FounderOS is your personal operations cockpit, but it sits on the same askKira governance backbone as every other product we ship. The canonical security and infrastructure statement is below; the full set of policies + templates lives in the askKira Governance Hub.
Every askKira product — FounderOS, Mosaic PD, Classroom Companion, Talkology — is governed by one shared backbone: privacy policy, DPA, DPIA, cookie policy, terms, AI policy templates and risk-assessment templates. All live in one place, kept canonical, dated and downloadable.
Open the Governance Hub ↗Nothing routed through Founder OS is used to train any AI model that benefits another customer.
"No user-submitted data is used to train any language models, nor is it shared externally or made viewable by any third party."
Founder OS is a personal cockpit. One password (set via FOUNDEROS_PASSWORD env var) gates the entire app. Sessions are HMAC-signed cookies, HttpOnly, SameSite=Lax, Secure-in-production. CSRF tokens validate every form submission. Five failed login attempts from an IP triggers a 15-minute lockout.
TLS for every connection (Let's Encrypt). At-rest encryption on the hosting volume. Role-based access controls and MFA on every infrastructure surface. API keys (Anthropic, Brave) live in environment variables, never on disk.
Every data file write — agents.json, pipeline.json, per-agent KPIs, drafts, send logs, audit log — uses a write-temp-fsync-rename pattern. A crash mid-write leaves the old file intact, never a half-written target.
Security-relevant actions (sign-in, sign-in failure, lockout, sign-out, pipeline mutations, agent run, agent delete) are written to a separate append-only NDJSON file at data/audit.log. Passwords, API tokens and request bodies are never logged.
If a data-protection incident is detected, affected parties are notified within 72 hours of discovery with the minimum context required to exercise their obligations under UK GDPR Article 33.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Primary hosting and storage | UK (eu-west-2) |
| Anthropic | LLM API · no training on customer data | API endpoint |
| Brave Search | Web discovery (Researcher agent) | API endpoint |
| Google Workspace | Gmail/Calendar integration (founder-owned account) | EU |
| Cloudflare | Edge security / DDoS mitigation | Global edge |
| Legal name | Public Sector Analytics Limited |
| Trading as | askKira |
| Company number | 14889377 |
| ICO registration | ZB622646 |
| Data Protection Officer | dpo@askkira.com |
| Security disclosures | security@askkira.com |