// Trust & Security Report
Kapwing Inc.
Kapwing is a browser-based video/audio editing SaaS (video editor, subtitler, transcription, audio editor) with an expanding suite of AI-powered tools (script generator, AI video generator, dubbing, voice cloning, B-roll generator) sold across Free, Pro, Team/Business (workspace), Enterprise, and Education tiers, plus a beta Plugin API for developers.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on kapwing.com“Does Kapwing comply with GDPR? "Kapwing offers a Data Processing Addendum for eligible Enterprise customers" where Kapwing acts as a Processor for customer personal data under applicable data protection laws.”
> Show 6 unconfirmed / not-held certifications
source: kapwing.comIs Kapwing SOC 2 certified? "Kapwing does not currently publish a SOC 2 Type II report." Enterprise customers may request available security documentation under NDA.
source: kapwing.comNo public evidence. Kapwing's dedicated Security and Data Privacy FAQ enumerates internal controls (2SV enforcement, role-based permissions, audit logs, security training) and directly addresses SOC 2, but makes no mention of ISO 27001 certification anywhere on the page or elsewhere on kapwing.com.
source: kapwing.comNo public evidence. Kapwing's Security and Data Privacy FAQ, Privacy Policy, and Terms of Service make no reference to HIPAA, PHI handling, or a Business Associate Agreement (BAA) at any tier.
source: kapwing.comNot directly applicable to Kapwing. The Security & Data Privacy FAQ states: "We do not store passwords or payment information. All payments and customer billing info is processed through Stripe, a secure third-party processor." Stripe is listed on the sub-processors page for transaction processing, fraud prevention, and compliance; no PCI attestation is made by Kapwing itself.
source: kapwing.comNo public evidence. Despite dedicated FAQ answers on AI training and AI sub-processors, ISO/IEC 42001 or any AI-governance certification is not mentioned anywhere on Kapwing's site.
source: kapwing.comNo public evidence of a CSA STAR registry entry or self-assessment on Kapwing's own domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States only. "All of Kapwing's servers are located in the USA (regions us-East1 and us-West1 on Google Cloud Platform)." User/account data is stored in MongoDB Atlas, also primarily US-based. No EU/UK data residency option is documented.
Kapwing states explicitly: "No. Kapwing does not train AI models on customer content or customer personal data." For the 15+ third-party AI sub-processors it routes features through (OpenAI, ElevenLabs, Pika, Replicate, DeepL, BytePlus, etc.), Kapwing says it "seeks contractual restrictions, where available, preventing subprocessors from using API-submitted customer data to train their models" -- a best-effort posture, not an absolute guarantee for every sub-processor. Separately, the Privacy Policy states Voice Cloning recordings are "stored for research and development purposes, including the analysis, maintenance, and enhancement of our tools," which is a narrower, feature-specific exception worth flagging to prospective users of that feature.
// Security controls
Encryption in transit
Data is encrypted in transit by default (inherited from Google Cloud Platform and MongoDB Atlas).
kapwing.comEncryption at rest
User account/workspace data (MongoDB Atlas) and video content (GCP) are "encrypted at REST and in transit by default."
kapwing.comHosting / data location
All servers in the USA (GCP us-East1, overflow us-West1); MongoDB Atlas primarily US.
kapwing.comInternal access controls
Security training, role-based permissions, mandatory 2-step verification (2SV) for employees, formal onboarding/offboarding, hardware locks, restricted office access, monitored/anti-malware-protected laptops, and audit logs. Employee access to customer content is limited to support, bug investigation, reliability, Terms enforcement, or legal compliance.
kapwing.comCustomer authentication / MFA
Sign-in via Google OAuth, Apple, Microsoft, Facebook, or a magic email link. No native 2FA for self-serve/email-link login; MFA is available indirectly via Google Workspace SSO or Enterprise SAML/SSO (contact sales).
kapwing.comIncident response
"Logging and monitoring designed to detect security issues"; commits to notify affected customers "without undue delay" of a breach.
kapwing.comBug bounty
None. "No, we do not currently have a bug bounty program"; issues are tracked internally and addressed via quarterly bug-bash sessions.
kapwing.comDefault project visibility
Projects default to "unlisted" (viewable/commentable by anyone with the link); Pro/Enterprise workspaces can set default visibility to "Private," toggleable workspace-wide by an admin.
kapwing.comData deletion
Deleting a project or account removes the associated videos/data from Kapwing's database (project removal from public view is immediate, full server removal within 7 days per the Privacy Policy).
kapwing.com// Products & data scope
data: User-uploaded video/audio/image content and account profile data, processed and stored on GCP/MongoDB Atlas; projects default to link-shareable "unlisted."
No account required to browse or create; account needed to save projects. No compliance documentation offered at this tier.
data: Same infrastructure as Free tier; can set project visibility to Private.
No DPA or formal security documentation offered; same encryption and hosting posture as Free.
data: Shared workspace content and member/permission data; admin-controlled sharing settings.
Workspace admins manage member access and approve/deny join requests; per-seat billing.
data: Same underlying US-hosted infrastructure as other tiers, with added contractual protections.
Only tier offering a Data Processing Addendum, SAML/SSO, and security questionnaire responses / documentation under NDA. This is the tier that carries whatever compliance assurance Kapwing can currently offer -- self-serve tiers do not get a DPA.
data: Student- and teacher-generated content; school verification data (school name/address, proof of employment or registration) for verified EDU accounts.
Users under 13 are not permitted; supports COPPA-oriented parental review/deletion requests per the Privacy Policy.
// What to watch
- No SOC 2 Type II report published -- confirmed explicitly by the vendor's own Security & Data Privacy FAQ ('Kapwing does not currently publish a SOC 2 Type II report'). Enterprise customers can request questionnaire responses under NDA, but there is no publicly verifiable third-party audit.
- No evidence of ISO 27001, HIPAA/BAA, PCI DSS, ISO/IEC 42001, or CSA STAR anywhere on Kapwing's own domain, despite a security FAQ that otherwise answers cert-style questions in detail -- reads as an honest gap rather than a missed capture.
- GDPR posture is uneven across pages: the scraped Privacy Policy (effective Aug 2022, no visible more-recent revision date, and CCPA-focused) never mentions GDPR, EU data-subject rights, or an EU representative, while a separate Security FAQ states a DPA is available -- but only 'for eligible Enterprise customers.' Free/Pro/Team customers are not covered by a DPA.
- AI-training assurance has a carve-out: Kapwing's own no-training pledge is explicit and strong, but the pledge for its 15+ third-party AI sub-processors (OpenAI, ElevenLabs, Pika, Replicate, DeepL, BytePlus, etc.) is 'seeks contractual restrictions, where available' -- a best-effort, not an absolute, guarantee.
- Voice Cloning feature is a narrower exception: recorded voice data is 'stored for research and development purposes, including the analysis, maintenance, and enhancement of our tools' per the Privacy Policy -- distinct from, and slightly in tension with, the general 'we don't train on your content' messaging.
- No bug bounty program (explicitly confirmed); vulnerability handling relies on internal quarterly bug-bash sessions rather than external researcher incentives.
- All data hosting is US-only with no documented EU/UK residency option, which may be disqualifying for EU enterprise buyers with data-localization requirements.
// At a glance
Pricing model
Freemium SaaS subscription: Free, Pro, Business/Team (per-seat, monthly or annual), and custom-quoted Enterprise; EDU tier for schools.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kapwing Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
kapwing.com