentials certification (UK government-backed security standard)
ICO Data Protection Registration
SOC 2 Type I
SOC 2 Type II
If your security or procurement team has specific compliance questions, contact us at support@getkyroo.com and we'll walk through the data model directly.
Sub-processors
Supabase - AWS Frankfurt eu-central-1 (Germany). Database and authentication. Stores all application data.
Vercel - AWS multi-region. Application hosting. No customer data at rest.
Stripe - Global, EU operations. Payment processing. Billing metadata only.
Resend - AWS us-east-1 (US, covered by EU-US Data Privacy Framework). Transactional email. Email addresses for account communications.
Upstash - AWS multi-region. Redis caching. Temporary session data.
Slack - AWS multi-region. Notifications when enabled by customer. Webhook URL only.
All sub-processors are bound by data processing agreements consistent with UK GDPR. We also use data enrichment services to deliver attribution features, but only for business (non-personal) lookups such as resolving a LinkedIn company page URN: we send a public LinkedIn company URL and receive the corresponding company domain. No customer data, personal data, or individually identifiable information is sent to, or in any way accessible by, any third-party data enrichment platform.
DPA & NDA
We offer DPAs and NDAs on request.
To request a signed DPA or NDA, please email support@getkyroo.com, using the following template:
Questions
If your security or IT team has questions not covered here, we are happy to walk through the data model directly.
Please email support@getkyroo.com