Security Practices

Last updated: January 13, 2026

At Kynthar, security is not an afterthought - it's foundational to everything we build. This page outlines the security measures we implement to protect your data and ensure the integrity of our document intelligence platform.

Our Commitment: We employ enterprise-grade security practices to protect your sensitive business documents. Your data security is our top priority.

1. Infrastructure Security

Our infrastructure is built on industry-leading cloud platforms with multiple layers of protection:

1.1 Cloud Infrastructure

• Amazon Web Services (AWS): We host our infrastructure on AWS, leveraging their SOC 2 Type II, ISO 27001, and PCI DSS certified data centers
• Private VPC: All services run within a private Virtual Private Cloud with no direct public internet access to backend systems
• Network Segmentation: Strict network boundaries separate public-facing services from internal databases and processing systems

1.2 Container Isolation

• Docker Containerization: Each service runs in isolated Docker containers, preventing cross-contamination between workloads
• Minimal Attack Surface: Containers use minimal base images with only required dependencies
• Regular Updates: Container images are rebuilt regularly with the latest security patches

1.3 Infrastructure as Code

• Reproducible Deployments: All infrastructure is defined as code, ensuring consistent and auditable configurations
• Version Control: Infrastructure changes are tracked, reviewed, and can be rolled back if needed

2. Data Encryption

We employ strong encryption at every stage of data handling:

2.1 Encryption in Transit

• TLS 1.2+: All data transmitted between your browser and our servers is protected with TLS 1.2 or higher
• HTTPS Only: We enforce HTTPS on all endpoints with HSTS headers preventing downgrade attacks
• Certificate Management: TLS certificates are automatically rotated and managed through trusted certificate authorities

2.2 Encryption at Rest

• AES-256 Encryption: All stored data, including documents and database contents, is encrypted using AES-256 encryption
• AWS Key Management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation
• Encrypted Backups: All database backups are encrypted before being stored in secure backup locations

3. Access Controls

We implement strict access controls following security best practices:

3.1 Principle of Least Privilege

• Minimal Permissions: Every service, user, and system component has only the minimum permissions required to perform its function
• Regular Access Reviews: Access permissions are reviewed regularly and revoked when no longer needed
• Just-in-Time Access: Administrative access to production systems requires explicit approval and is time-limited

3.2 Role-Based Access Control (RBAC)

• Defined Roles: User permissions are organized into clearly defined roles (Admin, User, Viewer)
• Granular Permissions: Permissions can be customized based on specific organizational needs
• Audit Trail: All permission changes are logged and auditable

3.3 Row-Level Security (RLS)

• Database-Level Enforcement: Row-Level Security policies are enforced at the database level, ensuring users can only access data belonging to their organization
• Defense in Depth: Even if application-level controls were bypassed, database policies prevent unauthorized access

4. Authentication

We implement secure authentication mechanisms to protect user accounts:

4.1 Password Security

• bcrypt Hashing: Passwords are hashed using bcrypt with a high work factor, making brute-force attacks computationally infeasible
• No Plaintext Storage: Passwords are never stored in plaintext or reversible formats
• Password Requirements: We enforce minimum password complexity requirements

4.2 Session Security

• Secure Session Tokens: Session tokens are cryptographically random and sufficiently long to prevent guessing
• HTTP-Only Cookies: Session cookies are marked HTTP-only, preventing JavaScript access
• Secure Flag: Cookies are transmitted only over HTTPS connections
• Session Expiration: Sessions expire after periods of inactivity

4.3 Account Protection

• Rate Limiting: Login attempts are rate-limited to prevent brute-force attacks
• Account Lockout: Accounts are temporarily locked after multiple failed login attempts
• Suspicious Activity Alerts: Users are notified of login attempts from new devices or locations

5. Multi-Tenant Isolation

Our platform serves multiple customers while maintaining strict data isolation:

5.1 Tenant Separation

• Company ID Enforcement: Every data record includes a company identifier, and all queries are scoped to the authenticated user's organization
• Application-Level Checks: Business logic validates tenant context on every operation
• Database-Level Enforcement: Row-Level Security policies provide an additional layer of tenant isolation

5.2 Resource Isolation

• Isolated Processing: Document processing jobs are isolated per tenant
• Separate Storage Paths: Uploaded documents are stored in tenant-specific paths
• No Cross-Tenant Access: Under no circumstances can one customer access another customer's data

6. Monitoring and Logging

We maintain comprehensive visibility into system activity:

6.1 Structured Logging

• JSON Format: All logs are output in structured JSON format for consistent parsing and analysis
• Correlation IDs: Requests are tracked with unique identifiers across all system components
• Comprehensive Coverage: We log security-relevant events including authentication, authorization, and data access

6.2 Audit Trails

• User Actions: User activities are logged for audit purposes
• Administrative Changes: Configuration and permission changes are tracked
• Retention: Audit logs are retained for compliance and investigation purposes

6.3 Alerting

• Real-Time Monitoring: Systems are monitored 24/7 for anomalies and security events
• Automated Alerts: Critical security events trigger immediate notifications to our security team
• Incident Response: Established procedures for responding to security alerts

7. Incident Response

We maintain a comprehensive incident response program:

7.1 Response Plan

• Documented Procedures: We have documented incident response procedures for various security scenarios
• Defined Roles: Clear responsibilities for incident detection, containment, eradication, and recovery
• Regular Testing: Incident response procedures are tested and updated regularly

7.2 Communication

• Timely Notification: In the event of a security incident affecting your data, we will notify you promptly in accordance with applicable laws and regulations
• Transparency: We provide clear communication about the nature, scope, and remediation of incidents

Security Contact: Report security concerns or incidents to security@kynthar.com. We take all security reports seriously and will respond promptly.

8. Compliance

We are committed to meeting industry standards and regulatory requirements:

8.1 SOC 2-Aligned Controls

• Security Controls: We have implemented security controls aligned with SOC 2 requirements
• Trust Principles: Our controls address Security, Availability, and Confidentiality trust service principles
• Continuous Improvement: We regularly review and enhance our controls to meet industry standards

8.2 GDPR Compliance

• Data Subject Rights: We support rights to access, rectification, erasure, and portability of personal data
• Data Processing Agreements: We offer DPAs for customers who require them
• Privacy by Design: Privacy considerations are built into our development process

8.3 CCPA Compliance

• California Consumer Rights: We comply with the California Consumer Privacy Act requirements
• Do Not Sell: We do not sell personal information
• Transparency: Clear disclosure of data collection and usage practices

9. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities:

9.1 Reporting Vulnerabilities

• Contact: Report vulnerabilities to security@kynthar.com
• Response Time: We aim to acknowledge reports within 48 hours
• Coordination: We work with researchers to understand and remediate issues before public disclosure

9.2 Safe Harbor

• Good Faith Research: We will not take legal action against security researchers acting in good faith
• Responsible Disclosure: We ask that vulnerabilities not be publicly disclosed until we have had reasonable time to address them

When Reporting: Please include as much detail as possible - steps to reproduce, potential impact, and any suggested remediation. The more information you provide, the faster we can address the issue.

10. Continuous Improvement

Security is an ongoing process, not a one-time achievement:

• Security Assessments: We conduct security assessments as part of our development process
• Dependency Scanning: Automated scanning for vulnerabilities in third-party dependencies
• Security Training: Our team receives ongoing security awareness training
• Industry Best Practices: We stay current with evolving security standards and threats

11. Contact Us

Security Questions or Concerns?

Security: security@kynthar.com
General Support: support@kynthar.com

We welcome questions about our security practices and are happy to provide additional information to prospective and current customers.