Trust & Safety
Security
Security is a core design requirement at Kybra — not an afterthought. This page describes our security practices, responsible disclosure policy, and compliance posture.
Infrastructure
- All data in transit encrypted via TLS 1.2 or higher
- Data at rest encrypted using AES-256
- GPU compute nodes isolated per tenant — no cross-tenant data access
- Private inference endpoints protected by mTLS
- Network segmentation between control plane and data plane
Access Control
- Role-based access control (RBAC) scoped to org, project, and user
- API keys are one-time display, scoped, rotatable, and revocable
- All access decisions are logged and auditable
- Internal systems require MFA for privileged access
- Principle of least privilege enforced across all service accounts
Application Security
- Dependency vulnerability scanning in CI pipeline
- Security headers enforced on all HTTP responses
- Input validation and output encoding on all user-facing surfaces
- Rate limiting and abuse detection on API endpoints
- Secrets management via dedicated vault — no credentials in source code
Compliance & Audit
- SOC 2 Type II alignment in progress
- 100% audit log coverage for access decisions
- Immutable audit trail retained for 12 months
- Annual penetration testing by independent security firm
- Incident response plan with defined SLAs
Responsible Disclosure
If you believe you have discovered a security vulnerability in the Kybra platform, please report it to us privately before public disclosure. We are committed to acknowledging valid reports within 48 hours and resolving confirmed vulnerabilities within a reasonable timeframe based on severity.
Please include a description of the vulnerability, steps to reproduce, and potential impact. We ask that you avoid accessing user data, disrupting services, or publicly disclosing the issue until we have had the opportunity to address it.
Report a vulnerability →Security inquiries: [email protected]