
Compliance

Where we stand, honestly labeled.

A SOC 2 Type I audit is in progress, with completion on the 2026 roadmap. ISO 27001 is on the roadmap. What is live today is the control set below, enforced on every deploy with no exceptions. Kynthar is not yet SOC 2 audited.

SOC 2 ALIGNMENT

Five Trust Services Criteria. Where each one stands.

SOC 2 Type I audit is on the 2026 roadmap. Below is each Trust Services Criterion mapped to the controls Kynthar has in place today. "Implemented" means the control is live and enforced. "In progress" means work remains.

SOC 2 Trust Services Criteria alignment

Security
  Scope: Protection against unauthorized access (logical and physical).
  Current controls: FORCE ROW LEVEL SECURITY on every table; MFA for production access; API key authentication with scoped permissions; 80+ deploy gates; TLS 1.2+ enforced on every endpoint.

Availability
  Scope: System availability for operation and use as committed.
  Current controls: Automated health checks; Prometheus and Alertmanager monitoring; critical-services verifier on every deploy; rolling restarts with a zero-downtime target; 35-day backup retention with point-in-time restore.

Processing Integrity
  Scope: System processing is complete, valid, accurate, and authorized.
  Current controls: Every AI decision logged with prompt ID, model version, latency, and cost in the llm_calls audit table; schema validation on every extraction; end-to-end fraud-scenario regression suite on every deploy.

Confidentiality
  Scope: Information designated as confidential is protected as committed.
  Current controls: AES-256 encryption at rest; tenant-isolated RLS policies; zero-retention LLM provider agreements; no cross-tenant data access; sub-processor list published and audited.

Privacy
  Scope: Personal information is collected, used, retained, and disclosed in conformity with commitments.
  Current controls: Full deletion on demand (30-day SLA); GDPR DPA available on request; formal privacy policy published. Privacy-impact assessment for new data categories is on the 2026 roadmap.

POLICIES

The policies that govern how we handle your data.

Summaries of our operational policies. Full policy documents available on request to customers and prospects under NDA.

Data retention
Customer data is retained for the duration of the contract plus a 30-day grace period. Full export and permanent deletion are available on request at any time, with or without an active contract. Encrypted backups age out on the 35-day rolling retention described under Business continuity and disaster recovery below, so deleted records can persist in backups for up to that window. See the Deletion on Demand section on /security for the full process.
Access control
Role-based access control with least-privilege defaults. Multi-factor authentication required for all production access. API keys are scoped per tenant with read/write permissions. Every access is logged and attributable.
Incident response
Documented incident-response runbook with a 72-hour customer-notification SLA for any incident affecting customer data. Prometheus and Alertmanager alerting with automated paging route incidents to on-call within minutes of an alert firing.
Vendor risk management
Sub-processors are reviewed for SOC 2 or equivalent posture before onboarding. The current sub-processor list (AWS, Anthropic, xAI, Stripe, Google SMTP, AWS SES) is published on /security and updated whenever a provider is added or removed.
Employee training
Security and data-handling training on hire and annually. Standard background checks for all employees with production access. Training records maintained.
Business continuity and disaster recovery
AWS RDS automated backups with 35-day retention and point-in-time restore. EBS snapshots for compute volumes. Infrastructure defined in code so a fresh region rebuild from the secrets bundle completes in under 4 hours. Tested quarterly.
Acceptable use
Internal acceptable-use policy governs employee access to production systems, customer data handling, and use of company resources. Violations are investigated per the incident response process.

82 deploy gates fire on every commit.

Every production change passes 82 automated gate scripts before it can ship: schema validation, RLS policy checks, envelope drift detection, dependency audits, and deployment safety scans. No human can skip them.
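The "FORCE ROW LEVEL SECURITY on every table" control in the Security row and the "RLS policy checks" gate in the list above are the kind of check a deploy script can enforce directly against the PostgreSQL catalog. The query below is an added illustration of such a gate, not Kynthar's own script; the app schema, the invoices table, the tenant_id column and the app.tenant_id session setting are assumptions for the example.

```sql
-- Added example, not Kynthar's gate script.
-- Gate query: list every ordinary or partitioned table in application schemas
-- that is NOT fully protected. A gate script fails the deploy if this
-- returns any rows. "Fully protected" here means all three of:
--   1. RLS enabled      (pg_class.relrowsecurity)
--   2. RLS forced       (pg_class.relforcerowsecurity, applies to table owner too)
--   3. at least one policy attached (pg_policy)
SELECT
    n.nspname               AS schema_name,
    c.relname               AS table_name,
    c.relrowsecurity        AS rls_enabled,
    c.relforcerowsecurity   AS rls_forced,
    COUNT(p.polname)        AS policy_count
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_catalog.pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')                          -- tables and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity
    OR NOT c.relforcerowsecurity
    OR COUNT(p.polname) = 0
ORDER BY schema_name, table_name;

-- Remediation for a table the gate flags (names are assumptions):
-- enable RLS, force it so the owning role is not exempt, and attach a
-- tenant-isolation policy. current_setting(..., true) returns NULL when the
-- session has no tenant set, so the comparison is NULL and no rows match:
-- the policy fails closed instead of leaking data.
ALTER TABLE app.invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE app.invoices FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON app.invoices
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
```

Two caveats a reviewer would raise against this gate. First, a non-zero policy count proves a policy exists, not that it isolates tenants: a policy with USING (true) passes the check, so a gate should also inspect pg_policy.polqual for the expected tenant predicate. Second, FORCE ROW LEVEL SECURITY binds the table owner, but superusers and roles with BYPASSRLS still bypass every policy, so the application role used at runtime must hold neither attribute.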

Full security practices and testing details on the Security page.

Security: Data protection. Tenant isolation, encryption, LLM commitments, and deletion.
Contact: Talk to us. Security questionnaires, DPA requests, or compliance questions.
Procurement Intelligence for manufacturers. Reads every document and email, cross-references everything, and catches what falls through the cracks.
support@kynthar.com

© 2026 Kynthar, Inc. All rights reserved.