Security
KBify is a managed-service AI agent hosted at kbify.pipemint.co. This page describes where your data goes and how it's protected.
Sub-processors
KBify routes your video and text content through the following providers to deliver the final article.
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | Claude LLM (draft, structure, HTML) | USA |
| OpenAI | LLM fallback when Claude is unavailable | USA |
| AssemblyAI | Loom / Google Drive audio transcription | USA |
| Supabase | Client configs, article history, audit log | EU (eu-central-1) |
| Vercel | Web hosting, API runtime | Global CDN |
| Cloudflare | DNS, email routing, TLS | Global CDN |
Data flow
- 1. Client sends a video URL (Loom / YouTube / Google Drive) or a pasted transcript.
- 2. Resolver fetches the media URL. No credentials are stored. Loom and Google Drive require publicly-shared links.
- 3. Transcription. AssemblyAI transcribes the audio (Loom / Google Drive) or KBify reads YouTube captions directly. The video file itself is not retained.
- 4. Article generation. The transcript passes through 3 Claude agents (draft, structure, HTML). OpenAI is used only as a fallback when Claude is temporarily unavailable.
- 5. Human review. The KBify handler reviews every article before delivery — no auto-publishing.
- 6. Storage. The transcript and generated article are stored in KBify's dedicated Supabase project (EU region). Default retention: 90 days. Deletable on request.
- 7. Delivery. Article is emailed or uploaded to the client's KB platform by the handler.
Encryption
- In transit: TLS 1.2+ on all endpoints (Vercel, Supabase, Cloudflare, Anthropic, OpenAI, AssemblyAI).
- At rest: Supabase Postgres uses AES-256 encryption at rest by default.
- API keys are stored server-side only in Vercel environment variables, never committed to source control, never exposed to the browser.
Data retention
- Transcripts: 90 days by default. Deletable on request.
- Generated articles: retained until the client asks for deletion, so the handler can re-reference past work.
- Audit log: retained for the lifetime of the engagement + 90 days.
- Source video files (Loom/GDrive/YouTube): never stored by KBify — only the transcript is kept.
DPA & contact
A Data Processing Agreement is available on request. For security questions, incidents, or data deletion requests, contact tiran@pipemint.co.
Scope statement
KBify is designed for SMB and mid-market use. It is not currently SOC 2, ISO 27001, or HIPAA-certified. If you need any of these for an enterprise engagement, please email us and we can discuss a paid pilot with the upgrade path.