The technical facts

Built like enterprise software.

Priced like a hobby tool.

Most one-person SaaS gets to launch by skipping the parts that don’t show on the surface. Kinako took the opposite trade — the engineering underneath is built the way it would be if a company were paying for it. Here are the specifics.

Updated when the underlying systems change · last reviewed May 2026.

01 Security

Your data is locked down at the row.

Every table that holds your business data has Row-Level Security on it. That isn't an aspiration — it's a Postgres-level guarantee enforced for every read and every write. Two Kinako users physically cannot see each other's data.

Row-Level Security
Enabled on every user-data table (40+).
API authentication
Supabase Auth · Bearer token verified server-side on every privileged route.
Service-role boundary
Service-role key never reaches the browser. All admin operations happen inside server routes.
Public share tokens
Cryptographically generated · scoped to a single resource · audit-logged on every send.
Content-Security Policy
Set per-request in the edge middleware.
HTTPS-only
TLS 1.2+ enforced on the edge. HSTS shipped with a one-year max-age.
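The share-token and audit-log items above describe a lifecycle rather than a single call: a token from the CSPRNG, bound to exactly one resource, checked against that resource on every public open, and an append-only audit row on every send. The block below is an added example that walks that lifecycle end to end; it is not Kinako's code. The in-memory Maps stand in for the Postgres tables, all type, table and function names are assumptions, and storing only the SHA-256 of the token (so a leaked table does not leak usable links) is a design choice of this example rather than something the page states.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example, not Kinako's code. Maps stand in for the Postgres tables;
// every name here is an assumption.

type ResourceKind = "invoice" | "proposal" | "contract";

interface ShareTokenRow {
  tokenHash: string;    // SHA-256 of the token; the plaintext is never stored
  kind: ResourceKind;
  resourceId: string;
  ownerId: string;
  expiresAt: number;    // epoch millis
  revoked: boolean;
}

interface AuditRow {
  at: number;
  ownerId: string;
  kind: ResourceKind;
  resourceId: string;
  recipient: string;
  tokenHash: string;    // ties a send to a token without holding the token itself
}

const shareTokens = new Map<string, ShareTokenRow>(); // keyed by tokenHash
const auditRows: AuditRow[] = [];                      // append-only, never updated

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

/** Mint a token for one resource. The plaintext is returned once and not kept. */
function issueShareToken(ownerId: string, kind: ResourceKind, resourceId: string, ttlMs: number, now = Date.now()): string {
  const token = randomBytes(32).toString("base64url"); // 256 bits of CSPRNG output
  const tokenHash = hashToken(token);
  shareTokens.set(tokenHash, { tokenHash, kind, resourceId, ownerId, expiresAt: now + ttlMs, revoked: false });
  return token;
}

/** Every send writes its audit row before the email or SMS goes out. */
function recordShareSend(token: string, recipient: string, now = Date.now()): AuditRow {
  const row = shareTokens.get(hashToken(token));
  if (!row) throw new Error("unknown share token");
  const entry: AuditRow = {
    at: now, ownerId: row.ownerId, kind: row.kind, resourceId: row.resourceId, recipient, tokenHash: row.tokenHash,
  };
  auditRows.push(entry);
  return entry;
}

/**
 * Resolve a presented token for the resource the public route is about to render.
 * A valid token for invoice A must not open invoice B, nor a contract.
 */
function resolveShareToken(presented: string, kind: ResourceKind, resourceId: string, now = Date.now()): ShareTokenRow | null {
  const row = shareTokens.get(hashToken(presented));  // lookup by hash, never by plaintext
  if (!row || row.revoked || row.expiresAt <= now) return null;
  if (row.kind !== kind || row.resourceId !== resourceId) return null;  // scope check
  return row;
}

function revokeShareToken(token: string): boolean {
  const row = shareTokens.get(hashToken(token));
  if (!row) return false;
  row.revoked = true;
  return true;
}

function auditLog(): readonly AuditRow[] {
  return auditRows;
}
```

The scope check in `resolveShareToken` is the part that does the security work: the route that renders a shared invoice passes the invoice id it was asked for, so a token minted for one resource cannot be replayed against another, and revocation or expiry refuses the token without touching the audit history.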

02 Reliability

Built to not break when it matters.

Most one-person SaaS hits its first scaling wall at the parts you can't see — webhook handlers, race conditions, the assumption that an event will only fire once. We built those parts the way you'd build them if a company were paying for it.

Stripe webhook idempotency
Every event claims its event-id in a Postgres primary key before processing. Duplicates short-circuit.
Invoice numbering
Atomic unique numbers per user · Postgres unique constraint, no race-condition gaps.
SQL migrations
Numbered sequentially · every one idempotent · zero destructive operations in production.
Rate limiting
Upstash Redis-backed · per-IP throttles on every public endpoint · per-user cooldowns on AI routes.
Audit logs
Every share-token send writes an immutable audit row · IP capture on contract signatures.
Daily AI spend cap
Hard ceiling per user per cycle · prevents runaway costs from misuse.
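The webhook-idempotency item is the one most worth seeing as code, because the ordering matters: the event id is claimed in a table whose primary key is the id, and only the caller whose insert succeeded goes on to process. The block below is an added example of that claim-before-process pattern and is not Kinako's code. The in-memory store stands in for the Postgres table, the SQL in the comments is an assumption about how such a table would be written, and the handler, event and outcome names are all made up for the example. It also handles the failure mode the pattern has to get right: if processing fails after the claim, the claim is given back so the provider's redelivery is not short-circuited as a duplicate.

```typescript
// Added example, not Kinako's code. Every name and the SQL in comments are assumptions.

interface StripeEventLike {
  id: string;                          // evt_...; the same id arrives on every redelivery
  type: string;                        // e.g. "invoice.paid"
  data: { object: Record<string, unknown> };
}

interface EventClaimStore {
  /** First caller for an id gets true; every later caller gets false.
   *  Postgres equivalent: INSERT INTO stripe_events (id) VALUES ($1) ON CONFLICT DO NOTHING
   *  and check that exactly one row was inserted. */
  claim(eventId: string): boolean;
  /** Give the id back so the provider's retry can process it. In Postgres this is
   *  the rollback of the transaction that holds both the claim row and the side effects. */
  release(eventId: string): void;
}

class MemoryClaimStore implements EventClaimStore {
  private readonly claimed = new Set<string>();
  claim(eventId: string): boolean {
    if (this.claimed.has(eventId)) return false;
    this.claimed.add(eventId);
    return true;
  }
  release(eventId: string): void {
    this.claimed.delete(eventId);
  }
}

type Handler = (event: StripeEventLike) => void;
type Outcome = "processed" | "duplicate" | "ignored" | "failed";

/** The route returns 2xx for every outcome except "failed", which asks Stripe to redeliver. */
function handleStripeEvent(store: EventClaimStore, handlers: Record<string, Handler>, event: StripeEventLike): Outcome {
  if (!store.claim(event.id)) return "duplicate";      // short-circuit: already handled
  const handler = handlers[event.type];
  if (!handler) return "ignored";                       // acknowledged, never retried
  try {
    handler(event);
    return "processed";
  } catch {
    store.release(event.id);                            // non-2xx => provider redelivers
    return "failed";
  }
}
```

Releasing on failure turns at-most-once into at-least-once for the failed path, so the individual handlers still need to tolerate a partial first attempt; with a real database the simplest way to get that is to run the claim insert and the handler's writes in one transaction, so a failure rolls both back together.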

03 Privacy

Your data leaves the building when you do.

Kinako is built on the assumption that the user owns the data. Every account can export every row at any time. No analytics broker re-sells your usage. The third parties we do touch are listed below — there is nothing else.

Data export
One-click full export of every entity (clients, projects, invoices, contracts, time, expenses).
Account deletion
Full account + data deletion on request · executed within seven days.
AI provider
Anthropic Claude (drafting) and OpenAI Whisper (audio transcription only). Neither trains on customer data, by contract.
Payments
Stripe (subscriptions and Connect direct charges). PCI handled by Stripe; card data never touches Kinako servers.
Email
Resend (transactional only).
SMS
Twilio (one-way notification only).
Analytics
Vercel Speed Insights and Vercel Analytics. No third-party trackers.

04 AI safety

AI drafts. You decide. Nothing else.

Every AI surface in Kinako produces text. None of them sends, signs, charges, or otherwise acts. The only thing that crosses the line between draft and action is a human hand on a button.

Drafts vs. actions
AI writes proposals, follow-ups, summaries, briefings. Never sends them.
Contract signatures
Only client-side signature events, with IP and timestamp captured, ever commit a signed contract.
Stripe charges
Initiated only by user click. AI cannot trigger a charge.
Tone and content controls
Every AI surface includes a user-editable preview before send.
Daily cap and cooldowns
Spending and rate-limit ceilings on every AI route.
Training opt-out
Kinako does not ship customer data to model training. Provider contracts (Anthropic, OpenAI) enforce the same.

05 Engineering

Hand-built. No component library. One owner.

Kinako has no UI dependencies. No Material UI. No shadcn fallback. No design-system import. Every component you see was hand-built with Tailwind. The trade-off is one founder maintaining everything; the upside is a product that looks and behaves the same the day after a Tailwind major-version bump.

Framework
Next.js 16 · App Router · Turbopack · React Compiler.
Frontend
React 19 · TypeScript · Tailwind CSS v4 · zero UI component libraries.
Backend
Supabase (Postgres + Auth + Storage) · Upstash Redis · Vercel Edge Functions.
Payments
Stripe (subscriptions, Connect direct charges, credit packs, webhooks).
AI
Anthropic Claude Sonnet (drafting) · OpenAI Whisper (transcription).
Hosting
Vercel · multi-region edge · automatic font subsetting · dynamic modal imports for first-paint speed.

06 Performance

Fast on purpose.

Speed is a brand value at Kinako. Slow software is, eventually, software that gets abandoned for faster software. We treat every render and every fetch as a thing that has to earn its place.

Page rendering
RSC by default · client components only where interaction demands it.
Modal code-splitting
All dashboard modals dynamic-imported · zero overhead until shown.
Database queries
Explicit-column selects on high-traffic pages · no select(*) on hot paths.
Caching
ISR with 60-second revalidate on dashboard reads · Cache-Control headers tuned per route.
Asset delivery
Vercel edge CDN · automatic font subsetting · image optimization on every visual asset.
Bundle hygiene
Bundle analyzer integrated · unused font weights dropped · prefers-reduced-motion honored for accessibility.

A note from the founder

I built Kinako solo. There is no CTO to blame, no engineering team to defer to, no “we’ll-fix-it-in-Q3” on the security roadmap. Every decision on this page is one I made and continue to maintain personally.

If you find something on this page that’s inaccurate, or you’re a security-conscious solo who wants more detail on any item, write to me directly. The fastest path is the in-app feedback widget — every message lands in my inbox and is usually answered the same day.

— Jhayden, in Melbourne

Try the product

Experience, on day one.

Free to start. The same software that’s in this document.