Skip to content
Home/Trust Center
Trust Center

We hold ourselves to the global standard of AI and data governance.

Security, compliance and responsible AI practices for Kynexa.

Security architecture

Security designed in.

Your data stays at source.

Kynexa reads and indexes; it does not relocate or retain copies of your source data.

Single-tenant enterprise deployment.

Your environment is isolated, with no shared data plane.

Encryption everywhere.

Data is encrypted in transit and at rest.

Credentials secured.

Connector and provider credentials are handled through a secrets vault, never hardcoded or logged.

Least-privilege access.

Role-, attribute- and purpose-based access control, down to data asset and element level.

Immutable audit.

Every policy evaluation and access event is logged to an append-only trail.

What we store.

Source documents stay in their systems of record. Kynexa stores only governance metadata in your single-tenant environment: element-level sensitivity and labels, vector embeddings, content hashes, policy definitions and the audit log.

Security & compliance posture

Continuously monitored, honestly labeled.

Kynexa is built and operated in compliance with the controls of SOC 2, ISO/IEC 27001:2022, HIPAA, GDPR, NIS2, PCI DSS, DORA, HITRUST and NIST 800-53: independently and continuously monitored using best-in-class independent third-party security tools.

FrameworkStatusEvidence source
SOC 2CompliantContinuous monitoring
ISO/IEC 27001MonitoredContinuous monitoring
ISO/IEC 27001:2022CompliantContinuous monitoring
HIPAACompliantContinuous monitoring
GDPRCompliantContinuous monitoring
NIS2CompliantContinuous monitoring
PCI DSSCompliantContinuous monitoring
DORACompliantContinuous monitoring
HITRUST (Level 3)CompliantContinuous monitoring
NIST 800-53CompliantContinuous monitoring
OWASP Top 10MonitoredContinuous monitoring
CIS ControlsMonitoredContinuous monitoring
UK Cyber EssentialsMonitoredContinuous monitoring
ENSMonitoredContinuous monitoring
ISO/IEC 42001CompliantContinuous monitoring

What this means. These frameworks define the security and privacy controls Kynexa is built and operated against, evidenced by continuous monitoring rather than a point-in-time snapshot. We publish our summary posture here and share the full security compliance report under NDA via the security package.

On certification. We continuously monitor our control posture with independent security platforms. We pursue accredited certification (SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 42001 for AI management) as we scale.

Commitments

DPA, SLA, testing and residency.

Data Processing Agreement (DPA)

A DPA is available for enterprise customers, covering processing terms, sub-processors and international-transfer safeguards. Request it with the security package.

Availability & SLA

Production deployments are offered with a contractual uptime SLA, defined in the master agreement. Single-tenant deployment isolates your availability from other customers.

Penetration testing

Independent penetration tests are conducted on at least an annual cadence and after material changes; a summary is shared under NDA.

Data residency

Single-tenant deployment keeps data at source and supports regional residency requirements.

Responsible AI

How we govern our own AI.

We govern our own use of AI the way we ask customers to govern theirs: human oversight on consequential decisions, lineage and auditability, evaluation of AI behavior and data minimization by default.

Compliance explainers
Sub-processors

We maintain a current list of sub-processors and the services they provide and give advance notice of material changes. The itemized current list is below; the full register is available with the security package.

Sub-processorPurposeLocation
Aikido SecurityIndependent, continuous security & compliance monitoringEU
Cloud infrastructure (deployment region)Hosting and compute for the single-tenant deploymentCustomer-selected region
Model & embedding providers (configurable)LLM inference and embeddings, per your selection (Anthropic, Amazon Bedrock, Google Vertex AI, Cohere, OpenAI-compatible)Provider region
Transactional emailDelivery of demo and contact form notificationsEU / US
Security package

Request our security package.

Security and compliance teams can request our SOC 2 progress documentation, security architecture overview and a completed security questionnaire.

Compliance summary

On request

Continuous control-monitoring coverage across the frameworks below.

Security architecture overview

On request

How Kynexa deploys single-tenant and keeps data at source.

Security questionnaire

On request

A completed questionnaire for your vendor review.

DPA & sub-processor list

On request

Data-processing terms and current sub-processors, on request.

Your details are used only to respond to your request. Corporate email required; protected by bot detection. See our Privacy Policy.

Get started

Put your security team in the driver's seat.

Request our security package: security compliance summary, security questionnaire and an architecture overview.