// Trust & Security Report
Kong Inc.
Kong Insomnia is a collaborative API development platform for designing, testing, mocking, and debugging APIs. Core offerings include free tier (local/Git storage, unlimited projects), Team plan (shared workspace collaboration), and Enterprise plan (SOC 2 access, SSO, SCIM, vault integrations, SLAs). Includes native Kong Konnect integration, MCP server testing support, and AI-powered features (AI Runner).
Certifications held
2
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on konghq.com“Kong's SOC 2 Type II report confirms the design and effectiveness of non-financial controls related to security, availability, and confidentiality across Kong Konnect, Konnect Dedicated Cloud Gateways, Kong Insomnia, Kong Gateway Enterprise, Kong AI Gateway, and Kong Mesh.”
Verify on konghq.com“Kong Insomnia has completed a CSA STAR Level 1 self-assessment with a CAIQ v4.0.3 questionnaire, and this details Kong's security, privacy, and compliance practices aligned with the Cloud Controls Matrix.”
> Show 4 unconfirmed / not-held certifications
source: trust.konghq.comNo public evidence of ISO 27001 certification for Insomnia found in vendor documentation or Kong's compliance materials.
source: insomnia.restKong maintains GDPR compliance via Data Protection Addendum (DPA) at https://konghq.com/legal/data-protection-addendum. Not a formal certification but enforceable contractual compliance. Data stored outside EU (GCP US Central region).
source: konghq.comHIPAA compliance is customer-dependent, not a vendor certification. Terms state: 'Customer may not store or process any payment cardholder information (PCI) or protected health information (PHI) in Project Data through the Cloud Services.'
source: konghq.comPCI DSS compliance is customer-dependent configuration. Kong does not store financial data by default. Customers must complete their own Self-Assessment Questionnaire (SAQ).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
GCP US Central region (not EU-compliant by default). Users can enforce local or Git-based storage for full data control.
AI Runner features use data that is NOT end-to-end encrypted and NOT considered 'Project Data' per ToS. Detailed AI training policy unavailable (AI Runner Policy link returns 404). Data handling for AI features not fully transparent.
// Security controls
Encryption in transit
TLS 1.2+ for all data in transit; SRP (Secure Remote Password) protocol for authentication
developer.konghq.comEncryption at rest (synced data)
AES-GCM-256 symmetric encryption for synced project data; end-to-end encryption (E2EE) optional with user-controlled passphrase (Insomnia does not store passphrases)
developer.konghq.comEncryption at rest (local data)
Local data on disk NOT encrypted in Scratch Pad; recommended for sensitive work only if using Git or Cloud storage with E2EE
developer.konghq.comAuthentication
OIDC, SAML, and SCIM support for Enterprise SSO; RFC-2945 SRP for paid plans
insomnia.restAccess control
Role-based access control (RBAC), team management, domain management, invite controls (Enterprise)
insomnia.restIncident response
Documented incident response and vulnerability management process; breach notification per GDPR obligations
developer.konghq.comData deletion
Account owners can request permanent deletion; Kong retains backups as per 'legitimate interest' (GDPR-permissible) and only removes from backups if legally compelled
insomnia.rest// Products & data scope
data: Local-only by default; no cloud sync unless user opts-in to paid plans. Git Sync available.
No login required for Scratch Pad; unlimited projects; unlimited collection runner; native MCP client; free HTTP, gRPC, GraphQL, Socket.io, WSS+SSE support. Open-source core.
data: Cloud storage with collaborative workspace. End-to-end encryption optional.
Git Sync for up to 3 team members; real-time collaboration; 3-way merge; shared collections. No SOC 2 access.
data: Flexible storage: local-only, Git, or cloud. Supports data residency mandates. E2EE available.
SOC 2 Type II access (under NDA); enterprise support with SLAs; SSO (SAML/OIDC) and SCIM; vault integrations (AWS, GCP, Azure, HashiCorp); domain management; custom invoicing. $45/user/month.
data: Native integration with Kong's API gateway and API catalog.
Endpoint discovery from Konnect as source of truth; automatic API sync; governance at scale. Enterprise plan feature.
data: CLI-based; no persistent data storage beyond local cache.
OpenAPI spec validation and linting; push-to-gateway automation; Kubernetes Ingress support; Developer Portal integration.
// What to watch
- SOC 2 Type II report available only under NDA (standard enterprise practice, not a red flag). Actual audit scope and review period not publicly detailed.
- GDPR compliance is policy-based via DPA, not a formal 'GDPR certification.' Data stored in US (GCP US Central) by default, outside EU jurisdiction.
- AI Runner feature data is explicitly NOT end-to-end encrypted and NOT covered by E2EE. AI training policy (referenced in ToS) returns 404 and is inaccessible for independent verification. Recommend requesting detailed AI data usage policy before enterprise adoption.
- HIPAA and PCI DSS are explicitly NOT vendor certifications; customers bear compliance responsibility based on their configuration and use case. Insomnia's architecture does not restrict storage of PHI or PCI data in project files if user configures it.
- Homepage states 'Access enterprise certifications like SOC 2 Type 2' which is technically accurate but could be misread as Insomnia's own cert vs. Kong's cert covering Insomnia. Insomnia does not have independent compliance certifications (CSA STAR and SOC 2 are under Kong Inc. as vendor).
- No ISO 27001 certification found for Insomnia or Kong. CSA STAR Level 1 is self-assessment, not third-party audited.
// At a glance
Pricing model
Freemium: Free tier (local/Git, unlimited projects), Team plan (cloud collaboration, ~$12-15/user/month est.), Enterprise plan ($45/user/month with custom options). Custom annual agreements available.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kong Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.konghq.com