Kyndrify
Trust and security

How we protect your data.

Kyndrify handles your face and voice. We take that responsibility with the same care a hospital takes with health records. This page documents how: encryption, access controls, retention, audits, and our explicit stance on AI model training.

TLS 1.3 in transitAES-256 at restC2PA Content CredentialsInvisible forensic watermarkGDPR + CCPA + AI ActNo AI training on your data

Platform controls

  • Architecture. Kyndrify runs on enterprise-grade cloud infrastructure, with production environments fully isolated from development. Media is delivered through short-lived signed links, never public buckets.
  • Cloud infrastructure. All services run in the United States. Data residency options for the EU and UK are on our roadmap for v1.5.
  • Audits. Annual penetration testing planned post-launch. SOC 2 Type I targeted within 12 months. Public bug bounty in v1.5.
  • Subprocessors. Available on request and listed in the Data Processing Agreement. Subprocessor changes are announced 30 days in advance to all enterprise customers.

Access and authentication

  • Passwords. 12-character minimum, all character classes required, hashed with bcrypt. No plaintext storage anywhere.
  • Sessions. JWT-backed sessions with HttpOnly + Secure + SameSite cookie flags. Active session monitoring + revocation in v1.5.
  • Multi-factor authentication. MFA + Google OAuth + account lockout shipping in v1.5. Enterprise tier adds SAML/SSO and SCIM provisioning.
  • Workspace isolation. Every API route validates workspace membership before returning data. Logical tenant separation prevents cross-customer access by design.

Encryption

  • In transit. TLS 1.3 (with TLS 1.2 fallback) on every endpoint. HTTPS-only. HTTP traffic is redirected at the CDN edge.
  • At rest. AES-256 for all data: database, object storage, and secret store.
  • Secrets. Every credential, API key, and webhook secret lives in our managed secret store with versioned access control. No secrets in code or environment files.

Monitoring and incident response

  • Error tracking. Our observability stack captures errors and performance regressions with a low sampling rate that respects user privacy (no PII or PHI logged).
  • Audit logs. Workspace-level audit log captures membership changes, role changes, and credit cap adjustments. Render and voice-clone audit trails available to operators for legal traceability.
  • Uptime. Status page at status.kyndrify.com (coming pre-launch). 99.5% target SLA, measured on the customer-facing rendering pipeline.
  • Incident response. Documented runbooks for stuck renders, payment failures, and provider outages. Customer notifications within 60 minutes of confirmed incidents.

Data retention and deletion

  • Twin photos. Retained for the lifetime of the workspace + 30 days after deletion, then purged from storage + database.
  • Voice clones. Reference audio + voice models retained for the lifetime of the workspace + 30 days after deletion.
  • Rendered outputs. Retained for the lifetime of the workspace + 30 days after deletion, or until you delete them. The prompt text behind each render is automatically pruned after 90 days.
  • Account deletion. Self-serve account deletion (GDPR “right to be forgotten”) completes within 30 days. All stored files + database rows are removed.
  • Backups. Daily encrypted database snapshots with 30-day retention. Backup restore testing every 90 days.

AI model training

  • We do not train on your content. Your photos, voice clips, scripts, and rendered videos are not used to train any AI model, ours or our providers'.
  • Provider data handling. Our video and voice providers operate under commercial data-handling agreements that prohibit training on customer data. Subprocessors are listed in the Data Processing Agreement available to enterprise customers under NDA.
  • Content provenance. Every rendered video carries C2PA Content Credentials embedded in metadata + an invisible forensic watermark, so the origin and AI nature of the output is always traceable.

Compliance posture

  • GDPR-ready. Data subject rights honored: access, deletion, portability, correction. Data Processing Agreement available for European customers.
  • CCPA-compliant. California residents have right to know, delete, and opt out of data sale. We do not sell data.
  • EU AI Act compliance (Article 50). Every AI-generated video carries the required transparency disclosures + provenance metadata, enforced before the August 2026 deadline.
  • HIPAA / PHI workloads. Kyndrify is not currently HIPAA-eligible. The third-party AI services that power our voice and video features do not offer Business Associate Agreements. Do not upload PHI or use Kyndrify to process patient data.

Personnel practices

  • Background checks. All staff with production access undergo standard background screening before onboarding.
  • Security training. Annual security awareness training for every staff member. Phishing simulations every six months.
  • Access reviews. Production access reviewed quarterly. Contractor access revoked within 24 hours of offboarding.
Found something?

Vulnerability disclosure.

If you believe you've found a security issue, please email [email protected]. We commit to acknowledging within 48 hours and to working with you in good faith on coordinated disclosure. Public bug bounty program coming in v1.5.

Questions about security?

We're happy to walk through architecture, sign DPAs, or answer security questions for enterprise procurement.

Contact securityStart a workspace
Sign inBuild your twin

We use cookies for analytics to help improve Kyndrify. You can accept or decline. See our Privacy Policy.