// Trust & Security Report

    Kit (formerly ConvertKit), operated by ConvertKit, LLC logo

    Kit (formerly ConvertKit), operated by ConvertKit, LLC

    Kit email marketing & creator monetization platform (formerly ConvertKit). Single SaaS product with add-on modules: Email marketing/Newsletters, Visual Automations, Forms & Landing pages, Recommendations, Commerce, Subscriber Signals, Kit App Store, and Kit + AI / Kit MCP.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    Inherited infrastructure compliance (AWS SOC 2 Type II / ISO 27001; Cloudflare SOC 2 Type II / ISO 27001/27701/27018)
    HELD

    AWS's infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications which are available at the AWS Compliance site. ... Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified.

    Verify on kit.com
    EU-U.S. / UK / Swiss-U.S. Data Privacy Framework (DPF)
    HELD

    Kit may use the following to lawfully transfer personal data to the United States and elsewhere: The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) approved by the UK Government.

    Verify on kit.com
    > Show 2 unconfirmed / not-held certifications
    SOC 2 (Kit's own attestation)
    NOT CONFIRMED

    Kit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides a high level of physical and network security and maintains an audited security program including SOC 2 and ISO 27001 compliance. ... AWS's infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications.

    source: kit.com
    ISO 27001 (Kit's own certificate)
    NOT CONFIRMED

    Kit also uses Cloudflare as our CDN and DNS provider. Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified.

    source: kit.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (primary). 'Kit is based in the United States, and we and our service providers process and store personal information on servers located in the United States and other countries.' DPA subprocessor list (Attachment 3) shows all ~13 subprocessors processing data in the USA. No EU/regional data residency option advertised.

    Kit publishes no explicit 'we do not train AI on your data' guarantee. The DPA authorizes Kit to process deidentified data to improve the Services ('You authorize Kit to Process Deidentified Data to improve the Services') and lists OpenAI as a subprocessor for 'Application AI functionality.' Kit + AI and Kit MCP let customers connect their own external LLMs (Claude, ChatGPT, Gemini) to their Kit data under customer-controlled, revocable permissions ('You set the permissions and can revoke access anytime'). Net: identifiable subscriber data is not stated to be used for model training, but use of deidentified data to improve services and a third-party AI subprocessor (OpenAI) means a clean no-training assurance could not be confirmed. Flag for procurement if AI data-use is in scope.

    // Security controls

    Hosting / infrastructure

    Amazon Web Services (AWS); Kit runs no own routers, load balancers, DNS, or physical servers. Cloudflare used as CDN/DNS.

    kit.com

    Bug bounty platform

    Bugcrowd - continuous bug bounty program plus Vulnerability Disclosure Program (VDP) for kit.com.

    kit.com

    Penetration / vulnerability testing

    Continuous security testing via Bugcrowd + automated static code scanning (SAST) during development; constant infrastructure vulnerability monitoring. No standalone third-party pentest report is referenced publicly.

    kit.com

    Encryption

    In-transit encryption via TLS for all data to/from Kit infrastructure; passwords unidirectionally (hashed) encrypted at the database level. Encryption-at-rest for general data is not explicitly stated.

    kit.com

    DDoS protection

    DDoS mitigation services powered by an industry-leading solution (Cloudflare-class).

    kit.com

    Resilience / DR

    Infrastructure continuity and disaster recovery plan; redundant, failure-tolerant components; hot online backups in a separate data center with multiple days of snapshots.

    kit.com

    Access control & personnel

    Least-privilege/as-needed access to data; regular employee security training; confidentiality agreements covering EU/EEA, UK, Switzerland, California personal data.

    kit.com

    Audit access (in lieu of own SOC 2 report)

    Audit-on-request model: 'Upon Your written request not more than once per year ... Kit shall make available ... information necessary to confirm Kit's compliance with its Security Policy and this DPA.' No self-serve SOC 2 / ISO certificate is offered to customers.

    kit.com

    // Products & data scope

    Kit (core email marketing / newsletter platform)Email marketing & marketing automation

    data: Stores creator account data plus subscriber PII (email, name, tags, segments, engagement, custom fields). Governed by Privacy Policy (creator data) + DPA (subscriber data). US data processing.

    Formerly ConvertKit. 13+ years, bootstrapped, 587M+ subscribers served. Free trial through paid Creator/Pro tiers.

    Kit CommerceDigital product / paid newsletter / subscription sales

    data: Adds buyer/transaction data and payout handling on top of subscriber data. Payment processing via third-party subprocessor.

    Sell digital products, memberships, paid newsletters; automated fulfillment with transaction fees.

    Kit + AI / Kit MCPAI assistant / MCP integration

    data: Exposes the creator's Kit data (subscribers, broadcasts, automations) to connected external LLMs (Claude, ChatGPT, Gemini) under customer-granted, revocable permissions. OpenAI is a listed subprocessor for in-app AI functionality.

    Newest module. Customer controls scope/permissions and can revoke. This is the highest data-exposure surface and the main reason AI data-use should be reviewed.

    Subscriber SignalsAudience enrichment / analytics

    data: Enriches subscriber records with industry, location, and social-reach data ('Kit-verified audience data'). Increases the sensitivity/volume of profile data Kit holds about end subscribers.

    Early-access/Pro feature; relevant to data-minimization and end-subscriber privacy review.

    // What to watch

    • Kit holds NO security certification of its own - no Kit-issued SOC 2 Type II or ISO 27001. The SOC 2 / ISO 27001 mentions on the security page belong to AWS and Cloudflare (inherited infrastructure compliance), not to Kit. Do not list Kit as SOC 2 / ISO 27001 certified.
    • Compliance assurance is an audit-on-request model (max once/year, NDA required), not a downloadable attestation report. May not satisfy enterprise vendor-risk requirements.
    • AI data-use is ambiguous: DPA authorizes processing deidentified data to improve the Services and lists OpenAI as an AI subprocessor; no explicit no-training guarantee. Relevant given this is an AI-tools directory and Kit MCP exposes subscriber data to external LLMs.
    • Data residency is US-only with no regional option; EU/UK transfers rely on DPF + SCCs/IDTA.
    • Brand transition: ConvertKit rebranded to Kit; some legacy assets (compliance.convertkit.com, abuse@convertkit.com) still carry the ConvertKit name.

    // At a glance

    Pricing model

    Freemium SaaS - free tier + paid Creator/Pro subscription tiers (per-subscriber pricing); 14-day Pro free trial, no credit card. Plus transaction fees on Commerce sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Kit (formerly ConvertKit), operated by ConvertKit, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    kit.com

    > Browse all vendor trust reports