Trust Center
Security built into every layer.
Cyndra is engineered for operators in regulated industries. Encryption end to end, scoped credentials, immutable audit logs, human approval gates on every high-stakes action, and a fully local-model deployment option for the data you cannot send to the cloud.
SOC 2 Type II · In progress · Late 2026
SOC 2 Type II
Cyndra is actively working toward SOC 2 Type II certification with Sprinto. The observation window opens late 2026. Email security@cyndra.ai for a vendor questionnaire or our current controls matrix.
Read the full SOC 2 readiness brief
The same controls a Type II audit will test, mapped to AI agent deployments, with a controls matrix available under NDA.
Vendor questionnaires
Email security@cyndra.ai for a vendor questionnaire or our current controls matrix mapping to SOC 2, ISO 27001, and HIPAA Security Rule equivalents.
Data Principles
Your data stays yours. Period.
Local-first by default
For regulated industries, Cyndra Agent runs entirely on your hardware. Conversations, files, and agent memory never leave the device. The cloud platform isolates each tenant with dedicated per-tenant encryption keys.
Your data, your control
We never use your data to train shared models without explicit opt-in. You can export or delete every record at any time. Sub-processors are bound by DPAs that mirror our customer obligations.
Encrypted end to end
TLS 1.3 in transit. AES-256 at rest. Customer secrets stored in HashiCorp Vault with per-tenant encryption keys. Tokens stored server-side, never reaching the AI.
Enterprise Controls
The same controls a SOC 2 Type II audit will test.
We operate against these controls today, ahead of formal attestation. Procurement and compliance teams can request our controls matrix mapping to SOC 2, ISO 27001, and HIPAA Security Rule equivalents.
Encryption
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Customer secrets stored in HashiCorp Vault with per-tenant encryption keys.
Access Control
Role-based access with principle of least privilege. SSO + SAML for enterprise. Audit log of every privileged access event. Annual access reviews.
Monitoring
24/7 security monitoring with automated alerting. Anomalous-access detection on credential vaults. Daily review of failed-authentication patterns.
Audit Logging
Immutable audit trails for all agent actions, tool calls, and admin operations. Logs retained 12 months by default, longer on enterprise plans.
Vulnerability Management
Quarterly penetration testing by an independent firm. Automated CVE scanning of all dependencies. SLAs on critical CVEs measured in hours.
Incident Response
Documented incident response plan with defined escalation procedures. Customers notified within 72 hours of any confirmed data incident.
Vendor Management
All sub-processors vetted for SOC 2 / ISO 27001 compliance. DPAs signed with every sub-processor. Sub-processor list available on request.
Business Continuity
Redundant infrastructure across availability zones. Daily encrypted backups. Quarterly DR tabletop exercises and at least one full failover drill per year.
Trust Service Criteria
Mapped to AI agent deployments.
AI agents introduce risk categories that don't show up in a traditional SOC 2 scope: tool invocation, prompt injection, autonomous action. Here's how we treat each criterion.
Security
Encryption in transit (TLS 1.3) and at rest (AES-256). SSO + SAML for enterprise. Role-based access with principle of least privilege. Automated vulnerability scanning, regular penetration testing, and bug bounty intake.
Availability
99.95% uptime SLA on enterprise contracts. Redundant infrastructure across availability zones. Documented disaster recovery plan with RTO/RPO targets per workload tier.
Confidentiality
Data classified and protected based on sensitivity. Organization-level access isolation. Customer data segregated by tenant ID. Sub-processors bound by DPAs that mirror our customer obligations.
Processing Integrity
Every AI agent action is logged with input, output, tools invoked, and the user who triggered it. High-stakes actions route to human approval before execution. Replayable audit trail for compliance review.
Privacy
PII is minimized by default. AI agents operate on scoped tool credentials, never on raw customer data dumps. Customer data is not used to train shared models without explicit opt-in.
Compliance & Data Governance
Aligned with the standards your buyers ask about.
GDPR
Lawful basis documented for every processing activity. Subject access, rectification, erasure, and portability handled within statutory windows. Read more on our GDPR page.
DPA & Sub-processors
Signed DPA available for every enterprise account. Sub-processor list (hosting, model providers, telemetry) available under NDA. All sub-processors bound by DPAs that mirror our customer obligations.
HIPAA
For HIPAA-regulated data we recommend the local-model deployment, where zero data leaves your network. We handle BAA requirements case by case for hybrid setups.
ISO 27001
Controls mapped to ISO 27001 Annex A. Formal certification on the roadmap following SOC 2 Type II. Full control mapping available under NDA.
Security Review
Need a deeper review?
We can wrap one in 30 minutes.
Vendor questionnaires, BAAs, architecture diagrams, SHA hashes for EDR allow-listing, controls matrix mapping. We can usually wrap a security review in 30 minutes.