Kynthar
ProductSecurityPricing
Log inRun a pair check

Compliance

Where we stand, honestly labeled.

SOC 2 Type I controls are implemented and enforced; the audit is on the 2026 roadmap. Not yet SOC 2 audited. ISO 27001 is also on the roadmap. What is live today: the full control set below, enforced on every deploy; bypasses exist for emergencies, and every bypass is logged and auditable.

SOC 2 ALIGNMENT

Five Trust Services Criteria. Where each one stands.

Each Trust Services Criterion below is mapped to the controls Kynthar has in place today. "Implemented" means the control is live and enforced. "In progress" means work remains before the audit.

SOC 2 Trust Services Criteria alignment
CriterionScopeStatusCurrent Controls
SecurityProtection against unauthorized access (logical and physical)ImplementedFORCE ROW LEVEL SECURITY on every table, MFA for production access, API key authentication with scoped permissions, 80+ deploy gates, TLS 1.2+ enforced on every endpoint.
AvailabilitySystem availability for operation and use as committedImplementedAutomated health checks, Prometheus and Alertmanager monitoring, critical-services verifier on every deploy, rolling restarts with zero-downtime target, daily encrypted backups with a 7-day point-in-time restore window.
Processing IntegritySystem processing is complete, valid, accurate, and authorizedImplementedEvery AI decision logged with prompt ID, model version, latency, and cost via the llm_calls audit table. Schema validation on every extraction. E2E fraud-scenario regression suite on every deploy.
ConfidentialityInformation designated as confidential is protected as committedImplementedAES-256 encryption at rest, tenant-isolated RLS policies, LLM providers that do not train on customer data, no cross-tenant data access. Sub-processor list published and audited.
PrivacyPersonal information collected, used, retained, and disclosed in conformity with commitmentsIn progressFull deletion on demand (30-day SLA). GDPR DPA available on request. Formal privacy policy published. Privacy-impact assessment for new data categories is on the 2026 roadmap.

POLICIES

The policies that govern how we handle your data.

Summaries of our operational policies. Full policy documents available on request to customers and prospects under NDA.

Data retention
Customer data is retained for the duration of the contract plus a 30-day grace period. Full export and permanent deletion available on request at any time, with or without an active contract. Encrypted database backups expire within the 7-day point-in-time-restore window. See the Deletion on Demand section on /security for the full process.
Access control
Role-based access control with least-privilege defaults. Multi-factor authentication required for all production access. API keys are scoped per tenant with read/write permissions. Every access is logged and attributable.
Incident response
Documented incident-response runbook with a 72-hour customer-notification SLA for any incident affecting customer data. Prometheus, Alertmanager, and automated paging ensure incidents are detected within minutes.
Vendor risk management
Sub-processors are reviewed for SOC 2 or equivalent posture before onboarding. The current sub-processor list (AWS, Google, xAI, OpenAI, Anthropic, DeepInfra, Stripe, Google SMTP, AWS SES) is published on /security and updated whenever a provider is added or removed.
Employee training
Security and data-handling training on hire and annually. Standard background checks for all employees with production access. Training records maintained.
Business continuity and disaster recovery
AWS RDS automated daily snapshots with a 7-day point-in-time restore window. Environment secrets versioned in AWS Secrets Manager. Infrastructure defined in code so a fresh rebuild from the secrets bundle completes in under 4 hours. Restore tested on a 90-day schedule; the most recent test restored production in 16 minutes.
Acceptable use
Internal acceptable-use policy governs employee access to production systems, customer data handling, and use of company resources. Violations are investigated per the incident response process.

80+

Deploy gates fire on every deploy.

Every production change passes 80+ automated gate scripts before it can ship. Schema validation, RLS policy checks, envelope drift detection, dependency audits, and deployment safety scans. Emergency bypasses exist; each one is logged and auditable.

Full security practices and testing details on the Security page.

SecurityData protectionTenant isolation, encryption, LLM commitments, and deletion.ContactTalk to usSecurity questionnaires, DPA requests, or compliance questions.
Kynthar

Procurement intelligence for manufacturers. Every finding ships with its receipt: the line, the price, the clause.

support@kynthar.com

Product
  • Product
  • How it works
  • For manufacturers
  • Pricing
  • Run a pair check
Tools
  • Tariff checker
  • Schedule a demo
  • Log in
Company
  • Why Procurement Intelligence
  • Security
  • Resources
  • Contact
Legal
  • Privacy
  • Terms
  • DPA

Not a document extractor. Not an ERP replacement.

© 2026 Kynthar, Inc. All rights reserved.