Security
Last Updated: May 2, 2024
Kit’s primary security focus is to protect our users’ data, and to that end we have invested in the controls and protocols described below.
Infrastructure
Kit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides a high level of physical and network security and maintains an audited security program including SOC 2 and ISO 27001 compliance. Kit does not host or run its own routers, load balancers, DNS servers, or physical servers.
AWS’s infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications, which are available at the AWS Compliance site.
Kit also uses Cloudflare as our CDN and DNS provider. Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified. These certifications can be seen at the Cloudflare Compliance site.
Vulnerability Scanning and Penetration Testing
Kit engages a leading security firm to perform extensive vulnerability scanning and penetration testing on an annual basis. Kit also crowdsources vulnerability assessments through its ongoing bug bounty program (see below for more information).
Internal Security
Kit constantly monitors its infrastructure for vulnerabilities and performs penetration testing.
Kit controls individual access to data within the company and grants a subset of individuals access to data based on their position in Kit or on an as-needed basis. Kit trains all employees on its security policies, processes for handling data, and laptop security on a regular basis. All Kit employees sign a confidentiality agreement regarding the personal data of all Kit users including specific provisions related to those individuals in the EU/EEA, UK, Switzerland, California, and other relevant countries and U.S. states.
DDoS Protection
Kit uses Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.
Encryption
All data sent to or from Kit’s infrastructure is protected with in-transit encryption using Transport Layer Security (TLS). Passwords are stored at the database level in one-way (irreversibly) encrypted form.
Infrastructure Continuity and Disaster Recovery
Kit maintains an infrastructure continuity and disaster recovery plan in the event of an availability or performance issue. All major components of Kit are redundant and failure-tolerant, and each of our data stores has an online hot backup in a separate data center with multiple days of snapshots.
Data Privacy
Kit maintains compliance with the EU’s General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other international and U.S. state privacy laws. Kit may use the following to lawfully transfer personal data to the United States and elsewhere:
- The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or
- The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) approved by the UK Government.
Kit also offers features that enable its customers to comply with the requirements of the GDPR and other privacy laws. More information about Kit’s privacy practices is available in our Privacy Policy and Data Processing Agreement.
Bug Bounty Program
In addition to internal vulnerability scanning and independent penetration testing, Kit runs a bug bounty program and rewards independent security researchers who identify vulnerabilities in Kit.com. Please report all vulnerabilities here.