Trust Center

Security, Data Boundaries, and Operational Accountability

This page explains how Kyra protects operational data, what Kyra stores, what Kyra does not store, and how workspace owners can enforce stronger controls. It is intended for owners, admins, and technical leads evaluating governance maturity before deployment.

Authentication and Access

Kyra uses Roblox OAuth for account identity and workspace-scoped permission checks for in-product authorization. Access to high-impact actions (for example ownership transfer) is restricted to owner-level workflows and explicit confirmation steps.

  • Workspace permissions are role-driven.
  • Membership can be revalidated against Roblox group role context.
  • Critical actions can require additional signoff.

Ingest Security

Roblox telemetry ingestion is token-protected and can be hardened with nonce/timestamp checks, request-size limits, and rate controls. Workspace owners can enforce stricter validation to reduce spoofing and replay risk.

  • Bearer ingest token validation per workspace.
  • Optional timestamp + nonce replay protection.
  • Rate limiting and event count caps per request.
  • Group/rank security filters when enabled.
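How the token, replay, size and rate controls listed above can fit together on the receiving side, as an added example that is not Kyra's own code. The `IngestGuard` class, its parameter names, the result strings and all limit values are assumptions made for illustration; the page names the controls but not their interface or thresholds.

```python
import hashlib
import hmac
import time

# Assumed limits; the page names the controls but not their values.
MAX_BODY_BYTES = 64 * 1024
MAX_EVENTS = 100
MAX_SKEW_SECONDS = 300
RATE_LIMIT_PER_MINUTE = 60


class IngestGuard:
    """Hypothetical server-side gate for one telemetry ingest endpoint."""

    def __init__(self, workspace_tokens, clock=time.time):
        # Keep digests rather than raw tokens in memory.
        self._digests = {ws: hashlib.sha256(tok.encode()).digest()
                         for ws, tok in workspace_tokens.items()}
        self._clock = clock
        self._nonces = {}   # (workspace, nonce) -> expiry time
        self._windows = {}  # workspace -> [window start, request count]

    def check(self, workspace, auth_header, timestamp, nonce, body_len, event_count):
        """Return "ok" or the name of the first control that rejected the request."""
        now = self._clock()
        scheme, _, token = auth_header.partition(" ")
        expected = self._digests.get(workspace, bytes(32))
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; unknown workspaces take the same path.
        token_ok = hmac.compare_digest(presented, expected)
        if scheme != "Bearer" or workspace not in self._digests or not token_ok:
            return "bad_token"
        window = self._windows.setdefault(workspace, [now, 0])
        if now - window[0] >= 60:
            window[0], window[1] = now, 0
        window[1] += 1
        if window[1] > RATE_LIMIT_PER_MINUTE:
            return "rate_limited"
        if body_len > MAX_BODY_BYTES:
            return "too_large"
        if event_count > MAX_EVENTS:
            return "too_many_events"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale_timestamp"
        # Drop nonces whose timestamp can no longer pass the skew check.
        self._nonces = {k: exp for k, exp in self._nonces.items() if exp >= now}
        if (workspace, nonce) in self._nonces:
            return "replayed"
        self._nonces[(workspace, nonce)] = timestamp + MAX_SKEW_SECONDS
        return "ok"
```

Because a bearer token travels with every request, the nonce check stops verbatim resends only. It does not help once the token itself is exposed, which is the case token rotation addresses.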

Auditability

Kyra records operational events needed for accountability and review. Leadership actions can be traced in audit logs, notifications, and export workflows so teams can explain what changed, when, and by whom.

  • Workspace-level audit logs for key actions.
  • Configurable notification/event trail.
  • Export support for reporting and governance review.

Data Handling Boundaries

Kyra is built for operational analytics and workflow state, not for unrestricted content collection. Workspace owners choose which custom telemetry fields are accepted, and unnecessary keys should stay disabled.

Full policy language is published in the Privacy Policy and Terms of Service.

Owner Governance Checklist

1. Access Policy

Define workspace roles and map Roblox ranks before enabling broad invites.

2. Ingest Hardening

Enable replay controls and keep token rotation procedures documented.

3. Retention Rules

Set retention windows based on operational needs and legal obligations.

4. Incident Routine

Use status and audit records for clear incident communication and postmortem follow-up.

Support and Security Reporting

For technical support and security-sensitive reports, use discord.gg/FBGbM2B9BH or email [email protected]. Include reproducible details and avoid sharing private secrets (tokens, session cookies, or raw credentials).

If an incident affects service availability, updates are published on Status with maintenance windows and resolution notes.