
Your Content, Your Control: How Privacy Works in Kontent.ai

Privacy in a content management system (CMS) is the set of controls, policies, and technical safeguards that protect the personal data of everyone who uses the platform, from the marketers logging in every day to the end users consuming the content. If you're a content creator, content manager, or marketer, this guide explains what privacy means in practice inside Kontent.ai and why it matters for your work.

Written by Matej Zachar

Why should content teams care about privacy?

You might think privacy is purely an IT or legal concern. It isn't, and the numbers make the case clearly.
Since 2018, European regulators alone have imposed over €6.3 billion in GDPR fines across more than 3,100 enforcement actions. In 2024, aggregate fines reached €1.2 billion, with penalties hitting companies of all sizes, not just tech giants, but also e-commerce shops, SaaS startups, and marketing agencies.

Some of the most headline-grabbing cases are directly relevant to anyone working with content and digital platforms:

  • TikTok was fined €530 million in 2025 by the Irish Data Protection Commission for transferring European users' personal data to servers in China without adequate safeguards.
  • LinkedIn received a €310 million fine in 2024 for profiling users and serving targeted ads without a valid legal basis.
  • Google was fined €90 million simply because its cookie banner made it easier to accept cookies than to reject them. 

The takeaway? Privacy failures aren't just about hackers or data breaches. They're about how organizations collect, store, and transfer personal data: exactly the kind of decisions that content platforms make every day on your behalf.

When you choose a CMS, you're choosing a partner in data stewardship. Here's how we approach that responsibility at Kontent.ai.

You choose where your data lives

Data residency, the physical location where your content and data are stored, is one of the most common questions we hear from customers. And for good reason. Many industries and regulations require that data stays within specific geographic boundaries.

When you create a project in Kontent.ai, you select your data center region. Today, we offer four multi-tenant regions:

Region            Location
East US           Virginia, USA
West Europe       Netherlands
East Australia    New South Wales
Central Canada    Toronto

For organizations with stricter requirements, our dedicated single-tenant infrastructure supports deployment in 40+ Azure regions worldwide, with additional controls like IP whitelisting, custom domain mapping, and domain-level access restrictions. 

This means you're not locked into a one-size-fits-all setup. Whether you're a media company in Sydney or a financial institution in Frankfurt, you can keep your data close to home.

Strong authentication keeps unauthorized users out

Your CMS is only as secure as the door that guards it. Kontent.ai provides multiple layers of authentication to make sure the right people (and only the right people) can access your content:

  • Single Sign-On (SSO): Connect your existing identity provider — Azure AD, OKTA, ADFS, Office 365, and others — so your team logs in with the credentials they already use. No extra passwords to remember, no separate accounts to manage.
  • Multifactor Authentication (MFA): Add a second verification step using an authenticator app. MFA can be self-managed by each user or enforced across your entire organization by email domain.

These aren't optional extras bolted on later. They're part of the platform, designed to work together so your team stays productive without cutting corners on security.

Granular permissions let you control who sees what

Not everyone on your team needs access to everything. A freelance writer doesn't need to manage API keys. A regional editor shouldn't be able to publish content for a different market.

Kontent.ai's role-based access control (RBAC) lets you define custom roles scoped to specific Collections, Spaces, Workflow Steps, and Content Types. This means you can:

  • Give an external agency access only to the content collection they're working on.
  • Restrict publishing rights to senior editors while allowing junior creators to draft and submit.
  • Separate development environments from production to avoid accidental exposure of sensitive data.

This level of granularity helps you follow the principle of least privilege: a core privacy best practice that says people should only have the minimum access they need to do their job.

AI features you can turn on or off

AI-powered features can dramatically speed up content operations, from translation to image cropping to editorial suggestions. But they also mean your content is being processed by third-party AI models, and that's a legitimate privacy concern.

Here's how we handle it: every AI feature in Kontent.ai can be individually disabled in your project settings. When you turn a feature off, data transfer to the corresponding sub-processor stops immediately. 

Three additional commitments we make about AI and your data:

  1. No training on your content. Neither Kontent.ai nor any of our AI sub-processors use your content to train AI models.
  2. Zero-retention APIs. Our integration with Anthropic uses zero-retention endpoints. Prompts are held for a maximum of 7 days in transient logs for abuse monitoring, with no human access.
  3. Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) are in place with every AI sub-processor.

The principle is simple: you stay in control. If your organization's policy or your customer's contract doesn't allow certain AI processing, you switch it off; no support ticket needed.

Encryption protects data in motion and at rest

All data transmitted to and from Kontent.ai is encrypted using TLS 1.3 or 1.2. Data stored on our servers is encrypted at rest with AES-256, one of the strongest encryption algorithms available today. This applies to everything: your content items, assets, user metadata, and API communications.

Audit logs show you exactly what happened

When multiple people collaborate on content, you need visibility into who changed what and when. Kontent.ai's Audit Log records changes to content models and configuration for the last 90 days, including:

  • What was changed (content types, snippets, asset types)
  • Who made the change (specific user or API key)
  • How it was made (through the UI or via API)
  • Whether an AI feature was involved (marked as "via Aiko")

This kind of traceability isn't just good practice. It's often a requirement for organizations operating under GDPR or industry-specific regulations.

You control who can access your published content

By default, content delivered through the Delivery API is publicly accessible, which makes sense for most websites and apps. But if you're working with sensitive, gated, or pre-release content, you can activate Secure Access, which requires an API key for every request.

The same applies to assets (images, documents, videos): you can restrict access so that files are only retrievable with a valid key. This is especially useful for organizations that publish internal documentation, premium content, or regulated materials.

We're transparent about what data we process

We publish a comprehensive, regularly updated list of all personal data types processed in Kontent.ai and every third-party service that receives data. This documentation is designed to help your privacy, legal, or compliance team map data flows and fulfill their own regulatory obligations, whether under GDPR, CCPA, Australia's Privacy Act, or other frameworks.

You can find this information at:

Backed by internationally recognized certifications

Privacy claims are only as strong as the evidence behind them. Kontent.ai maintains a portfolio of independent certifications and attestations:

Certification      What it covers
ISO/IEC 27001      Information security management
ISO/IEC 27017      Cloud-specific security controls
ISO/IEC 27018      Protection of personally identifiable information (PII) in public clouds
ISO/IEC 42001      AI management system
SOC 2 Type 2       Security, availability, and confidentiality
CSA STAR           Cloud security maturity
HIPAA              Healthcare data protection

We're also a signatory of the EU AI Pact and the Cloud Security Alliance's AI Trustworthy Pledge, reflecting our commitment to responsible AI practices beyond what's legally required.

All certificates and attestation reports are available through our Trust Center.

Frequently Asked Questions

Yes. We process data in accordance with GDPR, UK GDPR, and the Swiss Federal Act on Data Protection (FADP). We provide a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) for cross-border data transfers.
