Security

Last updated: February 2026

Security is foundational to Kill One Meeting. We protect your data with industry-standard practices and a privacy-first approach.

Infrastructure

Hosting

  • EU-based: All data is stored and processed within the European Union
  • SOC 2 & ISO 27001: Our infrastructure provider maintains industry-standard compliance certifications

Encryption

  • In transit: All data is encrypted using TLS
  • At rest: All stored data is encrypted
  • Secrets: API keys and tokens are stored in a dedicated secrets manager

Database

  • Backups: Automated daily backups
  • Access: Encrypted connections required
  • Credentials: Strong, randomly generated passwords

Authentication

Passwordless Authentication

Kill One Meeting uses magic link authentication. This means:

  • No passwords to steal: We don't store passwords, so there's nothing to leak in a breach
  • Email verification: Every login requires access to your email
  • Time-limited links: Magic links expire after 15 minutes
  • Single use: Each link can only be used once

Session Security

  • Secure tokens: Signed, httpOnly cookies for session management
  • Short-lived access: Sessions expire automatically
  • Token rotation: Refresh tokens are rotated on each use
  • Logout: Full session invalidation on logout

Integrations

Calendar Integration

  • OAuth 2.0: Industry-standard authorization
  • Read-only access: We request minimal permissions — only read access to calendar events
  • No content access: We don't access meeting descriptions, attachments, or recordings
  • Revocable: You can disconnect at any time from your settings

Messaging Integration

  • OAuth 2.0: Secure workspace authorization
  • Minimal scopes: Only permissions needed to send rating prompts and receive responses
  • No message access: We cannot read your channels, private messages, or files
  • Revocable: Disconnect anytime from your settings

Data Practices

What We Store

  • Meeting metadata (title, time, duration, attendees)
  • Rating scores (1-5) and optional comments
  • Experiment configurations and outcomes
  • Account information (email, team settings)

What We Never Store

  • Meeting content, descriptions, or agendas
  • Video or audio recordings
  • Attached documents or files
  • Slack messages or channel content
  • Passwords (we use passwordless auth)

Logging and Monitoring

  • No PII in logs: Personally identifiable information is never logged
  • Sanitized output: All logging goes through sanitization to prevent data leakage
  • No token logging: Authentication tokens, refresh tokens, and API keys are never logged

Development Practices

  • Security reviews: Code changes reviewed for security implications
  • Dependency monitoring: Regular updates to address vulnerabilities
  • Least privilege: Each component has only the permissions it needs
  • Input validation: All user input is validated and sanitized

Incident Response

In the event of a security incident, we will:

  • Investigate and contain the incident immediately
  • Notify affected customers within 48 hours (or as required by law)
  • Provide details about what data was affected
  • Take corrective action to prevent recurrence

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  • Email: hello@killonemeeting.com with "Security" in the subject line
  • Include details about the vulnerability and steps to reproduce
  • Give us reasonable time to address the issue before public disclosure

We appreciate security researchers who help us keep our users safe.

Questions

For security-related questions, contact us at: hello@killonemeeting.com