// Trust & Security Report

    Kong Inc. logo

    Kong Inc.

    Kong Insomnia is a collaborative API development platform for designing, testing, mocking, and debugging APIs. Core offerings include free tier (local/Git storage, unlimited projects), Team plan (shared workspace collaboration), and Enterprise plan (SOC 2 access, SSO, SCIM, vault integrations, SLAs). Includes native Kong Konnect integration, MCP server testing support, and AI-powered features (AI Runner).

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Kong's SOC 2 Type II report confirms the design and effectiveness of non-financial controls related to security, availability, and confidentiality across Kong Konnect, Konnect Dedicated Cloud Gateways, Kong Insomnia, Kong Gateway Enterprise, Kong AI Gateway, and Kong Mesh.

    Verify on konghq.com
    CSA STAR Level 1
    HELD

    Kong Insomnia has completed a CSA STAR Level 1 self-assessment with a CAIQ v4.0.3 questionnaire, and this details Kong's security, privacy, and compliance practices aligned with the Cloud Controls Matrix.

    Verify on konghq.com
    > Show 4 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification for Insomnia found in vendor documentation or Kong's compliance materials.

    source: trust.konghq.com
    GDPR Compliance (Policy-based)
    NOT CONFIRMED

    Kong maintains GDPR compliance via Data Protection Addendum (DPA) at https://konghq.com/legal/data-protection-addendum. Not a formal certification but enforceable contractual compliance. Data stored outside EU (GCP US Central region).

    source: insomnia.rest
    HIPAA
    NOT CONFIRMED

    HIPAA compliance is customer-dependent, not a vendor certification. Terms state: 'Customer may not store or process any payment cardholder information (PCI) or protected health information (PHI) in Project Data through the Cloud Services.'

    source: konghq.com
    PCI DSS
    NOT CONFIRMED

    PCI DSS compliance is customer-dependent configuration. Kong does not store financial data by default. Customers must complete their own Self-Assessment Questionnaire (SAQ).

    source: konghq.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    GCP US Central region (not EU-compliant by default). Users can enforce local or Git-based storage for full data control.

    AI Runner features use data that is NOT end-to-end encrypted and NOT considered 'Project Data' per ToS. Detailed AI training policy unavailable (AI Runner Policy link returns 404). Data handling for AI features not fully transparent.

    // Security controls

    Encryption in transit

    TLS 1.2+ for all data in transit; SRP (Secure Remote Password) protocol for authentication

    developer.konghq.com

    Encryption at rest (synced data)

    AES-GCM-256 symmetric encryption for synced project data; end-to-end encryption (E2EE) optional with user-controlled passphrase (Insomnia does not store passphrases)

    developer.konghq.com

    Encryption at rest (local data)

    Local data on disk NOT encrypted in Scratch Pad; recommended for sensitive work only if using Git or Cloud storage with E2EE

    developer.konghq.com

    Authentication

    OIDC, SAML, and SCIM support for Enterprise SSO; RFC-2945 SRP for paid plans

    insomnia.rest

    Access control

    Role-based access control (RBAC), team management, domain management, invite controls (Enterprise)

    insomnia.rest

    Incident response

    Documented incident response and vulnerability management process; breach notification per GDPR obligations

    developer.konghq.com

    Data deletion

    Account owners can request permanent deletion; Kong retains backups as per 'legitimate interest' (GDPR-permissible) and only removes from backups if legally compelled

    insomnia.rest

    // Products & data scope

    Insomnia (Free/Open Source)API Development & Testing

    data: Local-only by default; no cloud sync unless user opts-in to paid plans. Git Sync available.

    No login required for Scratch Pad; unlimited projects; unlimited collection runner; native MCP client; free HTTP, gRPC, GraphQL, Socket.io, WSS+SSE support. Open-source core.

    Insomnia TeamAPI Development & Testing

    data: Cloud storage with collaborative workspace. End-to-end encryption optional.

    Git Sync for up to 3 team members; real-time collaboration; 3-way merge; shared collections. No SOC 2 access.

    Insomnia EnterpriseAPI Development & Testing

    data: Flexible storage: local-only, Git, or cloud. Supports data residency mandates. E2EE available.

    SOC 2 Type II access (under NDA); enterprise support with SLAs; SSO (SAML/OIDC) and SCIM; vault integrations (AWS, GCP, Azure, HashiCorp); domain management; custom invoicing. $45/user/month.

    Kong Insomnia + Kong KonnectAPI Management Integration

    data: Native integration with Kong's API gateway and API catalog.

    Endpoint discovery from Konnect as source of truth; automatic API sync; governance at scale. Enterprise plan feature.

    Insomnia Inso CLICI/CD Automation

    data: CLI-based; no persistent data storage beyond local cache.

    OpenAPI spec validation and linting; push-to-gateway automation; Kubernetes Ingress support; Developer Portal integration.

    // What to watch

    • SOC 2 Type II report available only under NDA (standard enterprise practice, not a red flag). Actual audit scope and review period not publicly detailed.
    • GDPR compliance is policy-based via DPA, not a formal 'GDPR certification.' Data stored in US (GCP US Central) by default, outside EU jurisdiction.
    • AI Runner feature data is explicitly NOT end-to-end encrypted and NOT covered by E2EE. AI training policy (referenced in ToS) returns 404 and is inaccessible for independent verification. Recommend requesting detailed AI data usage policy before enterprise adoption.
    • HIPAA and PCI DSS are explicitly NOT vendor certifications; customers bear compliance responsibility based on their configuration and use case. Insomnia's architecture does not restrict storage of PHI or PCI data in project files if user configures it.
    • Homepage states 'Access enterprise certifications like SOC 2 Type 2' which is technically accurate but could be misread as Insomnia's own cert vs. Kong's cert covering Insomnia. Insomnia does not have independent compliance certifications (CSA STAR and SOC 2 are under Kong Inc. as vendor).
    • No ISO 27001 certification found for Insomnia or Kong. CSA STAR Level 1 is self-assessment, not third-party audited.

    // At a glance

    Pricing model

    Freemium: Free tier (local/Git, unlimited projects), Team plan (cloud collaboration, ~$12-15/user/month est.), Enterprise plan ($45/user/month with custom options). Custom annual agreements available.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Kong Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.konghq.com

    > Browse all vendor trust reports