Security Overview
Learn how KendoAI protects your data with enterprise-grade security practices.
Last updated: Feb 6, 2026
Our Commitment to Security
At KendoAI, security isn't an afterthought—it's foundational to how we build and operate our platform. We understand that sales conversations contain sensitive information about your customers, strategies, and business operations.
This document provides a comprehensive overview of our security practices for enterprise evaluation. While we're actively working toward SOC 2 Type II certification, we've implemented security controls that meet or exceed industry standards.
Infrastructure Security
Cloud Infrastructure - KendoAI is hosted on Amazon Web Services (AWS), a SOC 2 Type II certified provider with the most comprehensive security certifications in the industry.
Network Security - All traffic is protected by AWS VPC with private subnets, network ACLs, and security groups. We implement WAF (Web Application Firewall) protection against common attack vectors.
DDoS Protection - AWS Shield provides automatic DDoS mitigation for our infrastructure.
Geographic Redundancy - Data is replicated across multiple availability zones for high availability and disaster recovery.
Data Encryption
Encryption in Transit - All data transmitted to and from KendoAI uses TLS 1.3 encryption. We enforce HTTPS across all endpoints with HSTS enabled.
Encryption at Rest - All stored data, including call recordings, transcriptions, and user data, is encrypted using AES-256 encryption via AWS KMS (Key Management Service).
Database Encryption - Our databases use encrypted storage volumes with automatic key rotation.
Backup Encryption - All backups are encrypted with separate encryption keys stored in AWS KMS.
Access Controls
Authentication - We support secure authentication via email/password with bcrypt hashing, Google OAuth 2.0, and passwordless magic links. Multi-factor authentication (MFA) is available for enterprise accounts.
Authorization - Role-based access control (RBAC) ensures users only access data they're permitted to see. Team admins can configure granular permissions.
Session Management - Sessions use secure, httpOnly cookies with appropriate expiration. Sessions can be revoked by users or administrators.
API Security - API access requires secure authentication tokens with configurable expiration and scope limitations.
Application Security
Secure Development - We follow OWASP guidelines and conduct regular security code reviews. All changes go through pull request review before deployment.
Dependency Management - We use automated tools to scan for vulnerabilities in third-party dependencies and apply patches promptly.
Input Validation - All user inputs are validated and sanitized to prevent injection attacks (SQL, XSS, CSRF).
Rate Limiting - API endpoints implement rate limiting to prevent abuse and brute-force attacks.
Data Handling & Privacy
Data Minimization - We only collect and retain data necessary for providing our services.
Data Isolation - Customer data is logically isolated. Each organization's data is segregated and inaccessible to other customers.
Data Retention - Customers control their data retention policies. Data can be exported or deleted upon request.
GDPR Compliance - We comply with GDPR requirements including data subject rights, lawful basis for processing, and data processing agreements.
CCPA Compliance - California residents have full rights under CCPA to access and delete their data and to opt out of data sale (we do not sell data).
AI & Third-Party Security
AI Provider Security - We use OpenAI and Anthropic for AI processing. Both providers are SOC 2 Type II certified and do not use customer data for training.
Data Processing Agreements - We maintain DPAs with all subprocessors that handle customer data.
No Training on Your Data - Your call recordings and transcriptions are never used to train AI models. Your data remains your data.
Vendor Assessment - All third-party vendors undergo security assessment before integration.
Monitoring & Incident Response
24/7 Monitoring - Our infrastructure is continuously monitored for security events, performance issues, and anomalies.
Logging - Comprehensive audit logs track all system access and changes. Logs are retained for 12 months.
Alerting - Automated alerts notify our security team of potential threats or suspicious activity.
Incident Response - We maintain a documented incident response plan with defined escalation procedures. Customers are notified of security incidents per our SLA.
Business Continuity
Backup Strategy - Automated daily backups with point-in-time recovery capability. Backups are stored in geographically separate regions.
Disaster Recovery - RTO of 4 hours and RPO of 1 hour for enterprise customers. Regular DR testing ensures readiness.
Uptime SLA - We maintain a 99.9% uptime SLA with a transparent status page at status.kendo.ai.
Employee Security
Background Checks - All employees with access to production systems undergo background verification.
Security Training - Mandatory security awareness training for all employees, with annual refreshers.
Least Privilege - Production access is restricted to essential personnel only, with just-in-time access for engineers.
Device Security - Employee devices require encryption, screen locks, and endpoint protection.
Compliance Roadmap
We're actively advancing our compliance certifications:
SOC 2 Type II - Currently in progress, expected completion Q3 2026
HIPAA - On our roadmap for healthcare customers
ISO 27001 - Planned for 2027
For enterprise customers, we can provide detailed security questionnaire responses and architecture documentation under NDA.