CongoSky · Khuluma Tenant 0 · closed beta

Neighbourhood safety

Speak up. Stay safe.

Khuluma is how neighbours warn each other about danger nearby: area alerts you can follow, post, and corroborate.

Khuluma · isiZulu: “to speak.” Built for safety, under fire.

Community hands gathered around a phone showing a neighbourhood safety alert, warm sunset glow on a dark background

What Khuluma is

When something is wrong on your street, people need a channel that is fast, local, and trusted. Khuluma is that channel: warnings for your area, not the whole internet.

  • Area alerts See what neighbours are reporting in the place you actually live.
  • Corroborate warnings Add your voice when you have seen the same thing. Signal over noise.
  • Invite-only areas Join through someone who vouches for you. Safety starts with who is in the room.
  • SMS opt-in Get critical alerts by text when you are not staring at a screen.

How it works

  1. Get an invite A steward or neighbour sends you in. No open sign-up on a map. Trust is deliberate.
  2. Join your area Pick the neighbourhood you belong to and follow it. One feed, one place.
  3. Post and follow alerts Members can post warnings. Everyone can read, corroborate, and stay ahead of danger.

Coming soon to your pocket

Khuluma is in closed beta on CongoSky. App store links and a public waitlist open when we are ready for the next wave.

Running on CongoSky, the sovereign cloud for Africa. Back to congosky.cloud

Technology, privacy, and security

Khuluma is built for people under real physical threat. The architecture is deliberately small: fast local alerts, a trust graph instead of an ID database, and the least sensitive data we can hold while still warning neighbours in time.

What runs underneath

CongoSky (Tenant 0) Khuluma is the first product on CongoSky: one tenant namespace on shared infrastructure, isolated by account and database scoping, not by selling your data.
API and app backend A stateless FastAPI service on Render handles sign-in, areas, alerts, corroboration, and SMS fan-out. No chat history, no message store in v0.
Auth0 (identity) Standard OIDC/OAuth2 login. You authenticate with a provider we trust; we hold session tokens, not passwords. Real names are not required to use Khuluma.
Neon (Postgres) Membership tier, vouch graph, area follows, alerts, and corroboration counts. Row-scoped per tenant. Alerts expire automatically so stale warnings drop off.
SMS delivery Optional text alerts ride a provider-agnostic seam (console in dev, production SMS gateway when enabled). Posting an alert never fails because SMS hiccuped; texts are best-effort on top of in-app reading.
This page Static HTML on Cloudflare Pages at congosky.cloud. No trackers on this landing page beyond what your browser sends to load fonts. Product analytics elsewhere use privacy-first Plausible where enabled.

What we store (and what we refuse to)

  • Stored: your account id, membership tier, who vouched for whom, which coarse areas you follow (by name, e.g. a ward or suburb), alert text, category, timestamp, optional landmark string you type, corroboration counts, and an SMS number only if you opt in.
  • Not stored: passport or national ID images, home address, precise GPS tied to you, private chat or DM history (no chat in v0), or a public map of “foreigners here.”
  • Design rule: if a server breach would make a leak more dangerous to a real person, that data does not ship. The safest record is the one we never keep.

How PII is protected

  • Phones are optional and controlled. SMS is opt-in. You can register a number for critical texts or use the app only. STOP/opt-out is honoured per number. Numbers are normalised to E.164 and used only for alert fan-out, not marketing.
  • Logs minimise exposure. Operational logs use opaque user labels, not raw phone numbers in free text. SMS attempts are audited in a dedicated log for abuse forensics and deduplication, not for profiling.
  • Deletion and anonymisation. You can purge your account. Past alerts you posted are anonymised (poster removed) so corroboration counts stay honest; your vouches are dropped.
  • AI boundary (platform-wide). CongoSky classifies and redacts personal data before it enters model context, and re-checks generated output before persistence. Khuluma v0 keeps almost no sensitive fields, so the PII surface stays small by design.

Security controls

  • Web of trust, not an ID gate. Invite-only areas. Provisional members read; full members post and vouch. Two independent vouches are required before you can warn an area or bring someone else in. Vouches are attributable and revocable.
  • Coarse areas only. Alerts name a neighbourhood you joined, not your bed. Optional landmark text is what you type, not device GPS.
  • Anti-abuse on broadcast. Only full members post. Per-poster rate caps per area limit blast spam if an account is compromised. Corroboration makes lone fakes visible.
  • HTTPS everywhere. API traffic is TLS-terminated at the edge. Session tokens are short-lived industry-standard JWTs. Provider contracts (Auth0, Neon, Render, SMS) are swappable without rewriting the product.

Closed beta. Specifications and threat model are maintained in the CongoSky/Yama engineering docs. Questions: info@congosky.cloud.