Compliance
Where we stand, honestly labeled.
SOC 2 Type I controls are implemented and enforced; the audit is on the 2026 roadmap. Not yet SOC 2 audited. ISO 27001 is also on the roadmap. What is live today: the full control set below, enforced on every deploy; bypasses exist for emergencies, and every bypass is logged and auditable.
SOC 2 ALIGNMENT
Five Trust Services Criteria. Where each one stands.
Each Trust Services Criterion below is mapped to the controls Kynthar has in place today. "Implemented" means the control is live and enforced. "In progress" means work remains before the audit.
| Criterion | Scope | Status | Current Controls |
|---|---|---|---|
| Security | Protection against unauthorized access (logical and physical) | Implemented | FORCE ROW LEVEL SECURITY on every table, MFA for production access, API key authentication with scoped permissions, 80+ deploy gates, TLS 1.2+ enforced on every endpoint. |
| Availability | System availability for operation and use as committed | Implemented | Automated health checks, Prometheus and Alertmanager monitoring, critical-services verifier on every deploy, rolling restarts with zero-downtime target, daily encrypted backups with a 7-day point-in-time restore window. |
| Processing Integrity | System processing is complete, valid, accurate, and authorized | Implemented | Every AI decision logged with prompt ID, model version, latency, and cost via the llm_calls audit table. Schema validation on every extraction. E2E fraud-scenario regression suite on every deploy. |
| Confidentiality | Information designated as confidential is protected as committed | Implemented | AES-256 encryption at rest, tenant-isolated RLS policies, LLM providers that do not train on customer data, no cross-tenant data access. Sub-processor list published and audited. |
| Privacy | Personal information collected, used, retained, and disclosed in conformity with commitments | In progress | Full deletion on demand (30-day SLA). GDPR DPA available on request. Formal privacy policy published. Privacy-impact assessment for new data categories is on the 2026 roadmap. |
POLICIES
The policies that govern how we handle your data.
Summaries of our operational policies. Full policy documents available on request to customers and prospects under NDA.
- Data retention
- Customer data is retained for the duration of the contract plus a 30-day grace period. Full export and permanent deletion available on request at any time, with or without an active contract. Encrypted database backups expire within the 7-day point-in-time-restore window. See the Deletion on Demand section on /security for the full process.
- Access control
- Role-based access control with least-privilege defaults. Multi-factor authentication required for all production access. API keys are scoped per tenant with read/write permissions. Every access is logged and attributable.
- Incident response
- Documented incident-response runbook with a 72-hour customer-notification SLA for any incident affecting customer data. Prometheus, Alertmanager, and automated paging ensure incidents are detected within minutes.
- Vendor risk management
- Sub-processors are reviewed for SOC 2 or equivalent posture before onboarding. The current sub-processor list (AWS, Google, xAI, OpenAI, Anthropic, DeepInfra, Stripe, Google SMTP, AWS SES) is published on /security and updated whenever a provider is added or removed.
- Employee training
- Security and data-handling training on hire and annually. Standard background checks for all employees with production access. Training records maintained.
- Business continuity and disaster recovery
- AWS RDS automated daily snapshots with a 7-day point-in-time restore window. Environment secrets versioned in AWS Secrets Manager. Infrastructure defined in code so a fresh rebuild from the secrets bundle completes in under 4 hours. Restore tested on a 90-day schedule; the most recent test restored production in 16 minutes.
- Acceptable use
- Internal acceptable-use policy governs employee access to production systems, customer data handling, and use of company resources. Violations are investigated per the incident response process.
80+
Deploy gates fire on every deploy.
Every production change passes 80+ automated gate scripts before it can ship. Schema validation, RLS policy checks, envelope drift detection, dependency audits, and deployment safety scans. Emergency bypasses exist; each one is logged and auditable.
Full security practices and testing details on the Security page.