Trust
Built on trust, verified by design
We help you build and evidence your compliance. The same principle applies to how we build and operate our platform.
Security by design
Security isn't bolted on—it's foundational. Our platform is built with security controls embedded from architecture to deployment.
- End-to-end encryption for data in transit and at rest
- Role-based access control with audit logging
- Regular security assessments and penetration testing
- Secure development lifecycle practices
Privacy-first
Your compliance data is yours. We process what's necessary and nothing more.
- Data minimization by default
- Clear data retention policies
- No selling or sharing of customer data
- GDPR-compliant data handling
Auditability & traceability
Every action, every change, every decision—documented and traceable. Because compliance requires evidence.
- Complete audit trails for all platform activities
- Version control for documents and configurations
- Timestamp and user attribution for all changes
- Export capabilities for external audits
Responsible AI
Lyra, our AI copilot, is built with guardrails. Human judgment remains central to every compliance decision.
Human in the loop
Every AI suggestion requires human review and approval. You stay in control of all compliance decisions.
Transparent reasoning
Understand why Lyra makes suggestions. Full visibility into AI-generated recommendations.
Data boundaries
Clear governance on what AI can access. Your sensitive data stays under your control.
Our compliance journey
We're on the same path as our customers. Kynosure.ai is pursuing certification against the frameworks we support.
Public sub-processors
The data you entrust us with is never sold. It is processed exclusively through the sub-processors listed below, under EU Standard Contractual Clauses where applicable. We notify you at least 30 days before any material change to this list.
| Sub-processor | Purpose | Data location | Transfer |
|---|---|---|---|
| Google Cloud SQL | Primary database (compliance data) | europe-west3 (EU) | Same EU region |
| Google Cloud Run | Application hosting | europe-west3 (EU) | Same EU region |
| Google Cloud Storage | File storage (PDF exports, evidence) | europe-west3 (EU) | Same EU region |
| Google Vertex AI | Remediation roadmap generation (Claude Sonnet) | europe-west3 (EU) | Same EU region |
| Google Firebase Auth | User authentication | US (Google Cloud) | EU SCCs Art. 46 + Google DPA |
| Resend | Transactional email (no marketing) | US | EU SCCs Art. 46 + Resend DPA |
| LemonSqueezy | Payments (Merchant of Record, EU VAT) | US | EU SCCs + Customer Master Agreement |
All sensitive compliance data (responses, scores, evidence, generated PDFs) stays in europe-west3. US sub-processors only touch authentication metadata, email, and payments.
Responsible vulnerability disclosure
We support security research and invite you to report vulnerabilities responsibly. We acknowledge within 5 business days and commit to a 90-day window for fix or coordinated disclosure.
In scope
- kynosure.ai domain and all sub-paths
- APIs at /api/* (assessment, auth, payments, contact, NORMA subscribe/confirm)
- Cloud Run service kynosure-web and associated Cloud Functions (scoreAssessment, generateRoadmap)
Out of scope
- Spam, volumetric DoS/DDoS, and resource exhaustion
- Social engineering of staff or customers
- Physical attacks on infrastructure
- Vulnerabilities in already-disclosed upstream dependencies (please report upstream)
Safe harbor
For good-faith testing conducted on test accounts you create yourself, without exfiltrating other users' data and without disrupting the production service, we commit to taking no legal action. Testing against real user data or production availability invalidates the safe harbor.
Contact
security@kynosure.ai — Encrypted email preferred. Contact us to request the PGP key. For non-vulnerability questions use the contact form.
Questions about our security?
We're happy to discuss our security practices, share documentation, or address specific concerns.