Kelevra public page
Security, privacy and governance evidence
Why this page exists
Kelevra does not ask people to believe claims without evidence.
This page is where Kelevra publishes the facts that help customers, security reviewers, privacy reviewers, regulators, and partners judge us.
Current state
Kelevra is an early-stage South African company.
Axiom is in active development.
Kelevra does not currently claim SOC 2 certification, ISO 27001 certification, PCI certification, or production scale that has not been earned.
When a certification, audit, penetration test, or formal review exists, this page must say what it covers, who performed it, and when it was done.
Company identity
Company: Kelevra Solutions (Pty) Ltd
CIPC registration: 2025/946235/07
Registered address: 6 Triton Way, Atlantic Beach Estate, Melkbosstrand, Western Cape, 7441
Country: South Africa
Product: Axiom
Product description: programmable insurance infrastructure
Company website: https://kelevra.com/
Public policies
- Privacy Notice: https://kelevra.com/privacy
- Terms of Service: https://kelevra.com/terms
- Help and contact: https://kelevra.com/help
- Data and privacy rights: https://kelevra.com/data
- Security contact: security@kelevra.com
- Security.txt: https://kelevra.com/.well-known/security.txt
Vulnerability reporting
Policy URL: https://kelevra.com/evidence#vulnerability-reporting
Send security reports to security@kelevra.com.
Please include:
- the affected system or URL;
- what you found;
- steps to reproduce it;
- the possible impact;
- whether any data was accessed;
- your contact details if you want a reply.
Do not access data that is not yours.
Do not disrupt systems.
Do not publicly disclose a live issue before Kelevra has had a fair chance to investigate.
Kelevra will treat good-faith security reports seriously.
Kelevra does not intend to threaten legal action against good-faith reports that follow these rules and avoid harm.
Data handling
Kelevra handles its own company data, website data, contact-channel data, security logs, contract records, and operational records.
Axiom tenant data belongs to the tenant. Kelevra is the engine provider. Tenants own their insurance data and their relationship with affected people.
Security controls
Kelevra's current operating discipline is built around:
- least-privilege access;
- secret management;
- audit trails;
- code review;
- tested changes;
- infrastructure-as-code where practical;
- logging and monitoring;
- security contact routing;
- clear separation between Kelevra company data and tenant-owned data.
This list is not a certification. It is the discipline Kelevra applies to systems it runs.
Subprocessors and providers
Kelevra uses service providers to host, secure, route, and operate its systems.
This page must publish the current provider list before external customers need it for procurement or data-protection review.
The list must say:
- provider name;
- purpose;
- data handled;
- country or hosting region where known;
- whether the provider is used for Kelevra company operations, Axiom product operations, or both.
Current provider list status: not yet published. Kelevra will publish it before external procurement or data-protection review requires it.
Incident and status evidence
Status page: planned at status.kelevra.com.
When status reporting is live, this page should link to:
- current status;
- incident history;
- maintenance notices;
- post-incident summaries where publication is appropriate.
Governance evidence
Kelevra records important decisions internally in the Axiom repository.
Where a public claim depends on a decision record, this page should link to the relevant public record if it is public, or provide a plain-English summary if the source record is private.
What is not ready yet
The following items must not be claimed until they exist:
- SOC 2 report;
- ISO 27001 certificate;
- external penetration-test report;
- public subprocessor register;
- DPA template;
- uptime SLO history;
- formal data-residency statement;
- registered Information Officer details, if publication is required;
- PAIA manual;
- current provider list.
When any item becomes real, the page should show the date, scope, and evidence.