Security at Kontent.ai

General

At Kontent.ai, privacy and security are paramount. We have embedded security in everything we do, including a Security Development Lifecycle (SDLC) integrated into our Agile processes. This helps us reduce both the number of security flaws and their severity. Read more about SDLC for agile.

Moreover, all our development team members must attend dedicated security training focused on writing secure code, performing security code reviews, and performing security testing. We also carry out regular code reviews and security scans of the application. Security reviews are performed:

  • manually, by our internal team and by external penetration testers
  • automatically, using scanners and other security tools to catch common classes of security vulnerabilities in Kontent.ai

Security reviews cover exploitable weaknesses, including the most frequently occurring vulnerability classes listed in the OWASP Top 10. Any vulnerability found is triaged by our security experts and fixed within hours or days, depending on its severity.

Data storage

Kontent.ai stores data in Microsoft Azure storage services. You can choose to store your project data in a data center in Europe (the Netherlands), the United States (Virginia), or Australia (East Coast). Your project data and tracked visitor data are then stored in the region you select. Project data means all content created within the Kontent.ai application. It does not include the user (meta)data required for the Kontent.ai service to work, which is always stored in the data center located in West Europe. You can find more information about data centers here.

Kontent.ai uses a global Content Delivery Network (CDN) powered by Fastly to deliver your content to your websites and applications. The CDN has edge nodes all around the world, ensuring fast content delivery regardless of where your visitors are.

All data is encrypted by default. We also back up data daily and retain the backups for 30 days.

Availability

We continuously monitor all our services to ensure the highest availability. You can find the current status of all our services, together with information about planned maintenance, on our status page. The Scale and Enterprise plans include a guaranteed Service Level Agreement (SLA) on service availability, and an SLA on support response time is available as an option.

Payment information

Kontent.ai uses FastSpring as its payment provider, and we do not store any credit card information. All payment data is processed by FastSpring, whose stores are PCI DSS compliant.

Compliance with privacy regulations

We take compliance with privacy regulations, including the General Data Protection Regulation (GDPR), seriously. You can find more information about Kontent.ai's commitment to GDPR compliance on this page.

SOC 2 compliance

System and Organization Controls (SOC) reports are intended for service providers that store customer data in the cloud. They attest that the provider manages that data securely and protects the privacy and interests of its customers. Kontent.ai is SOC 2 Type 2 compliant, and our reports cover the following Trust Services Criteria (TSC) relevant to the services we provide:

  • General (common) TSC
  • Security
  • Availability
  • Confidentiality

Maintaining SOC 2 Type 2 examinations demonstrates our continuous commitment to information security and to protecting our customers’ sensitive data against breaches. You can request our latest SOC 2 Type 2 report from your sales or Customer Success representative or via security@kontent.ai (NDA required).

ISO certifications

The International Organization for Standardization (ISO) publishes standards for management systems. ISO certifications recognize organizations worldwide that successfully pass third-party audits. The audits determine whether an organization's processes, products, and services fulfill the criteria of the relevant standards.

All Kontent.ai services are hosted in the Microsoft Azure infrastructure. Microsoft data centers comply with security and data privacy standards including ISO 27001, ISO 9001, ISO 20000-1, and others.

Kontent.ai currently holds both the ISO/IEC 27001 and ISO/IEC 27017 security certifications.

Kontent.ai security reviews

Kontent.ai performs regular penetration tests of the product and the relevant infrastructure. In addition, there are regular reviews and audits of the product, our internal processes, and the third-party services we use. We engage both internal and external auditors to help us find potential weaknesses and areas for improvement.

If you are interested in security assessment results, contact us through your sales or Customer Success representative or via security@kontent.ai (NDA required).

Reporting incidents

In the event of an incident affecting the Kontent.ai application or customer data, Kontent.ai will inform affected customers without undue delay, with a target of at most 72 hours from becoming aware of the incident. For incidents affecting:

  • Availability of the Kontent.ai application, the information is provided via https://status.kontent.ai/, and customers can subscribe to updates there
  • Confidentiality or integrity of customer data, Kontent.ai informs affected customers directly

The reports describe Kontent.ai's response to the incident and, where applicable, any steps taken or planned to prevent similar incidents in the future. The contact address for security incidents is security@kontent.ai.

Reporting security issues

If you believe you have found a security issue in Kontent.ai, please follow the steps outlined in our Vulnerability Disclosure Policy.

For intellectual property rights issues or complaints, contact compliance@kontent.ai.