Security
Your data stays yours
Kynthar stores and analyzes your procurement data persistently. That analysis is the product. Here is exactly how we protect it, who can see it, and how you can delete it.
AI DATA HANDLING
Four commitments on how your data flows through AI
Kynthar uses frontier LLMs (Google Gemini, xAI Grok, and others) for classification, extraction, and analysis. Every provider processes your data only to serve our API requests, under enterprise API terms that prohibit training on customer data.
| # | Commitment | Detail |
|---|---|---|
| 1 | Your data is never used to train any AI model | Kynthar never trains models on your data, and our LLM providers' enterprise API terms prohibit using customer API data to train their models. |
| 2 | Providers process your data only to serve our requests | Prompts and responses are used solely to return results to Kynthar, under each provider's enterprise API terms. Any transient retention is governed by those terms and is never used for training. |
| 3 | No human review of your data at Kynthar | Document processing is fully automated. No Kynthar analyst reads your documents. |
| 4 | You can delete your data at any time | Full export and permanent deletion on request, with or without an active contract. |
TENANT ISOLATION
Multi-tenant isolation enforced at the database layer.
Kynthar is a multi-tenant system. Every customer's data lives in the same database. The isolation between tenants is not a feature of the application code. It is a constraint enforced by the database engine itself.
| # | Control | Detail |
|---|---|---|
| 1 | FORCE ROW LEVEL SECURITY on every multi-tenant table | Postgres RLS policies are enforced at the database engine level. There is no superuser path that bypasses RLS in the application. Every table that holds customer data carries a FORCE RLS directive. |
| 2 | Every query requires app.current_company_id before any SELECT returns rows | The database session variable must be set before any query executes. The default is NULL, which means a missing context returns zero rows, not all rows. Fail-closed by design. |
| 3 | Tenant separation enforced at the database layer, not trusted from the application | A bug in application code that forgets to scope a query cannot leak cross-tenant data. The database refuses to return rows without a valid tenant context, regardless of what the application sends. |
| 4 | Verified by a 13-table integration test suite and two dedicated migrations | The purge-tenant test suite exercises the full deletion flow against a real database across 13 tables. Migrations 0458 (tenant-purge cascade foreign-key coverage across every customer-data table) and 0459 (deferrable audit-log foreign keys so tenant purges complete cleanly) enforce and verify the deletion boundary. |
| 5 | No customer can name another customer. Tenant IDs are non-enumerable. | Tenant identifiers use ULID format. There is no sequential numbering, no enumerable namespace, and no API that lists tenant IDs. Cross-tenant reconnaissance is structurally impossible. |
STORAGE POSTURE
Procurement intelligence requires a memory. Here is how we protect it.
Kynthar stores your documents, emails, and extracted data so it can cross-reference, detect anomalies, and compound insight over time. Persistent storage is the product. These are the controls that make it safe.
- AWS RDS Postgres (us-east-2), AES-256 encrypted at rest
- Database storage is encrypted at rest with AES-256, keyed and rotated by AWS KMS. Point-in-time restore is enabled.
- Document storage in AWS S3 (us-east-2), AES-256 encrypted
- Original and processed documents are encrypted at rest with AES-256 server-side encryption (SSE-S3). No customer document is stored unencrypted.
- TLS 1.2+ enforced on every endpoint
- HTTPS required at the edge. HTTP traffic is refused at the load balancer. No TLS downgrade.
- Multi-tenant architecture, data never pooled across customers
- Each company's data is isolated by Postgres RLS policies. No shared tables, no cross-tenant joins, no aggregate queries that touch another customer's rows.
- Every insight derived from your own documents, never cross-tenant
- Anomaly baselines, vendor scores, and spend patterns are computed from your data only. No benchmarking against other customers' data.
DELETION ON DEMAND
Full export and permanent deletion, any time
No lock-in. No retention traps. If you leave, your data leaves with you and then disappears from our systems entirely.
- Request full export and permanent deletion at any time
- With or without an active contract. No lock-in, no retention periods, no exceptions.
- Deletion completes within 30 days of request
- Confirmed in writing once all data has been permanently removed from active systems.
- Encrypted backups age out on a fixed schedule
- Database backups expire within the 7-day point-in-time restore window; stored document versions expire within 90 days. Backups containing deleted tenant data are not restorable once they age out.
- Automated tenant-purge tooling with deletion confirmation
- Every purge produces a row-count confirmation recording what was deleted, when, and by whom. The tooling is continuously tested via a 13-table rich-shape integration suite. Confirmation available to the departing customer on request.
SUB-PROCESSORS
A short, audited sub-processor list.
Your procurement document data touches AWS for storage and compute; Google, xAI, OpenAI, and Anthropic for AI processing; and DeepInfra for text recognition on scanned documents. Each AI provider processes data only to serve our requests, under enterprise API terms that prohibit training on customer data. Stripe handles billing data only, Google SMTP and AWS SES handle email relay. No other third parties handle customer data.
| Provider | Role | Data Handled | Region | Compliance |
|---|---|---|---|---|
| AWS | Infrastructure (compute, storage, networking) | All customer data at rest and in transit | us-east-2 (Ohio) | SOC 2, ISO 27001 |
| LLM provider (Gemini, primary for document and email processing) | Document and email text sent for processing | US | SOC 2, ISO 27001 (Google Cloud) | |
| xAI | LLM provider (Grok, contract extraction and fallback) | Document text sent for processing | US | Enterprise API terms, no training |
| OpenAI | LLM provider (embeddings and fallback) | Document text sent for processing | US | SOC 2 Type II |
| Anthropic | LLM provider (Claude, select analysis tasks) | Document text sent for processing | US | SOC 2 Type II |
| DeepInfra | Text recognition for scanned documents | Document page images sent for text recognition | US | Annual vendor review |
| Stripe | Payments processor | Billing data only; no procurement documents | US | PCI DSS Level 1, SOC 1/2 |
| Google (SMTP) | Outbound email relay | Notification emails only; no procurement documents | US | SOC 2, ISO 27001 |
| AWS SES | Inbound email receipt | Forwarded procurement emails (text + attachments) | us-east-2 (Ohio) | Inherits AWS SOC 2, ISO 27001 |
SECURITY PRACTICES
How we protect your data, day to day.
Security is not a feature we shipped once. It is a set of practices enforced on every commit, every deploy, every hire, and every vendor relationship.
- Continuous testing: 80+ deploy gates fire on every deploy
- Every production change passes 80+ automated gate scripts before it can ship. Schema validation, envelope drift, RLS policy checks, dependency audits, and deployment safety scans run on every single deploy.
- Penetration testing
- Annual third-party penetration testing is on our 2026 roadmap. Current security testing is continuous via the deploy-gate suite, plus internal red-team exercises before each enterprise contract.
- Vulnerability scanning
- A dependency audit gate runs on every deploy and surfaces high and critical advisories in production dependencies for triage. Application images are rebuilt from source on every deploy. Critical advisories are patched within 24 hours, high within 7 days, per our documented SLA.
- Multi-factor authentication
- Required for all employee access to production systems and customer data. AWS root-account MFA and least-privilege IAM scope-down are being finalized as part of our SOC 2 control rollout.
- Single sign-on
- Available on Platform contracts via SAML 2.0 or OIDC. Contact security@kynthar.com to scope.
- Incident response
- Documented runbook with a 72-hour customer-notification SLA for any incident affecting customer data. Prometheus, Alertmanager, and automated paging ensure incidents are detected within minutes.
- Employee training
- Security and data-handling training on hire and annually. All employees with production access complete training before receiving credentials.
- Background checks
- Standard background checks for all employees with production access.
- Vendor risk management
- Sub-processors reviewed for SOC 2 or equivalent posture before onboarding. Current sub-processor list visible in the table above.
COMPLIANCE POSTURE
Honestly labeled. Live controls first, audits second.
SOC 2 Type I controls are implemented and enforced; the audit is on the 2026 roadmap. Not yet SOC 2 audited. ISO 27001 is also on the roadmap. What is live today: the full control set below, enforced on every deploy.
- SOC 2 Type I (audit on the 2026 roadmap)
- ISO 27001 (on roadmap)
- GDPR DPA available on request
- AWS SOC 2 / ISO 27001 at infra layer
- No training on customer data by any LLM provider
- AES-256 encryption at rest
- TLS 1.2+ in transit
- Row-level tenant isolation (RLS)
- Daily encrypted backups with 7-day point-in-time restore
- 72-hour incident notification SLA
RESPONSIBLE DISCLOSURE
Found a vulnerability? Tell us.
We welcome reports from security researchers. Send a brief description and reproduction steps to security@kynthar.com.
- Safe harbor
- We will not pursue legal action against researchers who follow responsible-disclosure practices: report privately, allow reasonable time to remediate (default 90 days), avoid privacy violations or service degradation.
- Acknowledgment
- Researchers who report a valid vulnerability are credited on this page (with consent) and acknowledged in our security advisories.
- Machine-readable policy
- Our security.txt file is published at /.well-known/security.txt per RFC 9116.
SECURITY ADVISORIES
Transparency when it matters most.
We post timestamped statements on this page when significant security events occur in our supply chain: LLM provider incidents, infrastructure provider incidents, dependency CVEs affecting Kynthar. Past statements remain visible to preserve the audit trail.
No security advisories have been issued to date.
THIRD-PARTY SECURITY GRADES
Independent, verifiable scores.
These grades are issued by third-party scanning services. Click the links to verify against the live reports.
| Scanner | Provider | Grade | What It Tests | Verify |
|---|---|---|---|---|
| SSL Labs | Qualys SSL Labs | A | TLS configuration, certificate chain, protocol support | ssllabs.com/ssltest/analyze.html?d=kynthar.com |
| Security Headers | securityheaders.com | A | HSTS (preload), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy are all enforced at the edge. | securityheaders.com/?q=kynthar.com |
Security questionnaires, SIG-Lite responses, and responsible disclosure reports welcome. We respond within one business day.