Last Updated: July 27, 2020
ConvertKit’s primary security focus is protecting our users’ data. To that end, we have invested in the controls and protocols described below.
Infrastructure
ConvertKit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides physical and network security for that infrastructure and maintains an audited security program; its protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications, and the corresponding reports are available at the AWS Compliance site. ConvertKit does not host or run its own routers, load balancers, DNS servers, or physical servers.
Under AWS’s shared responsibility model, these certifications cover the underlying cloud infrastructure; security of the ConvertKit application and of the data it stores remains ConvertKit’s responsibility, which the controls below address.
Vulnerability Scanning and Penetration Testing
ConvertKit engages a leading security firm to perform extensive vulnerability scanning and penetration testing on an annual basis. ConvertKit also crowdsources vulnerability assessments through its ongoing bug bounty program (see below for more information).
Internal Security
ConvertKit continuously monitors its infrastructure for vulnerabilities and performs its own penetration testing, in addition to the independent testing described above.
ConvertKit restricts access to data within the company: only a subset of staff is granted access, based on their role or on an as-needed basis. ConvertKit regularly trains all employees on its security policies, its processes for handling data, and laptop security. All ConvertKit employees sign a confidentiality agreement covering the personal data of all ConvertKit users, including specific provisions for individuals in the EU/EEA, UK, and Switzerland.
DDoS Protection
ConvertKit uses Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.
In-Transit and At-Rest Encryption
All data sent to or from ConvertKit’s infrastructure is protected with in-transit encryption using Transport Layer Security (TLS).
Stored data is encrypted at rest using industry-standard encryption algorithms. Passwords are never stored in plaintext or in any reversible form: at the database level they are stored only as one-way hashes, so the original password cannot be recovered from the stored value.
Infrastructure Continuity and Disaster Recovery
ConvertKit maintains an infrastructure continuity and disaster recovery plan in the event of an availability or performance issue. All major components of ConvertKit are redundant and failure-tolerant, and each of our data stores has an online hot backup in a separate data center with multiple days of snapshots.
Data Privacy
ConvertKit is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, maintains compliance with the General Data Protection Regulation (GDPR), and relies on Standard Contractual Clauses (SCCs) to transfer and process personal data from the EU/EEA and UK to the United States. ConvertKit also offers features that enable its customers to comply with the requirements of the GDPR. More information about ConvertKit’s privacy practices is available in our Privacy Policy and Data Processing Agreement.
Bug Bounty Program
In addition to internal vulnerability scanning and independent penetration testing, ConvertKit runs a bug bounty program and rewards independent security researchers who identify vulnerabilities in ConvertKit.com. Please report all vulnerabilities here.