YourKendra handles your customer calls, data, and workflows. Security isn't a sales slide — it's the foundation. Here's exactly how we protect your data today, and where we're going next.
All data encrypted in transit with TLS 1.3, at rest with AES-256. No plaintext credentials stored — every secret lives in managed secret stores.
Per-tenant row-level security in Postgres. Every query carries a customer_id filter; the database itself rejects cross-tenant reads.
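As an added example (not YourKendra's actual schema or policy definitions), the following Postgres DDL shows what "the database itself rejects cross-tenant reads" looks like in practice: a table with a `customer_id` column, row-level security forced on, and a policy that binds every read and write to the tenant set for the current transaction. The table name `calls`, the role `app_rw`, and the session setting `app.customer_id` are assumptions chosen for illustration.

```sql
-- Added example, not YourKendra's code. Demonstrates per-tenant row-level
-- security (RLS) in Postgres so that a query that forgets its customer_id
-- filter still cannot see or write another tenant's rows.

CREATE TABLE calls (
  id           bigserial PRIMARY KEY,
  customer_id  uuid        NOT NULL,
  started_at   timestamptz NOT NULL DEFAULT now(),
  outcome      text
);

-- Turn RLS on and FORCE it so the table owner is bound by the policy too.
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE  ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting (hypothetical name
-- 'app.customer_id'), never from the row itself or from client-supplied SQL.
-- current_setting(..., true) returns NULL when unset; NULL = x is NULL, so an
-- unset tenant hides every row rather than exposing all of them (fail closed).
CREATE POLICY tenant_isolation ON calls
  USING      (customer_id = current_setting('app.customer_id', true)::uuid)
  WITH CHECK (customer_id = current_setting('app.customer_id', true)::uuid);

-- The application role must not be a superuser and must not have BYPASSRLS,
-- otherwise policies are silently skipped.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON calls TO app_rw;
GRANT USAGE ON SEQUENCE calls_id_seq TO app_rw;

-- Per request: SET LOCAL scopes the tenant to this transaction only, so a
-- pooled connection cannot leak the previous request's tenant.
BEGIN;
SET ROLE app_rw;
SET LOCAL app.customer_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO calls (customer_id, outcome)
  VALUES ('11111111-1111-1111-1111-111111111111', 'booked');   -- allowed
SELECT count(*) FROM calls;   -- no WHERE clause, yet only tenant 1111... rows
COMMIT;

-- Cross-tenant write: rejected by WITH CHECK with
-- "new row violates row-level security policy for table "calls"".
BEGIN;
SET ROLE app_rw;
SET LOCAL app.customer_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO calls (customer_id, outcome)
  VALUES ('22222222-2222-2222-2222-222222222222', 'booked');   -- error
ROLLBACK;
```

Two checks worth running against any RLS setup like this: confirm `SELECT rolbypassrls, rolsuper FROM pg_roles WHERE rolname = 'app_rw'` shows both false, and confirm `FORCE ROW LEVEL SECURITY` is set, since the default `ENABLE` alone exempts the table owner. On Supabase-hosted Postgres the policy predicate is commonly written against `auth.uid()` or JWT claims instead of a session setting; the page does not say which mechanism YourKendra uses, so the GUC-based predicate above is only one way to express the same guarantee.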
Magic-link sign-in via Supabase Auth (no passwords to steal). All admin endpoints require a bearer token. Ops-only endpoints are additionally gated by an allow-list.
Your business data is never used to train AI models — not by us, not by Anthropic (we use Anthropic's no-training API tier), not by any subprocessor. Your calls, emails, and data stay yours.
Every AI action — every call, email, booking, invoice — is logged with timestamp, outcome, and metadata. Full history browsable in your dashboard and exportable as CSV.
All billing handled by Stripe (PCI DSS Level 1). We never see or store card numbers. Failed-payment retries run in Stripe's infrastructure, not ours.
YourKendra relies on a small number of best-in-class vendors. Every one is SOC 2 Type II certified or equivalent.
| Vendor | Purpose | Compliance |
|---|---|---|
| Supabase | Database, auth, storage | SOC 2 Type II · HIPAA-ready (BAA available) |
| Netlify | Web hosting, serverless functions | SOC 2 Type II |
| Anthropic | LLM for every AI employee | SOC 2 Type II · ISO 27001 · HIPAA (BAA) |
| Retell AI | Real-time voice infrastructure | SOC 2 Type II · HIPAA-ready |
| ElevenLabs | Voice synthesis + cloning | SOC 2 Type II · ISO 27001 |
| Stripe | Billing, invoicing, payment links | SOC 1 + SOC 2 · PCI DSS Level 1 |
| Resend | Transactional email | SOC 2 Type II |
| Tavily | Web search (Aria trend scan, Marcus ICP) | SOC 2 Type II |
| Firecrawl | Web scraping for prospect/content enrichment | SOC 2 Type II |
| PostHog | Product analytics (internal only) | SOC 2 Type II |
We're building the compliance stack now, not after the first breach. Here's where we are and where we're going:
AES-256 encryption, per-tenant isolation, audit logging, no-training model usage, access controls, backup/recovery (Supabase daily backups + point-in-time recovery).
Vanta for continuous evidence collection. Policies documented. External auditor engaged. Type I report (snapshot) expected by end of Q2 2026 — will be available under NDA to enterprise buyers upon request.
BAAs signed with every subprocessor handling PHI. HIPAA-specific policies (breach notification, minimum necessary, audit controls). Unlocks medical, dental, chiropractic, physical therapy, and veterinary verticals — any practice handling Protected Health Information.
Full observation-period audit covering H2 2026. Type II report is the enterprise standard for due diligence — will be the default artifact shared with Fortune 500 procurement.
For international expansion. Data residency options for EU customers. ISO 27001 certification for European enterprise buyers.
Found something? We want to hear from you. Email hello@yourkendra.com with reproduction steps. We respond within 24 hours on business days. Responsible disclosure is appreciated and rewarded.
For procurement, vendor security questionnaires (VSAs), or BAA requests, email hello@yourkendra.com — we'll share the latest attestations and answer questionnaires within 5 business days.