Kahana Bounty Program
At Kahana, we care deeply about safeguarding the security and privacy of everyone who uses our products. We also recognize the security research community's invaluable role in this mission. If you spot a vulnerability, we want to hear about it so we can make things right as soon as possible. Your work helps us build a safer, more secure browsing experience for all.
How to Submit your Research
If you believe you've identified a security or privacy issue that affects Kahana products, services, or software, please report it to us through our contact form.
Keeping Oasis Secure
Your browser is a portal to the whole internet and everything in it. So ensuring your browser is airtight and as secure as it can possibly be is of incredible importance to us.
We're a small (but mighty) team working to ensure you never have to worry that your data is being misused, misappropriated, or sold in ways you're not aware of.
But don't take our word for it. Below, we've listed everything we can think of that you might want to know about our security practices. For more on privacy, click here.
And if you have any questions, please reach out to us through our contact form. We're all ears!
Outside Security Assessments
Our security team conducts regular reviews and training across a wide range of different systems:
- Corporate systems
- Infrastructure
- Build and tooling systems
- Full codebase audits
Browser Engine
Building a browser from the ground up is really hard, which is why Oasis is built on Firefox — the same engine that powers Mozilla Firefox. So, Oasis benefits from the same foundation that makes Firefox reliable and secure. But since Firefox is open source, we can augment it to further protect your privacy.
As for security, Firefox is constantly updated with security fixes for new vulnerabilities, and we take staying up to date with the newest version of Firefox very seriously. We even have a dedicated team of Firefox engineers! Our upgrade process guarantees that Oasis is always using the latest version of Firefox within 48 hours of a new version or hotfix being released.
Privacy-Focused Firefox Configuration
- Telemetry and data collection disabled
  - No telemetry data is sent to Mozilla or any third parties
  - No crash reports are automatically submitted
  - No usage statistics or performance data are collected
- Enhanced privacy protections
  - No session fingerprinting
  - No logging of your browsing activities (creating bookmarks, searching, autofills, links you click, etc.)
  - Enhanced tracking protection enabled by default
  - Firefox Sync and account integration disabled
  - Reporting Observers and the Reporting API are disabled
  - Network logging to file is disabled
Infrastructure
Oasis uses Supabase for user authentication and database storage. All data stored in Supabase is encrypted at rest by default.
Direct access to any production data is limited to a few select teams based on their roles. Access is logged and reviewed at regular intervals. We store as little PII as possible and routinely audit our data to ensure we're not storing anything sensitive. Please see the privacy policy for a list of what user data is stored.
Logging & Analytics
This browser uses privacy-preserving analytics to understand product usage patterns without collecting information that directly identifies you.
Overview of analytics
Analytics are used to answer questions like "Which features are used most?" and "Is the AI assistant working reliably?", not to profile individual people.
Data is collected in aggregate and tied to pseudonymous identifiers, not to your name, email address, or browsing history.
What we collect
- Technical information about the app, such as browser version, operating system type (for example, Windows, macOS, Linux), and basic device characteristics.
- High-level usage events, such as opening the AI assistant, issuing a command, creating or updating a tab group, starting or ending a browser session, and similar feature interactions.
- Simple counters and categories (for example, how many tabs were added to a group, or whether an action succeeded), not the actual content you are viewing.
How AI assistant usage is logged
When you use the AI assistant, events may record that a command was issued and its general type (for example, navigation, search, or tab organization), along with whether it completed successfully.
The actual text of your prompt, URLs, page titles, and page content are not sent to analytics; where needed, only abstract labels like "search engine" or "document site" are recorded.
What we do not collect
- No personal identifiers such as your name, email address, phone number, or account username are sent to analytics.
- No full URLs, page titles, page content, passwords, credit card numbers, or other sensitive information are logged in analytics events.
- Private or incognito browsing modes do not send analytics data and do not write analytics cookies or local storage.
Identifiers and profiles
Analytics events are associated with a random identifier so that we can understand usage patterns across sessions without knowing who you are.
If the browser supports optional sign-in, the internal account identifier is never stored in a human-readable form in analytics and is not used to contact you or to build marketing profiles.
Cookies and network traffic
Analytics may use cookies or local storage to remember a pseudonymous analytics ID, so that repeated sessions from the same installation can be analyzed together.
Analytics requests are sent over encrypted connections, and may be routed through controlled endpoints to reduce exposure of raw data to third parties.
Your choices and controls
On first run, you can choose whether to send anonymous usage statistics to help improve the browser; analytics are disabled by default until you opt in where required by law.
You can change this choice at any time in the browser settings by toggling the option for sending anonymous usage statistics; turning it off stops future analytics collection for that installation.
FAQ
- Why does Oasis require an account to use AI features?
Technically, you don't need to create an account to use the browser itself. However, to use AI features with the browser, you need an account to track token usage for the AI assistant. This allows us to manage your AI credits and ensure fair usage of the AI capabilities.
- Are you SOC 2 compliant?
We adhere to standards for reliable and secure technology. Our products are engineered to comply with important international regulations, including privacy protection, AI usage, and digital service requirements established by US and EU authorities (such as the EU AI Act, GDPR, and DSA). To demonstrate our dedication to exceptional security practices, we are pursuing established security certifications including ISO 27001 and SOC 2. Additionally, our security team is committed to protecting your information.
Are you SOC 2 compliant today?
- The service is not currently SOC 2 audited, but the team is designing systems, processes, and documentation with SOC 2 controls in mind from the start.
- As work progresses, the intent is to move toward a formal SOC 2 examination by an independent auditor once the controls have been operating consistently for a sufficient period.
What are you doing to prepare for SOC 2?
- Core infrastructure (Supabase, AWS, and related backend services) is being managed with strong access control, encryption, change management, and monitoring practices, which are key elements of SOC 2.
- Third-party providers such as Gemini, Deepgram, Mixpanel, and Stripe are being reviewed and governed as critical vendors, with clear documentation of what data they receive and why.
How does this affect my data?
- Telemetry and analytics are intentionally limited to pseudonymous, privacy-preserving events, avoiding sensitive content like full URLs, page text, or personal identifiers whenever possible.
- Authentication, payments, and AI features are designed so that sensitive data (like passwords and payment details) is handled by specialized, security-focused providers rather than custom systems.
What can users expect next?
- As the security and compliance program matures, more detailed information will be shared here about specific controls, independent assessments, and, when completed, any SOC 2 reports that can be made available under NDA to enterprise customers.
- This page will be updated over time to reflect progress, including clearer timelines and scope once an audit firm and target SOC 2 report type (Type I or Type II) are selected.
- How will you monetize without selling user data?
We don't plan to ever monetize by selling data. We currently don't monetize with ads. We currently monetize from paid subscriptions which allow users to leverage AI features. We are also coming out with Bring Your Own Key features, which will let you use AI features without paying a subscription to Kahana, but by using an existing subscription to services like Gemini or Anthropic, so you can use your own API key.
- Does Oasis come with a built-in ad-blocker?
Oasis comes with Firefox's built-in Enhanced Tracking Protection, which blocks many trackers and ads by default. Additionally, users can install uBlock Origin from the Firefox Add-ons store for additional ad-blocking capabilities. We currently don't have a custom-built ad-blocker but are looking at building further member protections into Oasis in the future. Since we're using Firefox under the hood, any ad-blockers or privacy tooling available in the Firefox Add-ons store work with Oasis.
- Can I configure multi-factor authentication (MFA) for my Oasis account?
Multi-factor authentication is not currently available for Oasis accounts, but we're actively working on adding this important security feature to provide additional account protection.