Kinde takes data privacy and security very seriously. We want you to trust us and our systems, which is why we engaged in external certification audits and conducted self assessments against globally recognized privacy and security frameworks to ensure our technology infrastructure and your data are kept secure.

Kinde is ISO 27001:2022 certified by Compass Assurance Services and maintains an information security management system (ISMS) with a dedicated internal security team. Our public listing is available on the JASANZ certified organizations register and the IAF CertSearch register. Reach out to our team if a copy of our certificate is required.

ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

Kinde has completed a SOC 2 Type 1 with report and attestation from AssuranceLab. Reach out to our team if a copy of our report is required. Note that receiving a copy will require an NDA as there’s sensitive information in the report.

A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

Kinde is compliant with the GDPR and supports our customers by maintaining strict privacy principles as a Data Processor.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on information privacy. It came into effect on May 25, 2018 and places obligations for any company targeting or collecting data related to people in the EU. It’s goal is to increase privacy protections for individuals and standardise data privacy laws across the various EU member countries.

More information about the GDPR and what Kinde does for comply with it can be found on our GDPR page.

Kinde is HIPAA compliant and supports our customers as a Business Associate. Reach out to our team if you need a Business Associate Agreement in place before working with us.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law on how to protect sensitive health information, known as Protected Health Information (PHI), which led to the creation of the Privacy Rule and Security Rule. It has since been updated with additional rules and supplemented by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

Kinde has completed a Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance and submitted to their public STAR registry as a Level 1 self-assessment.

Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.

Kinde has completed a Minimum Viable Secure Product (MVSP) self-assessment and implemented all recommended controls. Reach out to our team if you need to review our responses or have questions about specific controls.

MVSP is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services.

Please note that Kinde does not hold a PCI-DSS Report on Compliance (ROC) from a Qualified Security Assessor (QSA).

In preparation for Kinde’s upcoming customer billing feature, we have engaged with a QSA to validate our scoping and we are preparing the necessary Self Assessment Questionnaire (SAQ) to meet the PCI-DSS requirements for processing cardholder data. Currently we use a third party service provider and their SAQ-A scoped method, which greatly reduces the scope that Kinde has to meet as a PCI-DSS Service Provider.

Our SAQ and Attestation of Compliance (AOC) will be available when scoping work is completed and will transition to a Level 1 Service Provider when the necessary transaction volume is reached.