// Trust & Security Report
Kit (formerly ConvertKit), operated by ConvertKit, LLC
Kit email marketing & creator monetization platform (formerly ConvertKit). Single SaaS product with add-on modules: Email marketing/Newsletters, Visual Automations, Forms & Landing pages, Recommendations, Commerce, Subscriber Signals, Kit App Store, and Kit + AI / Kit MCP.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on kit.com“AWS's infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications which are available at the AWS Compliance site. ... Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified.”
Verify on kit.com“Kit may use the following to lawfully transfer personal data to the United States and elsewhere: The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) approved by the UK Government.”
> Show 2 unconfirmed / not-held certifications
source: kit.comKit outsources hosting of its infrastructure to Amazon Web Services (AWS). AWS provides a high level of physical and network security and maintains an audited security program including SOC 2 and ISO 27001 compliance. ... AWS's infrastructure security protections have been independently validated as part of its SOC 2 Type II and ISO 27001 certifications.
source: kit.comKit also uses Cloudflare as our CDN and DNS provider. Cloudflare is ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, and SOC 2 Type II certified.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (primary). 'Kit is based in the United States, and we and our service providers process and store personal information on servers located in the United States and other countries.' DPA subprocessor list (Attachment 3) shows all ~13 subprocessors processing data in the USA. No EU/regional data residency option advertised.
Kit publishes no explicit 'we do not train AI on your data' guarantee. The DPA authorizes Kit to process deidentified data to improve the Services ('You authorize Kit to Process Deidentified Data to improve the Services') and lists OpenAI as a subprocessor for 'Application AI functionality.' Kit + AI and Kit MCP let customers connect their own external LLMs (Claude, ChatGPT, Gemini) to their Kit data under customer-controlled, revocable permissions ('You set the permissions and can revoke access anytime'). Net: identifiable subscriber data is not stated to be used for model training, but use of deidentified data to improve services and a third-party AI subprocessor (OpenAI) means a clean no-training assurance could not be confirmed. Flag for procurement if AI data-use is in scope.
// Security controls
Hosting / infrastructure
Amazon Web Services (AWS); Kit runs no own routers, load balancers, DNS, or physical servers. Cloudflare used as CDN/DNS.
kit.comBug bounty platform
Bugcrowd - continuous bug bounty program plus Vulnerability Disclosure Program (VDP) for kit.com.
kit.comPenetration / vulnerability testing
Continuous security testing via Bugcrowd + automated static code scanning (SAST) during development; constant infrastructure vulnerability monitoring. No standalone third-party pentest report is referenced publicly.
kit.comEncryption
In-transit encryption via TLS for all data to/from Kit infrastructure; passwords unidirectionally (hashed) encrypted at the database level. Encryption-at-rest for general data is not explicitly stated.
kit.comDDoS protection
DDoS mitigation services powered by an industry-leading solution (Cloudflare-class).
kit.comResilience / DR
Infrastructure continuity and disaster recovery plan; redundant, failure-tolerant components; hot online backups in a separate data center with multiple days of snapshots.
kit.comAccess control & personnel
Least-privilege/as-needed access to data; regular employee security training; confidentiality agreements covering EU/EEA, UK, Switzerland, California personal data.
kit.comAudit access (in lieu of own SOC 2 report)
Audit-on-request model: 'Upon Your written request not more than once per year ... Kit shall make available ... information necessary to confirm Kit's compliance with its Security Policy and this DPA.' No self-serve SOC 2 / ISO certificate is offered to customers.
kit.com// Products & data scope
data: Stores creator account data plus subscriber PII (email, name, tags, segments, engagement, custom fields). Governed by Privacy Policy (creator data) + DPA (subscriber data). US data processing.
Formerly ConvertKit. 13+ years, bootstrapped, 587M+ subscribers served. Free trial through paid Creator/Pro tiers.
data: Adds buyer/transaction data and payout handling on top of subscriber data. Payment processing via third-party subprocessor.
Sell digital products, memberships, paid newsletters; automated fulfillment with transaction fees.
data: Exposes the creator's Kit data (subscribers, broadcasts, automations) to connected external LLMs (Claude, ChatGPT, Gemini) under customer-granted, revocable permissions. OpenAI is a listed subprocessor for in-app AI functionality.
Newest module. Customer controls scope/permissions and can revoke. This is the highest data-exposure surface and the main reason AI data-use should be reviewed.
data: Enriches subscriber records with industry, location, and social-reach data ('Kit-verified audience data'). Increases the sensitivity/volume of profile data Kit holds about end subscribers.
Early-access/Pro feature; relevant to data-minimization and end-subscriber privacy review.
// What to watch
- Kit holds NO security certification of its own - no Kit-issued SOC 2 Type II or ISO 27001. The SOC 2 / ISO 27001 mentions on the security page belong to AWS and Cloudflare (inherited infrastructure compliance), not to Kit. Do not list Kit as SOC 2 / ISO 27001 certified.
- Compliance assurance is an audit-on-request model (max once/year, NDA required), not a downloadable attestation report. May not satisfy enterprise vendor-risk requirements.
- AI data-use is ambiguous: DPA authorizes processing deidentified data to improve the Services and lists OpenAI as an AI subprocessor; no explicit no-training guarantee. Relevant given this is an AI-tools directory and Kit MCP exposes subscriber data to external LLMs.
- Data residency is US-only with no regional option; EU/UK transfers rely on DPF + SCCs/IDTA.
- Brand transition: ConvertKit rebranded to Kit; some legacy assets (compliance.convertkit.com, abuse@convertkit.com) still carry the ConvertKit name.
// At a glance
Pricing model
Freemium SaaS - free tier + paid Creator/Pro subscription tiers (per-subscriber pricing); 14-day Pro free trial, no credit card. Plus transaction fees on Commerce sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kit (formerly ConvertKit), operated by ConvertKit, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
kit.com