// Trust & Security Report

    Kapwing Inc. logo

    Kapwing Inc.

    Kapwing is a browser-based video/audio editing SaaS (video editor, subtitler, transcription, audio editor) with an expanding suite of AI-powered tools (script generator, AI video generator, dubbing, voice cloning, B-roll generator) sold across Free, Pro, Team/Business (workspace), Enterprise, and Education tiers, plus a beta Plugin API for developers.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture / DPA)
    HELD

    Does Kapwing comply with GDPR? "Kapwing offers a Data Processing Addendum for eligible Enterprise customers" where Kapwing acts as a Processor for customer personal data under applicable data protection laws.

    Verify on kapwing.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    Is Kapwing SOC 2 certified? "Kapwing does not currently publish a SOC 2 Type II report." Enterprise customers may request available security documentation under NDA.

    source: kapwing.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Kapwing's dedicated Security and Data Privacy FAQ enumerates internal controls (2SV enforcement, role-based permissions, audit logs, security training) and directly addresses SOC 2, but makes no mention of ISO 27001 certification anywhere on the page or elsewhere on kapwing.com.

    source: kapwing.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Kapwing's Security and Data Privacy FAQ, Privacy Policy, and Terms of Service make no reference to HIPAA, PHI handling, or a Business Associate Agreement (BAA) at any tier.

    source: kapwing.com
    PCI DSS
    NOT CONFIRMED

    Not directly applicable to Kapwing. The Security & Data Privacy FAQ states: "We do not store passwords or payment information. All payments and customer billing info is processed through Stripe, a secure third-party processor." Stripe is listed on the sub-processors page for transaction processing, fraud prevention, and compliance; no PCI attestation is made by Kapwing itself.

    source: kapwing.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Despite dedicated FAQ answers on AI training and AI sub-processors, ISO/IEC 42001 or any AI-governance certification is not mentioned anywhere on Kapwing's site.

    source: kapwing.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or self-assessment on Kapwing's own domain.

    source: kapwing.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States only. "All of Kapwing's servers are located in the USA (regions us-East1 and us-West1 on Google Cloud Platform)." User/account data is stored in MongoDB Atlas, also primarily US-based. No EU/UK data residency option is documented.

    Kapwing states explicitly: "No. Kapwing does not train AI models on customer content or customer personal data." For the 15+ third-party AI sub-processors it routes features through (OpenAI, ElevenLabs, Pika, Replicate, DeepL, BytePlus, etc.), Kapwing says it "seeks contractual restrictions, where available, preventing subprocessors from using API-submitted customer data to train their models" -- a best-effort posture, not an absolute guarantee for every sub-processor. Separately, the Privacy Policy states Voice Cloning recordings are "stored for research and development purposes, including the analysis, maintenance, and enhancement of our tools," which is a narrower, feature-specific exception worth flagging to prospective users of that feature.

    // Security controls

    Encryption in transit

    Data is encrypted in transit by default (inherited from Google Cloud Platform and MongoDB Atlas).

    kapwing.com

    Encryption at rest

    User account/workspace data (MongoDB Atlas) and video content (GCP) are "encrypted at REST and in transit by default."

    kapwing.com

    Hosting / data location

    All servers in the USA (GCP us-East1, overflow us-West1); MongoDB Atlas primarily US.

    kapwing.com

    Internal access controls

    Security training, role-based permissions, mandatory 2-step verification (2SV) for employees, formal onboarding/offboarding, hardware locks, restricted office access, monitored/anti-malware-protected laptops, and audit logs. Employee access to customer content is limited to support, bug investigation, reliability, Terms enforcement, or legal compliance.

    kapwing.com

    Customer authentication / MFA

    Sign-in via Google OAuth, Apple, Microsoft, Facebook, or a magic email link. No native 2FA for self-serve/email-link login; MFA is available indirectly via Google Workspace SSO or Enterprise SAML/SSO (contact sales).

    kapwing.com

    Incident response

    "Logging and monitoring designed to detect security issues"; commits to notify affected customers "without undue delay" of a breach.

    kapwing.com

    Bug bounty

    None. "No, we do not currently have a bug bounty program"; issues are tracked internally and addressed via quarterly bug-bash sessions.

    kapwing.com

    Default project visibility

    Projects default to "unlisted" (viewable/commentable by anyone with the link); Pro/Enterprise workspaces can set default visibility to "Private," toggleable workspace-wide by an admin.

    kapwing.com

    Data deletion

    Deleting a project or account removes the associated videos/data from Kapwing's database (project removal from public view is immediate, full server removal within 7 days per the Privacy Policy).

    kapwing.com

    // Products & data scope

    Kapwing Free / ConsumerConsumer video editing (freemium)

    data: User-uploaded video/audio/image content and account profile data, processed and stored on GCP/MongoDB Atlas; projects default to link-shareable "unlisted."

    No account required to browse or create; account needed to save projects. No compliance documentation offered at this tier.

    Kapwing ProProsumer / individual paid

    data: Same infrastructure as Free tier; can set project visibility to Private.

    No DPA or formal security documentation offered; same encryption and hosting posture as Free.

    Kapwing Team / Business (Workspace)SMB / team collaboration

    data: Shared workspace content and member/permission data; admin-controlled sharing settings.

    Workspace admins manage member access and approve/deny join requests; per-seat billing.

    Kapwing EnterpriseEnterprise

    data: Same underlying US-hosted infrastructure as other tiers, with added contractual protections.

    Only tier offering a Data Processing Addendum, SAML/SSO, and security questionnaire responses / documentation under NDA. This is the tier that carries whatever compliance assurance Kapwing can currently offer -- self-serve tiers do not get a DPA.

    Kapwing for Education (EDU)Education

    data: Student- and teacher-generated content; school verification data (school name/address, proof of employment or registration) for verified EDU accounts.

    Users under 13 are not permitted; supports COPPA-oriented parental review/deletion requests per the Privacy Policy.

    // What to watch

    • No SOC 2 Type II report published -- confirmed explicitly by the vendor's own Security & Data Privacy FAQ ('Kapwing does not currently publish a SOC 2 Type II report'). Enterprise customers can request questionnaire responses under NDA, but there is no publicly verifiable third-party audit.
    • No evidence of ISO 27001, HIPAA/BAA, PCI DSS, ISO/IEC 42001, or CSA STAR anywhere on Kapwing's own domain, despite a security FAQ that otherwise answers cert-style questions in detail -- reads as an honest gap rather than a missed capture.
    • GDPR posture is uneven across pages: the scraped Privacy Policy (effective Aug 2022, no visible more-recent revision date, and CCPA-focused) never mentions GDPR, EU data-subject rights, or an EU representative, while a separate Security FAQ states a DPA is available -- but only 'for eligible Enterprise customers.' Free/Pro/Team customers are not covered by a DPA.
    • AI-training assurance has a carve-out: Kapwing's own no-training pledge is explicit and strong, but the pledge for its 15+ third-party AI sub-processors (OpenAI, ElevenLabs, Pika, Replicate, DeepL, BytePlus, etc.) is 'seeks contractual restrictions, where available' -- a best-effort, not an absolute, guarantee.
    • Voice Cloning feature is a narrower exception: recorded voice data is 'stored for research and development purposes, including the analysis, maintenance, and enhancement of our tools' per the Privacy Policy -- distinct from, and slightly in tension with, the general 'we don't train on your content' messaging.
    • No bug bounty program (explicitly confirmed); vulnerability handling relies on internal quarterly bug-bash sessions rather than external researcher incentives.
    • All data hosting is US-only with no documented EU/UK residency option, which may be disqualifying for EU enterprise buyers with data-localization requirements.

    // At a glance

    Pricing model

    Freemium SaaS subscription: Free, Pro, Business/Team (per-seat, monthly or annual), and custom-quoted Enterprise; EDU tier for schools.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Kapwing Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    kapwing.com

    > Browse all vendor trust reports