Trust & Security

Trust Center

Last updated: April 2026 · Kontrable is an early-stage product in open beta.

How Kontrable works

Kontrable is contractor management software. We help businesses organize contractor onboarding, manage contracts, track invoices, and record payments. We are not a payment processor, employer of record, or financial institution. We never hold or route money.

Data flow

  • Contractor invited: A business sends an invite. The contractor receives an email and creates a portal account under the business's branding.
  • Identity verified: The contractor completes KYC (individuals) or KYB (businesses) through our verification partner, Veriff.
  • Contract signed: The business creates a contract using templates or from scratch. Both parties sign electronically. Each receives a signed copy immediately.
  • Work and invoicing: Contractors submit payment requests through their portal. The business reviews and approves before paying from their own accounts.
  • Payment tracked: After the business sends payment via bank, Wise, PayPal, or Payoneer, Kontrable records the transaction and notifies both sides. No money passes through Kontrable.

Data & subprocessors

We keep our subprocessor list minimal. Each service listed below processes some form of customer or contractor data as part of operating the platform.

Service | Role | Data involved
Supabase | Database & auth | User accounts, contractor profiles, contracts, payment records
Veriff | Identity & business verification (KYC/KYB) | ID documents, selfies, business registration — processed by Veriff, not stored by Kontrable
SignatureAPI | Electronic signatures | Contract documents, signature events
Resend | Transactional email | Email address, notification content
Stripe | Billing & subscriptions | Payment info handled entirely by Stripe — not stored by Kontrable
Vercel | Hosting & CDN | No persistent customer data — request routing only
Cloudflare | DNS, WAF, DDoS protection | No customer data stored — network security layer only

Data retention

  • Contractor profiles, contracts, payment records, and identity verification status are retained for the lifetime of your workspace.
  • Deleting your workspace removes all associated contractor data, contract records, and payment logs. You can export everything first as CSV or PDF.
  • Identity documents submitted through Veriff are processed and stored by Veriff according to their own retention policies. Kontrable stores only the verification outcome (verified / not verified).

Identity & business verification

Every contractor on Kontrable verifies their identity before they can access a contract or submit a payment request. This protects both businesses and contractors.

Individual contractors — KYC

Individual contractors complete identity verification powered by Veriff. The process includes a government-issued ID scan and a live selfie match. Verification typically completes in under two minutes. Kontrable receives a pass/fail result; the raw identity documents are processed and retained by Veriff under their own data policies.

Business entities — KYB

Business contractors (service companies, studios, registered entities) complete business verification including company registration documents and beneficial ownership confirmation. This ensures you know who you're paying and that the entity is legitimate.

AI agent operators

For agent-based contractors — humans or businesses operating AI agents on contract — the operator completes standard KYC or KYB verification. The contract and all legal obligations are with the operator, not the agent. Kontrable treats agent operators with the same verification requirements as any other contractor type.

Kontrable does not make legal determinations about employment status. We provide compliance infrastructure. You remain responsible for ensuring your contractor relationships are structured appropriately under applicable law.

Contracts & electronic signatures

Contracts on Kontrable are created using templates (NDA, SOW, general contractor agreement) or written from scratch. AI-assisted contract generation is available using your business context and the contractor's location and type.

Electronic signatures are handled through SignatureAPI. Both parties receive a legally binding signed copy immediately upon completion. Contracts are stored in Kontrable and can be exported at any time.

Kontrable does not provide legal advice and does not guarantee that any specific contract template meets legal requirements in your jurisdiction. Have contracts reviewed by a qualified legal professional for your specific situation.

Payment tracking

Kontrable never holds, routes, or touches your money. Payments go directly from your bank account, Wise, PayPal, Payoneer, or any other method you use, straight to your contractors. Kontrable runs alongside to record the transaction, confirm amounts, and notify both sides in real time.

How payment tracking works

  • You approve a payment request in Kontrable.
  • You send the payment using your own accounts and your preferred method.
  • You mark the payment as sent in Kontrable, or Kontrable detects it automatically via available integrations (Wise API, Plaid for bank transfers).
  • Both you and the contractor receive a confirmation notification.
  • The payment record is stored permanently in Kontrable for audit and accounting purposes.

Pay stub generation

Kontrable automatically generates an immutable pay stub PDF at the moment of payment confirmation. The year-to-date total is captured at that moment and never retroactively updated. This gives both parties a clean, timestamped record of every payment.

Encryption

  • In transit: All connections use TLS 1.2+. All API calls and portal sessions are served over HTTPS.
  • At rest: All data stored in Supabase is encrypted at rest using AES-256, managed by Supabase's infrastructure layer (AWS).
  • Passwords: User passwords are hashed and never stored in plain text. Authentication is handled by Supabase Auth.

Access controls

  • Workspace data is strictly scoped by workspace ID. No workspace can access another workspace's data through the API.
  • Team seats have role-based access. Workspace owners can assign permissions to team members.
  • Contractors access only their own portal. They see their contracts, invoices, and payment status — not your internal workspace data or other contractors' records.
  • Cloudflare WAF provides country-level blocking and rate limiting on all public-facing endpoints as a network-level security layer.

GDPR

Kontrable is built with GDPR principles in mind. We collect only the data necessary to operate the platform. No tracking pixels, no third-party advertising integrations, no sale of personal data.

Our analytics tools (Fathom, Google Analytics) are configured without advertising features. No personally identifiable information is shared with advertising networks.

  • You can export all workspace data at any time from your account settings.
  • You can request deletion of your workspace and all associated data.
  • Contractor data belongs to your workspace. Contractors can request their own data through your portal or by contacting us directly.

For Data Processing Agreement (DPA) requests, contact us at privacy@kontrable.com.

Certifications & current status

Kontrable is in open beta. We are an early-stage product and honest about what we have and haven't yet formalized.

Item | Status
SOC 2 Type II | Planned
ISO 27001 | Planned
Third-party penetration test | Planned
GDPR compliance practices | Active
Encrypted data at rest (AES-256) | Active
TLS in transit | Active
Identity verification via Veriff | Active
Cloudflare WAF & DDoS protection | Active

Our infrastructure providers (Supabase on AWS, Vercel) maintain their own SOC 2 Type II compliance. We will publish our own formal certifications as the product matures.

Vulnerability disclosure

If you discover a security vulnerability in Kontrable, please report it responsibly to security@tarkle.com.

  • We aim to acknowledge reports within 48 hours.
  • For critical vulnerabilities, we aim to provide a fix timeline within 5 business days.
  • Please do not publicly disclose vulnerabilities before we've had a chance to address them.

For general security questions not covered here, contact us at kontrable.com/contact.