Responsible disclosure
Last updated: 1 March 2026
If you find a security vulnerability in Klai, we want to know. This page explains how to report it and what happens next.
How to report
Email security@getklai.com. Include:
- What you found
- Steps to reproduce it
- What impact you think it could have
We will confirm receipt within five business days.
What we commit to
- Confirm your report within five business days
- Give you an honest timeline for a fix
- Keep your report confidential
- Not take legal action against you for reports that follow these guidelines
- Credit you in our release notes if you want it
What we ask of you
- Report as soon as you find something
- Do not access, modify, or copy data beyond what is necessary to demonstrate the issue
- Do not run denial-of-service tests or anything that disrupts the service for others
- Do not use social engineering against Klai staff or customers
- Keep the vulnerability confidential until we have fixed it
Scope
Anything on getklai.com and the Klai platform. Not sure whether something is in scope? Ask before testing.
Out of scope: third-party services we use. If you find a vulnerability in Hetzner, Mollie, or Mistral infrastructure, report it to them directly.
No bug bounty
We do not have a bug bounty programme. We cannot offer payment. We can offer a genuine thank you, optional credit in our release notes, and the knowledge that you helped make privacy infrastructure a bit more solid.
Contact
Klai B.V.
Lubeckweg 2
9723HE Groningen
The Netherlands
E-mail: security@getklai.com
This document is published under CC BY 4.0. You are free to adapt it for your own organisation. Credit: Klai B.V.