Last Updated: July 27, 2020

ConvertKit’s primary security focus is to protect our users’ data and as such, we’ve invested in the below controls and protocol to protect our users.


ConvertKit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides a high level of physical and network security and maintains an audited security program including SOC 2 and ISO 27001 compliance. ConvertKit does not host or run its own routers, load balancers, DNS servers, or physical servers.

AWS’s infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications which are available at the AWS Compliance site.

Vulnerability Scanning and Penetration Testing

ConvertKit engages a leading security firm to perform extensive vulnerability scanning and penetration testing on an annual basis.  ConvertKit also crowdsources vulnerability assessments through its ongoing bug bounty program (see below for more information).

Internal Security

ConvertKit constantly monitors its infrastructure for vulnerabilities and performs penetration testing.

ConvertKit controls individual access to data within the company and grants a subset of individuals access to data based on their position in ConvertKit or on an as-needed basis. ConvertKit trains all employees on its security policies, processes for handling data, and laptop security on a regular basis. All ConvertKit employees sign a confidentiality agreement regarding the personal data of all ConvertKit users including specific provisions related to those individuals in the EU/EEA, UK, and Switzerland.

DDoS Protection

ConvertKit uses Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

In-Transit and At-Rest Encryption

All data sent to or from ConvertKit’s infrastructure is protected with in-transit encryption using Transport Layer Security (TLS).

Stored data is encrypted at rest using industry-standard encryption protocols. Passwords are unidirectionally encrypted at the database level.

Infrastructure Continuity and Disaster Recovery

ConvertKit maintains an infrastructure continuity and disaster recovery plan in the event of an availability or performance issue. All major components of ConvertKit are redundant and failure-tolerant, and each of our data stores has an online hot backup in a separate data center with multiple days of snapshots.

Data Privacy 

ConvertKit is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, maintains compliance with the General Data Processing Regulation (GDPR), and relies on Standard Contractual Clauses (SCCs) to transfer and process personal data from the EU/EEA and UK to the United States. ConvertKit also offers features that enable its customers to comply with the requirements of the GDPR. More information about ConvertKit’s privacy practices are available in our Privacy Policy and Data Processing Agreement.

Bug Bounty Program 

In addition to internal vulnerability scanning and independent penetration testing, ConvertKit runs a bug bounty program and rewards independent security researchers who identify vulnerabilities in Please report all vulnerabilities here.

The future belongs to creators

ConvertKit helps creators like you take their projects from idea to reality. It's never been easier to build an audience and grow a business. And you can do it all for free.

Launch your next project