Security & Compliance·Updated Feb 6, 2026
Security Overview
Learn how KendoAI protects your data with enterprise-grade security practices.
Our Commitment to Security
At KendoAI, security isn't an afterthought—it's foundational to how we build and operate our platform. We understand that sales conversations contain sensitive information about your customers, strategies, and business operations.
This document provides a comprehensive overview of our security practices for enterprise evaluation. While we're actively working toward SOC 2 Type II certification, we've implemented security controls that meet or exceed industry standards.
Infrastructure Security
Cloud Infrastructure - KendoAI's application is hosted on Vercel, and customer data is stored in Google Cloud (Firebase). Both are SOC 2 Type II certified providers with comprehensive security certifications.
Network Security - All traffic is served over HTTPS through Vercel's global edge network, which includes a managed Web Application Firewall (WAF) to protect against common attack vectors.
DDoS Protection - Vercel's edge network and firewall provide automatic DDoS mitigation for our infrastructure.
Geographic Redundancy - The application is served from Vercel's global edge, and data is replicated across multiple Google Cloud regions for high availability and disaster recovery.
Data Encryption
Encryption in Transit - All data transmitted to and from KendoAI uses TLS 1.3 encryption. We enforce HTTPS across all endpoints with HSTS enabled.
Encryption at Rest - All stored data, including call recordings, transcriptions, and user data, is encrypted at rest with AES-256 using our cloud providers' managed key management.
Database Encryption - Our data stores use encrypted storage with automatic key rotation.
Backup Encryption - All backups are encrypted with managed encryption keys.
Access Controls
Authentication - Authentication is handled by Firebase Authentication, supporting email/password, Google OAuth 2.0, and passwordless email-code sign-in (a 6-digit code sent to your email). Credentials are never stored by KendoAI directly. Multi-factor authentication (MFA) is available to all users — including authenticator apps (TOTP), email codes, passkeys, and backup codes — and can be enforced organization-wide.
Authorization - Role-based access control (RBAC) ensures users only access data they're permitted to see. Team admins can configure granular permissions.
Session Management - Sessions use secure, httpOnly cookies with appropriate expiration. Sessions can be revoked by users or administrators.
API Security - API access requires secure authentication tokens with configurable expiration and scope limitations.
Application Security
Secure Development - We follow OWASP guidelines and conduct regular security code reviews. All changes go through pull request review before deployment.
Dependency Management - We use automated tools to scan for vulnerabilities in third-party dependencies and apply patches promptly.
Input Validation - All user inputs are validated and sanitized to prevent injection attacks (SQL, XSS, CSRF).
Rate Limiting - API endpoints implement rate limiting to prevent abuse and brute-force attacks.
Data Handling & Privacy
Data Minimization - We only collect and retain data necessary for providing our services.
Data Isolation - Customer data is logically isolated. Each organization's data is segregated and inaccessible to other customers.
Data Retention - Customers control their data retention policies. Data can be exported or deleted upon request.
GDPR Compliance - We comply with GDPR requirements including data subject rights, lawful basis for processing, and data processing agreements.
CCPA Compliance - California residents have full rights under CCPA to access, delete, and opt-out of data sale (we do not sell data).
AI & Third-Party Security
AI Provider Security - We use OpenAI and Anthropic for AI processing. Both providers are SOC 2 Type II certified and do not use customer data for training.
Data Processing Agreements - We maintain DPAs with all subprocessors that handle customer data.
No Training on Your Data - Your call recordings and transcriptions are never used to train AI models. Your data remains your data.
Vendor Assessment - All third-party vendors undergo security assessment before integration.
Monitoring & Incident Response
24/7 Monitoring - Our infrastructure is continuously monitored for security events, performance issues, and anomalies.
Logging - Comprehensive audit logs track all system access and changes. Logs are retained for 12 months.
Alerting - Automated alerts notify our security team of potential threats or suspicious activity.
Incident Response - We maintain a documented incident response plan with defined escalation procedures. Customers are notified of security incidents per our SLA.
Business Continuity
Backup Strategy - Automated daily backups with point-in-time recovery capability. Backups are stored in geographically separate regions.
Disaster Recovery - RTO of 4 hours and RPO of 1 hour for enterprise customers. Regular DR testing ensures readiness.
Uptime SLA - We maintain 99.9% uptime SLA with transparent status page at status.kendo.ai.
Employee Security
Background Checks - All employees with access to production systems undergo background verification.
Security Training - Mandatory security awareness training for all employees, with annual refreshers.
Least Privilege - Production access is restricted to essential personnel only, with just-in-time access for engineers.
Device Security - Employee devices require encryption, screen locks, and endpoint protection.
Compliance Roadmap
We're actively advancing our compliance certifications:
SOC 2 Type II - Currently in progress, expected completion Q3 2026
HIPAA - On our roadmap for healthcare customers
ISO 27001 - Planned for 2027
For enterprise customers, we can provide detailed security questionnaire responses and architecture documentation under NDA.