Security Practices

At Kynthar, security is foundational to everything we build. We employ enterprise-grade security practices to protect your sensitive business documents.

Last updated: January 13, 2026

AES-256 Encryption
All stored data encrypted at rest
TLS 1.2+
HTTPS enforced on every endpoint
Row-Level Security
Database-enforced tenant isolation
AWS Infrastructure
Hosted in AWS data centers holding SOC 2, ISO 27001 and PCI DSS certifications

1. Infrastructure Security

Our infrastructure is built on industry-leading cloud platforms with multiple layers of protection.

Cloud Infrastructure

  • Amazon Web Services (AWS): We host on AWS, leveraging their SOC 2 Type II, ISO 27001, and PCI DSS certified data centers
  • Private VPC: All services run within a private Virtual Private Cloud with no direct public internet access to backend systems
  • Network Segmentation: Strict network boundaries separate public-facing services from internal databases and processing systems

Container Isolation

  • Docker Containerization: Each service runs in its own isolated container, limiting the blast radius of a compromised workload
  • Minimal Attack Surface: Containers use minimal base images with only required dependencies
  • Regular Updates: Container images are rebuilt regularly with the latest security patches

Infrastructure as Code

  • Reproducible Deployments: All infrastructure is defined as code, ensuring consistent and auditable configurations
  • Version Control: Infrastructure changes are tracked, reviewed, and can be rolled back

2. Data Encryption

We employ strong encryption at every stage of data handling.

Encryption in Transit

  • TLS 1.2+: All data transmitted between your browser and our servers is protected with TLS 1.2 or higher
  • HTTPS Only: HTTPS is enforced on all endpoints, and HSTS headers instruct browsers to refuse plaintext HTTP connections, blocking SSL-stripping downgrade attacks
  • Certificate Management: TLS certificates are automatically rotated and managed through trusted certificate authorities

Encryption at Rest

  • AES-256 Encryption: All stored data is encrypted using AES-256 encryption
  • AWS Key Management: Encryption keys are managed through AWS KMS with automatic key rotation
  • Encrypted Backups: All database backups are encrypted before being stored

3. Access Controls

We implement strict access controls following security best practices.

Principle of Least Privilege

  • Minimal Permissions: Every service, user, and system component has only the minimum permissions required
  • Regular Access Reviews: Access permissions are reviewed regularly and revoked when no longer needed
  • Just-in-Time Access: Administrative access to production requires explicit approval and is time-limited

Role-Based Access Control (RBAC)

  • Defined Roles: User permissions are organized into clearly defined roles (Admin, User, Viewer)
  • Granular Permissions: Permissions can be customized based on specific organizational needs
  • Audit Trail: All permission changes are logged and auditable

Row-Level Security (RLS)

  • Database-Level Enforcement: RLS policies are enforced at the database level, ensuring users can only access their organization’s data
  • Defense in Depth: Even if application-level controls were bypassed, database policies prevent unauthorized access

4. Authentication

We implement secure authentication mechanisms to protect user accounts.

Password Security

  • bcrypt Hashing: Passwords are hashed using bcrypt with a high work factor
  • No Plaintext Storage: Passwords are never stored in plaintext or reversible formats
  • Password Requirements: We enforce minimum password complexity requirements

Session Security

  • Secure Session Tokens: Session tokens are generated by a cryptographically secure random number generator and are long enough that guessing a valid token is infeasible
  • HTTP-Only Cookies: Session cookies are marked HttpOnly, so script running in the page (for example through an XSS flaw) cannot read them
  • Secure Flag: Session cookies carry the Secure flag and are only ever sent over HTTPS connections
  • Session Expiration: Sessions expire after periods of inactivity

Account Protection

  • Rate Limiting: Login attempts are rate-limited to prevent brute-force attacks
  • Account Lockout: Accounts are temporarily locked after multiple failed login attempts
  • Suspicious Activity Alerts: Users are notified of login attempts from new devices or locations
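Rate limiting and lockout as described above, as an added example that is not Kynthar's code: a sliding-window failure counter per normalized account name, a temporary lockout once the threshold is reached, and a login wrapper that never runs the password check while the account is locked. The thresholds, the in-memory store and the `verify` callback are assumptions made for the example.

```python
"""Login rate limiting with temporary account lockout (sliding window).

Added example for the Account Protection bullets; it is not Kynthar's code.
The store is in-memory and the clock is injectable so the behaviour can be
exercised in a test. The thresholds below are assumptions, not Kynthar's
actual settings.
"""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple

MAX_FAILURES = 5           # assumed: failures tolerated inside one window
WINDOW_SECONDS = 15 * 60   # assumed: sliding window over which failures count
LOCKOUT_SECONDS = 15 * 60  # assumed: how long the account stays locked


@dataclass
class LoginGuard:
    """Tracks failed logins per account key and enforces a temporary lockout."""
    clock: Callable[[], float] = field(default=time.monotonic)
    failures: Dict[str, Deque[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def _recent_failures(self, key: str, now: float) -> Deque[float]:
        # Drop failures that have aged out of the sliding window.
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_until_unlock). Call before verifying a password."""
        now = self.clock()
        until = self.locked_until.get(key, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, key: str) -> bool:
        """Record a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()  # the lockout resets the count; the next window starts clean
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login clears the failure history for the account."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(guard: LoginGuard, username: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Gate a login through the guard. Returns 'locked', 'invalid' or 'ok'.

    `verify` is the password check (e.g. a bcrypt comparison) and is assumed
    to exist elsewhere; it is not called at all while the account is locked.
    """
    key = username.strip().lower()   # normalise so Alice@ and alice@ share one counter
    allowed, _ = guard.check(key)
    if not allowed:
        return "locked"
    if verify(username, password):
        guard.record_success(key)
        return "ok"
    guard.record_failure(key)
    return "invalid"
```

Keying the lockout on the account name means anyone who knows a username can keep that account locked, so lockout is paired with per-source rate limiting rather than used alone, and the "locked" and "invalid" outcomes should reach the client as the same generic response so that the login form does not confirm which accounts exist.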

5. Multi-Tenant Isolation

Our platform serves multiple customers while maintaining strict data isolation.

Tenant Separation

  • Company ID Enforcement: Every data record carries a company identifier, and all queries are scoped to the authenticated user’s organization
  • Application-Level Checks: Business logic validates tenant context on every operation
  • Database-Level Enforcement: RLS policies provide an additional layer of tenant isolation

Resource Isolation

  • Isolated Processing: Document processing jobs are isolated per tenant
  • Separate Storage Paths: Uploaded documents are stored in tenant-specific paths
  • No Cross-Tenant Access: Under no circumstances can one customer access another’s data
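How the two layers fit together, as an added example that is not Kynthar's code: the application scopes every query by company_id, and the database applies the tenant predicate itself, so a handler that forgets the filter still cannot see another organization's rows. SQLite is used so the example runs offline; it has no native row-level security, so the database layer is emulated with a view over a session-context function, and the equivalent PostgreSQL policy is shown in the module docstring. Table and column names, the tenant identifiers and the sample rows are constructed for the example.

```python
"""Two-layer tenant isolation: application-level company_id scoping plus a
database-side predicate that still applies when a handler forgets the filter.

Added example for the Row-Level Security and Multi-Tenant Isolation sections;
it is not Kynthar's code. SQLite has no native row-level security, so the
database layer is emulated with a view whose predicate calls a session-context
function. In PostgreSQL the equivalent is a real policy, roughly:

    ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
    ALTER TABLE documents FORCE ROW LEVEL SECURITY;
    CREATE POLICY tenant_isolation ON documents
        USING (company_id = current_setting('app.company_id', true));

with the application running SET LOCAL app.company_id = ... at the start of
each transaction. Table and column names and the sample rows are constructed.
"""
import sqlite3
import threading
from typing import List, Optional

_ctx = threading.local()   # per-request tenant context (stand-in for a session setting)


def set_tenant(company_id: Optional[str]) -> None:
    """Bind the authenticated user's organization to the current request."""
    _ctx.company_id = company_id


def current_company() -> Optional[str]:
    # Called by the database engine from inside the view predicate.
    return getattr(_ctx, "company_id", None)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("current_company", 0, current_company)
    conn.executescript("""
        CREATE TABLE documents_raw (
            id         INTEGER PRIMARY KEY,
            company_id TEXT NOT NULL,
            title      TEXT NOT NULL
        );
        -- The 'policy': application code reads only through this view, which
        -- filters by the tenant bound to the session. With no tenant bound the
        -- comparison is NULL and nothing is visible.
        CREATE VIEW documents AS
            SELECT id, company_id, title FROM documents_raw
            WHERE company_id = current_company();
        INSERT INTO documents_raw (company_id, title) VALUES
            ('acme',   'ACME invoice 001'),
            ('acme',   'ACME purchase order 17'),
            ('globex', 'Globex master agreement');
    """)
    return conn


def list_documents(conn: sqlite3.Connection, company_id: str) -> List[str]:
    """Application-level check: every query is scoped to the caller's org."""
    rows = conn.execute(
        "SELECT title FROM documents WHERE company_id = ? ORDER BY id",
        (company_id,),
    ).fetchall()
    return [title for (title,) in rows]


def list_documents_unscoped(conn: sqlite3.Connection) -> List[str]:
    """A handler that forgot the tenant filter. The view still confines it."""
    rows = conn.execute("SELECT title FROM documents ORDER BY id").fetchall()
    return [title for (title,) in rows]


def get_document(conn: sqlite3.Connection, doc_id: int, company_id: str) -> Optional[str]:
    """Object lookup scoped by both id and org, so guessing another tenant's id fails."""
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ? AND company_id = ?",
        (doc_id, company_id),
    ).fetchone()
    return row[0] if row else None
```

Two caveats carry over to a real PostgreSQL deployment: policies are bypassed by superusers and, unless the table is marked FORCE ROW LEVEL SECURITY, by the table's owner, so the application must connect as a separate non-owner role; and with a connection pool the tenant setting must be applied with SET LOCAL inside each transaction so it cannot leak to the next request that reuses the connection. The view above only guards reads; a real policy also needs a WITH CHECK clause so that inserts and updates cannot be tagged with another tenant's company_id.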

6. Monitoring and Logging

We maintain comprehensive visibility into system activity.

Structured Logging

  • JSON Format: All logs are output in structured JSON format for consistent parsing
  • Correlation IDs: Requests are tracked with unique identifiers across all components
  • Comprehensive Coverage: Security-relevant events are logged, including authentication, authorization decisions, and data access
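Structured logging with correlation IDs, as an added example that is not Kynthar's code: a JSON formatter, a context variable that carries one ID through every log line of a request, and propagation of an ID received from an upstream component only when it matches the expected format. Field names, the logger name and the sample requests are assumptions made for the example.

```python
"""Structured JSON logging with a per-request correlation ID that follows the
request across components.

Added example for the Structured Logging bullets; it is not Kynthar's code.
The field names, the logger name and the sample requests are assumptions.
"""
import contextvars
import io
import json
import logging
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

correlation_id = contextvars.ContextVar("correlation_id", default=None)
CORRELATION_ID_RE = re.compile(r"^[0-9a-f]{32}$")   # accepted format for an inbound ID


class JsonFormatter(logging.Formatter):
    """One JSON object per line; values are serialised, never interpolated."""

    def format(self, record: logging.LogRecord) -> str:
        entry = {
            "ts": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "event": record.getMessage(),
            "correlation_id": correlation_id.get(),
        }
        # Structured fields passed as logger.info(..., extra={"fields": {...}})
        entry.update(getattr(record, "fields", None) or {})
        if record.exc_info:
            entry["exc"] = self.formatException(record.exc_info)
        return json.dumps(entry, sort_keys=True, default=str)


def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("app.example")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def bind_correlation_id(inbound: Optional[str]) -> str:
    """Reuse a well-formed ID from an upstream component, else mint a new one.

    Anything not matching the expected format is discarded rather than logged,
    so a caller cannot inject arbitrary text into every log line of the request.
    """
    cid = inbound if inbound and CORRELATION_ID_RE.match(inbound) else uuid.uuid4().hex
    correlation_id.set(cid)
    return cid


def handle_request(logger: logging.Logger, user: str, company_id: str,
                   doc_id: int, authorized: bool,
                   inbound_id: Optional[str] = None) -> str:
    """Simulated request: logs authentication, authorization and data access."""
    token = correlation_id.set(None)   # fresh context for this request
    try:
        bind_correlation_id(inbound_id)
        fields: Dict[str, object] = {"user": user, "company_id": company_id}
        logger.info("auth.session_valid", extra={"fields": fields})
        if not authorized:
            logger.warning("authz.denied", extra={"fields": {**fields, "doc_id": doc_id}})
            return "denied"
        logger.info("data.document_read", extra={"fields": {**fields, "doc_id": doc_id}})
        return "ok"
    finally:
        correlation_id.reset(token)   # never let one request's ID bleed into the next


def parse_log(stream: io.StringIO) -> List[dict]:
    """Read the JSON lines back, as a log pipeline would."""
    return [json.loads(line) for line in stream.getvalue().splitlines() if line]
```

Validating the inbound ID matters because a correlation header is attacker-controlled: without the format check, a crafted value would be copied into every line of the request and could forge fields when the logs are parsed downstream. The fields logged are identifiers (user, company_id, doc_id), not document contents, passwords or session tokens.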

Audit Trails

  • User Actions: User activities are logged for audit
  • Administrative Changes: Configuration and permission changes are tracked
  • Retention: Audit logs are retained for compliance and investigation purposes

Alerting

  • Real-Time Monitoring: Systems are monitored 24/7 for anomalies and security events
  • Automated Alerts: Critical security events trigger immediate notifications
  • Incident Response: Established procedures for responding to security alerts

7. Incident Response

We maintain a comprehensive incident response program.

Response Plan

  • Documented Procedures: We have documented incident response procedures for various scenarios
  • Defined Roles: Clear responsibilities for detection, containment, eradication, and recovery
  • Regular Testing: Procedures are tested and updated regularly

Communication

  • Timely Notification: In the event of an incident affecting your data, we will notify you promptly
  • Transparency: We provide clear communication about the nature, scope, and remediation

Security Contact: Report security concerns to security@kynthar.com.

8. Compliance

We are committed to meeting industry standards and regulatory requirements.

SOC 2-Aligned Controls

  • Security Controls: We have implemented security controls aligned with SOC 2 requirements
  • Trust Principles: Our controls address Security, Availability, and Confidentiality
  • Continuous Improvement: We regularly review and enhance our controls to meet industry standards

GDPR Compliance

  • Data Subject Rights: We support rights to access, rectification, erasure, and portability
  • Data Processing Agreements: We offer DPAs for customers who require them
  • Privacy by Design: Privacy considerations are built into our development process

CCPA Compliance

  • California Consumer Rights: We comply with CCPA requirements
  • Do Not Sell: We do not sell personal information
  • Transparency: Clear disclosure of data collection and usage practices

9. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

Reporting Vulnerabilities

  • Contact: Report vulnerabilities to security@kynthar.com
  • Response Time: We aim to acknowledge reports within 48 hours
  • Coordination: We work with researchers to understand and remediate issues before public disclosure

Safe Harbor

  • Good Faith Research: We will not take legal action against researchers acting in good faith
  • Responsible Disclosure: We ask that vulnerabilities not be publicly disclosed until we have had reasonable time to address them

When Reporting: Please include steps to reproduce, potential impact, and any suggested remediation.

10. Continuous Improvement

Security is an ongoing process, not a one-time achievement.

Ongoing Practices

  • Security Assessments: We conduct security assessments as part of our development process
  • Dependency Scanning: Automated scanning for vulnerabilities in third-party dependencies
  • Security Training: Our team receives ongoing security awareness training
  • Industry Best Practices: We stay current with evolving security standards and threats

Security Questions or Concerns?

We welcome questions about our security practices and are happy to provide additional information.

Security: security@kynthar.com
Support: support@kynthar.com

© 2026 Kynthar, Inc. All rights reserved.