We hold ourselves to the global standard of AI and data governance.
Security, compliance and responsible AI practices for Kynexa.
Security designed in.
Your data stays at source.
Kynexa reads and indexes; it does not relocate or retain copies of your source data.
Single-tenant enterprise deployment.
Your environment is isolated, with no shared data plane.
Encryption everywhere.
Data is encrypted in transit and at rest.
Credentials secured.
Connector and provider credentials are handled through a secrets vault, never hardcoded or logged.
Least-privilege access.
Role-, attribute- and purpose-based access control, down to data asset and element level.
Immutable audit.
Every policy evaluation and access event is logged to an append-only trail.
What we store.
Source documents stay in their systems of record. Kynexa stores only governance metadata in your single-tenant environment: element-level sensitivity and labels, vector embeddings, content hashes, policy definitions and the audit log.
Continuously monitored, honestly labeled.
Kynexa is built and operated in compliance with the controls of SOC 2, ISO/IEC 27001:2022, HIPAA, GDPR, NIS2, PCI DSS, DORA, HITRUST and NIST 800-53: independently and continuously monitored using best-in-class independent third-party security tools.
| Framework | Status | Evidence source |
|---|---|---|
| SOC 2 | Compliant | Continuous monitoring |
| ISO/IEC 27001 | Monitored | Continuous monitoring |
| ISO/IEC 27001:2022 | Compliant | Continuous monitoring |
| HIPAA | Compliant | Continuous monitoring |
| GDPR | Compliant | Continuous monitoring |
| NIS2 | Compliant | Continuous monitoring |
| PCI DSS | Compliant | Continuous monitoring |
| DORA | Compliant | Continuous monitoring |
| HITRUST (Level 3) | Compliant | Continuous monitoring |
| NIST 800-53 | Compliant | Continuous monitoring |
| OWASP Top 10 | Monitored | Continuous monitoring |
| CIS Controls | Monitored | Continuous monitoring |
| UK Cyber Essentials | Monitored | Continuous monitoring |
| ENS | Monitored | Continuous monitoring |
| ISO/IEC 42001 | Compliant | Continuous monitoring |
What this means. These frameworks define the security and privacy controls Kynexa is built and operated against, evidenced by continuous monitoring rather than a point-in-time snapshot. We publish our summary posture here and share the full security compliance report under NDA via the security package.
On certification. We continuously monitor our control posture with independent security platforms. We pursue accredited certification (SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 42001 for AI management) as we scale.
DPA, SLA, testing and residency.
Data Processing Agreement (DPA)
A DPA is available for enterprise customers, covering processing terms, sub-processors and international-transfer safeguards. Request it with the security package.
Availability & SLA
Production deployments are offered with a contractual uptime SLA, defined in the master agreement. Single-tenant deployment isolates your availability from other customers.
Penetration testing
Independent penetration tests are conducted on at least an annual cadence and after material changes; a summary is shared under NDA.
Data residency
Single-tenant deployment keeps data at source and supports regional residency requirements.
How we govern our own AI.
We govern our own use of AI the way we ask customers to govern theirs: human oversight on consequential decisions, lineage and auditability, evaluation of AI behavior and data minimization by default.
We maintain a current list of sub-processors and the services they provide and give advance notice of material changes. The itemized current list is below; the full register is available with the security package.
| Sub-processor | Purpose | Location |
|---|---|---|
| Aikido Security | Independent, continuous security & compliance monitoring | EU |
| Cloud infrastructure (deployment region) | Hosting and compute for the single-tenant deployment | Customer-selected region |
| Model & embedding providers (configurable) | LLM inference and embeddings, per your selection (Anthropic, Amazon Bedrock, Google Vertex AI, Cohere, OpenAI-compatible) | Provider region |
| Transactional email | Delivery of demo and contact form notifications | EU / US |
Request our security package.
Security and compliance teams can request our SOC 2 progress documentation, security architecture overview and a completed security questionnaire.
Compliance summary
On requestContinuous control-monitoring coverage across the frameworks below.
Security architecture overview
On requestHow Kynexa deploys single-tenant and keeps data at source.
Security questionnaire
On requestA completed questionnaire for your vendor review.
DPA & sub-processor list
On requestData-processing terms and current sub-processors, on request.
Put your security team in the driver's seat.
Request our security package: security compliance summary, security questionnaire and an architecture overview.