Security & Compliance

Enterprise-grade security protecting your most valuable data

Security isn't an afterthought at ConvergeKit—it's built into everything we do. We implement industry-leading security practices to protect your data and maintain your trust.

Security Features

Encryption Everywhere

All data encrypted in transit (TLS 1.3) and at rest (AES-256).

SOC 2 Type II Audited

Security controls and practices independently audited; the Type II attestation report is available to Enterprise customers on request.

Regular Penetration Testing

Quarterly penetration tests performed by independent third-party testers.

GDPR & CCPA Compliant

Full compliance with data protection regulations.

Infrastructure Security

Hosted on enterprise-grade AWS infrastructure.

24/7 Monitoring

Real-time threat detection and incident response.

How We Protect Your Data

Data Encryption

  • In Transit: All data transmitted between your browser or API client and our servers is encrypted using TLS 1.3
  • At Rest: All stored data is encrypted using AES-256 encryption
  • Database: Database encryption with automatic key rotation
  • Backups: All backups are encrypted and stored in geographically distributed locations

Access Controls

  • Multi-Factor Authentication (MFA): Required for all team members and available for customers
  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Single Sign-On (SSO): Enterprise customers can use SAML-based SSO
  • IP Allowlisting: Restrict account access to specific source IP addresses
  • Session Management: Automatic session timeout and secure session handling
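An allowlist is only as strong as the way the server decides which address a request came from. The example below, added here and not ConvergeKit's own code, shows the check a proxy-aware allowlist has to make: a forwarded header is trusted only on connections that arrive from our own load balancers, and it is walked from the right so a client-supplied address at the left of X-Forwarded-For cannot spoof its way in. The address ranges are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed sample configuration (not ConvergeKit's real ranges): customer
# allowlist entries and the address range of the load balancers/reverse proxies
# that sit in front of the application.
ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8",)]


def _in_any(addr, nets) -> bool:
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixed v4/v6 lists are safe here.
    return any(addr in n for n in nets)


def client_ip(peer_addr: str, xff: Optional[str]):
    """Derive the real client address from the TCP peer and X-Forwarded-For.

    Walk X-Forwarded-For from the right (the hop most recently appended by a
    proxy we run) and skip only trusted proxies; the first untrusted address
    is the client. The leftmost value is attacker-controlled and is never
    trusted directly. Raises ValueError on an unparsable hop.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: any forwarded header is untrusted
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    # Header empty or every hop was one of our proxies: attribute the request
    # to the proxy itself, which is not on any customer allowlist.
    return peer


def is_allowed(peer_addr: str, xff: Optional[str] = None) -> bool:
    """Allowlist decision; fails closed on malformed input."""
    try:
        return _in_any(client_ip(peer_addr, xff), ALLOWLIST)
    except ValueError:
        return False


if __name__ == "__main__":
    # Direct connection with a spoofed header: header ignored, denied.
    print(is_allowed("198.51.100.7", "203.0.113.5"))
    # Same header arriving through a trusted proxy: allowed.
    print(is_allowed("10.0.0.4", "203.0.113.5"))
```

The failure mode this guards against is an attacker who adds `X-Forwarded-For: <allowlisted address>` to their own request; with the leftmost-value shortcut that many frameworks default to, the allowlist would be bypassed.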

Infrastructure Security

  • Cloud Provider: Hosted on AWS with enterprise-grade security controls
  • Network Isolation: Private VPCs and network segmentation
  • DDoS Protection: DDoS mitigation and a web application firewall (WAF) in front of all public endpoints
  • Intrusion Detection: 24/7 monitoring for suspicious activity
  • Automated Patching: Regular security updates and vulnerability patching

Application Security

  • Secure Development: Security-first development practices and code reviews
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Input Validation: Comprehensive input validation to prevent injection attacks
  • OWASP Top 10: Controls mapped to each of the OWASP Top 10 risk categories
  • API Security: Rate limiting, authentication, and API key rotation
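Key rotation only avoids an outage if the old and new keys overlap for a grace period, and key verification only avoids a timing oracle if the comparison is constant-time. The following is an added example of both, written for this page rather than taken from ConvergeKit's code; the "ck_<key_id>_<secret>" key layout and the one-hour default overlap are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative key format "ck_<key_id>_<secret>"; an assumption for this
# example, not ConvergeKit's real format.
PREFIX = "ck"


@dataclass
class StoredKey:
    digest: bytes        # SHA-256 of the secret; the plaintext is never stored
    expires_at: float    # after this instant the key no longer verifies


def _digest(secret: str) -> bytes:
    # A 256-bit random secret has no need for a slow password hash; a plain
    # SHA-256 is enough to keep a leaked key table from yielding usable keys.
    return hashlib.sha256(secret.encode()).digest()


def key_id_of(presented: str) -> str:
    """Public, non-secret identifier used to look the key up."""
    return presented.split("_", 2)[1]


class ApiKeyStore:
    """Server-side key table with overlap-window rotation."""

    def __init__(self, overlap_seconds: float = 3600.0):
        self.overlap = overlap_seconds
        self.keys: Dict[str, StoredKey] = {}

    def issue(self) -> str:
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = StoredKey(_digest(secret), float("inf"))
        return f"{PREFIX}_{key_id}_{secret}"

    def rotate(self, old_key_id: str, now: Optional[float] = None) -> str:
        """Issue a replacement and start the old key's grace period, so a
        client can swap credentials without an outage."""
        now = time.time() if now is None else now
        old = self.keys[old_key_id]
        old.expires_at = min(old.expires_at, now + self.overlap)
        return self.issue()

    def revoke(self, key_id: str) -> None:
        """Immediate revocation (compromise): no grace period."""
        self.keys.pop(key_id, None)

    def verify(self, presented: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != PREFIX:
            return False
        stored = self.keys.get(parts[1])
        if stored is None or now >= stored.expires_at:
            return False
        # Constant-time comparison: a plain == would leak how many leading
        # bytes of the digest matched.
        return hmac.compare_digest(stored.digest, _digest(parts[2]))


if __name__ == "__main__":
    store = ApiKeyStore()
    old = store.issue()
    new = store.rotate(key_id_of(old))
    print(store.verify(old), store.verify(new))  # both valid during the overlap
```

Looking keys up by a public key_id keeps the secret out of any index and means the only secret-dependent operation is the final digest comparison.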

Monitoring & Incident Response

  • 24/7 Monitoring: Real-time security monitoring and alerting
  • Security Operations Center: Dedicated team monitoring for threats
  • Incident Response Plan: Documented procedures for security incidents
  • Audit Logging: Comprehensive audit trails for all system activities
  • Threat Intelligence: Integration with threat intelligence feeds
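An audit trail is only useful in an investigation if the investigator can tell whether it has been edited after the fact. The example below, added here and not part of ConvergeKit's systems, shows the usual way to make a log tamper-evident: each entry carries an HMAC over its own record plus the previous entry's tag, so changing, removing or reordering an entry breaks every tag after it, and comparing the final tag against a head value stored out of band (for instance in a separate account) also catches truncation. The MAC key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(record: Dict[str, Any]) -> str:
    # Deterministic serialisation so the same event always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(key: bytes, prev: str, record: Dict[str, Any]) -> str:
    msg = (prev + _canonical(record)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log in which each entry is a MAC over the previous entry's
    tag plus its own record, so edits and deletions break the chain."""

    def __init__(self, mac_key: bytes):
        self.key = mac_key
        self.entries: List[Dict[str, Any]] = []
        self.head = GENESIS

    def append(self, **record: Any) -> Dict[str, Any]:
        entry = {
            "record": dict(record),
            "prev": self.head,
            "tag": _tag(self.key, self.head, record),
        }
        self.entries.append(entry)
        self.head = entry["tag"]  # publish this value out of band periodically
        return entry


def verify_chain(entries: List[Dict[str, Any]], key: bytes,
                 expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first entry that
    fails. A missing tail can only be detected against a head recorded out of
    band (expected_head), since truncation leaves a valid shorter chain."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return i
        if not hmac.compare_digest(_tag(key, prev, e["record"]), e["tag"]):
            return i
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1


if __name__ == "__main__":
    # Constructed sample events, not real audit data.
    log = AuditLog(b"constructed-demo-key")
    log.append(actor="alice", action="login", ip="203.0.113.5")
    log.append(actor="alice", action="export", dataset="customers")
    log.append(actor="bob", action="role_change", target="alice", role="admin")
    print(verify_chain(log.entries, log.key, expected_head=log.head))  # -1
    log.entries[1]["record"]["dataset"] = "nothing"
    print(verify_chain(log.entries, log.key))  # 1: first broken entry
```

The MAC key must live somewhere the writers of the log cannot read (an HSM, a KMS signing key, or a separate logging account); if an attacker who can edit the log can also read the key, they can simply re-chain it.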

Employee Security

  • Background Checks: All employees undergo background checks
  • Security Training: Regular security awareness training for all staff
  • Principle of Least Privilege: Employees only have access to data they need
  • Confidentiality Agreements: All employees sign NDAs and security policies
  • Offboarding: Immediate access revocation upon employee departure

Compliance & Certifications

  • SOC 2 Type II (audited): Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy.
  • GDPR (compliant): Compliance with the EU General Data Protection Regulation, including data portability and the right to deletion.
  • CCPA (compliant): California Consumer Privacy Act compliance with transparent data practices and consumer rights.
  • ISO 27001 (in progress): Information security management system certification.
  • HIPAA (available): Healthcare data protection available to Enterprise customers who sign a Business Associate Agreement (BAA).

Data Privacy & Protection

Data Residency

We offer data residency options for customers with specific requirements:

  • US Region: Data stored in AWS US-East and US-West
  • EU Region: Data stored in AWS Frankfurt (eu-central-1) for GDPR compliance
  • Custom Regions: Enterprise customers can request specific regions

Data Retention & Deletion

  • Active data retained while account is active
  • Deleted accounts purged within 30 days
  • Backups retained for 90 days then permanently deleted
  • Right to erasure honored within 30 days
  • Secure data wiping using industry-standard methods

Third-Party Subprocessors

We use a limited number of trusted third-party subprocessors:

  • AWS: Cloud infrastructure and hosting
  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • SendGrid: Transactional email delivery

All subprocessors are contractually required to maintain appropriate security standards. A complete list is available upon request.

Data Processing Agreements

For customers subject to GDPR or other data protection regulations, we provide Data Processing Agreements (DPAs) that include Standard Contractual Clauses. Enterprise customers can request custom DPAs.

Business Continuity & Disaster Recovery

Automated Backups

  • Continuous database replication to multiple regions
  • Hourly incremental backups
  • Daily full backups retained for 30 days
  • Encrypted backup storage with geographic redundancy

High Availability

  • 99.9% uptime SLA for all paid plans
  • Multi-region redundancy for critical services
  • Automatic failover for database and application servers
  • Load balancing across multiple availability zones

Disaster Recovery

  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 1 hour
  • Quarterly disaster recovery drills
  • Documented runbooks for all critical systems

Request Security Documentation

Enterprise customers can request detailed security documentation, including SOC 2 reports, penetration test results, and compliance certificates.


Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Email: security@convergekit.io

PGP Key: Available upon request

Please do not publicly disclose vulnerabilities until we've had a chance to address them. We typically respond within 24 hours and aim to resolve critical issues within 72 hours.