Security
Your data stays yours
Kynthar stores and analyzes your procurement data persistently. That analysis is the product. Here is exactly how we protect it, who can see it, and how you can delete it.
AI DATA HANDLING
Four commitments on how your data flows through AI
Kynthar uses frontier LLMs (Anthropic Claude, xAI Grok, others) for classification, extraction, and analysis. Every provider operates under contractual zero-retention. These are contract terms, not marketing language.
| # | Commitment | Detail |
|---|---|---|
| 1 | Your data is never used to train any AI model | Not our LLM providers' models, not ours, not anyone else's. Your procurement data is contractually excluded from any training dataset, current or future. |
| 2 | Zero retention by our LLM providers | Every LLM provider Kynthar uses operates under a contractual zero-data-retention agreement. Prompts and responses are not stored on provider servers after processing. |
| 3 | No human review of your data | No analyst at Kynthar or our LLM providers reads your documents. Automated processing only. |
| 4 | You can delete your data at any time | Full export and permanent deletion on request, with or without an active contract. |
TENANT ISOLATION
Multi-tenant isolation enforced at the database layer.
Kynthar is a multi-tenant system. Every customer's data lives in the same database. The isolation between tenants is not a feature of the application code. It is a constraint enforced by the database engine itself.
| # | Control | Detail |
|---|---|---|
| 1 | FORCE ROW LEVEL SECURITY on every multi-tenant table | Postgres RLS policies are enforced at the database engine level. There is no superuser path that bypasses RLS in the application. Every table that holds customer data carries a FORCE RLS directive. |
| 2 | Every query requires app.current_company_id before any SELECT returns rows | The database session variable must be set before any query executes. The default is NULL, which means a missing context returns zero rows, not all rows. Fail-closed by design. |
| 3 | Tenant separation enforced at the database layer, not trusted from the application | A bug in application code that forgets to scope a query cannot leak cross-tenant data. The database refuses to return rows without a valid tenant context, regardless of what the application sends. |
| 4 | Verified by a 13-table integration test suite and two dedicated migrations | The purge-tenant test suite exercises the full deletion flow against a real database across 13 tables. Migrations 0458 (RLS guards) and 0459 (purge-tenant tooling) enforce and verify the isolation boundary. |
| 5 | No customer can name another customer. Tenant IDs are non-enumerable. | Tenant identifiers use ULID format. There is no sequential numbering, no enumerable namespace, and no API that lists tenant IDs. Cross-tenant reconnaissance is structurally impossible. |
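The fail-closed pattern in controls 1 to 3, written out as PostgreSQL. This is an added example, not Kynthar's schema or migrations: the `invoices` table, the `app_user` role, the `tenant_isolation` policy name and the tenant ID values are hypothetical; only the `app.current_company_id` setting name comes from the page.

```sql
-- Hypothetical multi-tenant table; company_id holds the tenant identifier as text.
CREATE TABLE invoices (
    id         text PRIMARY KEY,
    company_id text NOT NULL,
    amount     numeric NOT NULL
);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well. Superusers and roles
-- with BYPASSRLS are still exempt, so the application role must be neither.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the setting was never set, and an
-- empty string after a SET LOCAL has reverted. Neither equals a real tenant ID,
-- so the predicate is never true without a tenant context.
CREATE POLICY tenant_isolation ON invoices
    USING      (company_id = current_setting('app.current_company_id', true))
    WITH CHECK (company_id = current_setting('app.current_company_id', true));

-- Hypothetical application role, explicitly without the RLS-exempt attributes.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON invoices TO app_user;

-- Seed one row per tenant (constructed IDs). Under FORCE RLS even the owner
-- has to set the tenant context to pass WITH CHECK.
BEGIN;
SET LOCAL app.current_company_id = '01J0000000000000000000000A';
INSERT INTO invoices VALUES ('inv-a1', '01J0000000000000000000000A', 100);
SET LOCAL app.current_company_id = '01J0000000000000000000000B';
INSERT INTO invoices VALUES ('inv-b1', '01J0000000000000000000000B', 250);
COMMIT;

SET ROLE app_user;

-- Unscoped query with no tenant context: what "forgot to scope the query" looks like.
SELECT id, company_id FROM invoices;

-- Scoped transaction: SET LOCAL confines the tenant context to this transaction,
-- so it cannot carry over to the next user of a pooled connection.
BEGIN;
SET LOCAL app.current_company_id = '01J0000000000000000000000A';
SELECT id, company_id FROM invoices;
COMMIT;

RESET ROLE;
```

To audit an existing database for tables that enable RLS without forcing it, compare `relrowsecurity` and `relforcerowsecurity` in `pg_class`.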
STORAGE POSTURE
Procurement intelligence requires a memory. Here is how we protect it.
Kynthar stores your documents, emails, and extracted data so it can cross-reference, detect anomalies, and compound insight over time. Persistent storage is the product. These are the controls that make it safe.
- AWS RDS Postgres (us-east-2) with AES-256 encryption at rest
  - Keys managed by AWS KMS with automatic rotation. No plaintext customer data at rest anywhere in the stack.
- TLS 1.2+ enforced on every endpoint
  - HTTPS required at the edge. HTTP traffic is refused at the load balancer. No TLS downgrade.
- Multi-tenant architecture, data never pooled across customers
  - Each company's data is isolated by Postgres RLS policies. No shared tables, no cross-tenant joins, no aggregate queries that touch another customer's rows.
- Every insight derived from your own documents, never cross-tenant
  - Anomaly baselines, vendor scores, and spend patterns are computed from your data only. No benchmarking against other customers' data.
DELETION ON DEMAND
Full export and permanent deletion, any time
No lock-in. No retention traps. If you leave, your data leaves with you and then disappears from our systems entirely.
- Request full export and permanent deletion at any time
  - With or without an active contract. No lock-in, no retention periods, no exceptions.
- Deletion completes within 30 days of request
  - Confirmed in writing once all data has been permanently removed from active systems.
- Encrypted backups expire on a rolling 30-day schedule
  - Backups containing deleted tenant data are not restorable once they age out. No shadow copies.
- Automated tenant-purge tooling with deletion confirmation
  - Every purge produces a row-count confirmation recording what was deleted, when, and by whom. The tooling is continuously tested via a 13-table rich-shape integration suite. Confirmation available to the departing customer on request.
SUB-PROCESSORS
A short, audited sub-processor list.
Your procurement document data touches AWS for storage and compute, and Anthropic and xAI for AI processing under zero-data-retention agreements. Stripe handles billing data only, Google SMTP and AWS SES handle email relay. No other third parties handle customer data.
| Provider | Role | Data Handled | Region | Compliance |
|---|---|---|---|---|
| AWS | Infrastructure (compute, storage, networking) | All customer data at rest and in transit | us-east-2 (Ohio) | compliance |
| Anthropic | LLM provider (Claude, primary) | Document text sent for processing, zero-retention | US | compliance |
| xAI | LLM provider (Grok, secondary) | Document text sent for processing, zero-retention | US | compliance |
| Stripe | Payments processor | Billing data only; no procurement documents | US | compliance |
| Google (SMTP) | Outbound email relay | Notification emails only; no procurement documents | US | compliance |
| AWS SES | Inbound email receipt | Forwarded procurement emails (text + attachments) | us-east-2 (Ohio) | compliance |
SECURITY PRACTICES
How we protect your data, day to day.
Security is not a feature we shipped once. It is a set of practices enforced on every commit, every deploy, every hire, and every vendor relationship.
- Continuous testing: 80+ deploy gates fire on every commit
  - Every production change passes 80+ automated gate scripts (pre-commit and deploy-time) before it can ship. Schema validation, envelope drift, RLS policy checks, dependency audits, and deployment safety scans run on every single commit.
- Penetration testing
  - Annual third-party penetration testing is on our 2026 roadmap. Current security testing is continuous via the deploy-gate suite, plus internal red-team exercises before each enterprise contract.
- Vulnerability scanning
  - Container images scanned on every deploy. Dependency upgrades reviewed weekly. The dependency audit gate blocks any commit that introduces a known vulnerability.
- Multi-factor authentication
  - Required for all employee access to production systems and customer data. No exceptions.
- Single sign-on
  - Available on Platform contracts via SAML 2.0 or OIDC. Contact security@kynthar.com to scope.
- Incident response
  - Documented runbook with a 72-hour customer-notification SLA for any incident affecting customer data. Prometheus, Alertmanager, and automated paging ensure incidents are detected within minutes.
- Employee training
  - Security and data-handling training on hire and annually. All employees with production access complete training before receiving credentials.
- Background checks
  - Standard background checks for all employees with production access.
- Vendor risk management
  - Sub-processors reviewed for SOC 2 or equivalent posture before onboarding. Current sub-processor list visible in the table above.
COMPLIANCE POSTURE
Honestly labeled. Live controls first, audits second.
SOC 2 Type I is in progress. ISO 27001 is on the roadmap. What is live today: the full control set below, enforced on every deploy.
- SOC 2 Type I (in progress)
- ISO 27001 (on roadmap)
- GDPR DPA available on request
- AWS SOC 2 / ISO 27001 at infra layer
- Anthropic SOC 2 Type II at LLM layer
- AES-256 encryption at rest
- TLS 1.2+ in transit
- Row-level tenant isolation (RLS)
- 35-day backup retention with point-in-time restore
- 72-hour incident notification SLA
RESPONSIBLE DISCLOSURE
Found a vulnerability? Tell us.
We welcome reports from security researchers. Send a brief description and reproduction steps to security@kynthar.com.
- Safe harbor
  - We will not pursue legal action against researchers who follow responsible-disclosure practices: report privately, allow reasonable time to remediate (default 90 days), avoid privacy violations or service degradation.
- Acknowledgment
  - Researchers who report a valid vulnerability are credited on this page (with consent) and acknowledged in our security advisories.
- Machine-readable policy
  - Our security.txt file is published at /.well-known/security.txt per RFC 9116.
SECURITY ADVISORIES
Transparency when it matters most.
We post timestamped statements on this page when significant security events occur in our supply chain: LLM provider incidents, infrastructure provider incidents, dependency CVEs affecting Kynthar. Past statements remain visible to preserve the audit trail.
No active security advisories as of 2026-05-20.
THIRD-PARTY SECURITY GRADES
Independent, verifiable scores.
These grades are issued by third-party scanning services. Click the links to verify against the live reports.
| Scanner | Provider | Grade | What It Tests | Verify |
|---|---|---|---|---|
| SSL Labs | Qualys SSL Labs | grade | TLS configuration, certificate chain, protocol support | ssllabs.com/ssltest/analyze.html?d=kynthar.com |
| Security Headers | securityheaders.com | grade | HTTP security headers (CSP, HSTS, X-Frame-Options). Improvement scheduled: adding Content-Security-Policy, Permissions-Policy, and X-Content-Type-Options headers. | securityheaders.com/?q=kynthar.com |
Security questionnaires, SIG-Lite responses, and responsible disclosure reports welcome. We respond within one business day.