Last Updated: February 12, 2026
Kit’s primary security focus is to protect our users’ data, and to that end we have invested in the controls and protocols described below.
Kit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides a high level of physical and network security and maintains an audited security program including SOC 2 and ISO 27001 compliance. Kit does not host or run its own routers, load balancers, DNS servers, or physical servers.
AWS’s infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications, which are available at the AWS Compliance site.
Kit also uses Cloudflare as our CDN and DNS provider. Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified. These certifications can be seen at the Cloudflare Compliance site.
Kit operates a continuous security testing program through BugCrowd, including a bug bounty program and Vulnerability Disclosure Program (VDP), enabling independent security researchers to report vulnerabilities. Kit also employs automated code scanning tools to perform static analysis of the codebase, identifying potential security issues during development.
Kit constantly monitors its infrastructure for vulnerabilities and uses code scanning tools to identify security issues in the codebase.
Kit controls individual access to data within the company and grants a subset of individuals access to data based on their position in Kit or on an as-needed basis. Kit trains all employees on its security policies, processes for handling data, and laptop security on a regular basis. All Kit employees sign a confidentiality agreement regarding the personal data of all Kit users including specific provisions related to those individuals in the EU/EEA, UK, Switzerland, California, and other relevant countries and U.S. states.
Kit uses Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.
All data sent to or from Kit’s infrastructure is protected with in-transit encryption using Transport Layer Security (TLS). Passwords are stored at the database level only in one-way (unidirectionally encrypted) form, so the original password cannot be recovered from the stored value.
Kit maintains an infrastructure continuity and disaster recovery plan in the event of an availability or performance issue. All major components of Kit are redundant and failure-tolerant, and each of our data stores has an online hot backup in a separate data center with multiple days of snapshots.
Kit maintains compliance with the EU’s General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable international and U.S. state privacy laws. Kit may use the following to lawfully transfer personal data to the United States and elsewhere:
The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or
The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) approved by the UK Government.
Kit also offers features that enable its customers to comply with the requirements of the GDPR and other privacy laws. More information about Kit’s privacy practices is available in our Privacy Policy and Data Processing Agreement.
Kit operates a bug bounty program and Vulnerability Disclosure Program (VDP) through BugCrowd, rewarding independent security researchers who identify vulnerabilities in Kit.com. This provides continuous security testing and validation. Please report all vulnerabilities here.