Kapwing's products are designed to protect user data and give customers control over their data. We take user trust seriously and follow these security best practices:
- All data is stored with cloud providers who have top-tier physical security controls.
- Data is encrypted in transit and at rest.
- We peer review and test our code prior to release, including manual and automated checks for security issues.
- We only release software after qualifying it in development and staging environments.
- We provide SSO options for enterprises to secure their accounts.
- We leverage logging and monitoring systems to detect threats and breaches.
This article answers some frequently asked questions about security and data handling at Kapwing.
Where is Kapwing's data stored?
All of Kapwing's servers are located in the USA (regions us-east1 and us-west1 on Google Cloud Platform). The servers are scaled up dynamically, with most going to US-East and overflow going to US-West.
What data does Kapwing store?
We store as little sensitive data as possible and give users control over what data they want to protect and share. Our database includes:
- User email address, name, and profile picture
- Team data, including the members of each workspace, workspace settings, and shared brand assets
- Project data, including uploaded assets and the operations of edits within a project
We do not store passwords or payment information. All payments and customer billing info are processed through Stripe, a secure third-party processor.
Kapwing is secured with an SSL certificate, with HTTPS URLs that provide security and data integrity for user information. We use a global CDN to prevent network attacks and keep Kapwing online. All of our cloud instances are protected by Shielded VM.
Is data encrypted?
Data is encrypted. Videos are processed and stored on Google Cloud Platform servers, so we inherit encryption best practices from Google. User account and workspace information is stored with MongoDB Atlas. Both are stored primarily in the United States (with exceptions for some foreign users) and are encrypted at rest and in transit by default.
Learn more about MongoDB's encryption (https://docs.atlas.mongodb.com/security-kms-encryption/) and Google Cloud's encryption (https://cloud.google.com/security/encryption-at-rest).
The only unencrypted files are those created by anonymous users. Assets uploaded by signed-out users are publicly accessible, not tied to any account, and not connected with personally identifying information.
Who can access projects and assets created on Kapwing?
Public content is unlisted. Most user content on Kapwing is published publicly, which means that anyone with the project's unique ID can access it. This enables users to share content with others from a URL, even people who are not in their team. However, the video is not listed or available to browse in a public directory. We call this state "Unlisted," similar to the terms used by YouTube and Google Drive.
Pro and Enterprise users can make their projects private. When a file is private on Kapwing, only the creators and users with permission to access that file (in the same Workspace) can view, share or download it. If an unauthorized user attempts to access a private export, they will be redirected to the homepage and see an error message without viewing the assets or thumbnail.
Within a team, projects made in "Team Folders" are accessible to everyone in that Team. This enables a team to collaborate more easily, as multiple team members can give input, leave comments, download, review, and edit projects authored by others. Team projects can be shared with unauthorized users, like a client or a colleague who does not have a Kapwing license, who will be in view-only mode.
Pro and Enterprise customers can create "Private Folders." These projects are not visible to other members of the team, which can be useful for drafts and personal projects. If you create a project in your private folder, others will not be able to see it by default.
How can I be sure that my designs are private?
In Workspace settings, Pro and Enterprise users can change the default setting for new projects. If you're handling sensitive data, we recommend making the default setting "Private" so that unauthorized users cannot access the assets.
For an individual project in the Workspace, the project thumbnail will be marked with a privacy icon when private. From the Workspace, users can toggle between Private and Unlisted for a specific project.
Private projects are also marked as private on the final export page. The text "This video is unlisted" or "This video is private" appears below the video, once export completes. Similarly, the "Share" modal within the editor shows the privacy status.
Do Internal Kapwing Employees have access to my data?
What information security controls are in place?
Although Kapwing is a small company, we follow internal security best practices to ensure user data is used only as intended. These practices and policies include:
- Security training as part of onboarding
- Role-based permissions to ensure that employees have only as much access as is needed to do their job, on both first-party and third-party systems
- No credential sharing
- 2SV enforced for all internal employees
- Strict onboarding and offboarding procedures
Do you sell data to third-party vendors?
Does Kapwing comply with requirements under the General Data Protection Regulation (GDPR)?
How do users authenticate on Kapwing?
By default, users create a Kapwing account using Google OAuth, Facebook login, or by clicking a unique link from their email to verify ownership.
Kapwing does not handle personal user login information like passwords or phone numbers. This makes sign-in seamless as users don't have to remember a new username or worry about losing their password. It is also more secure as we do not store passwords and require email verification for each login.
What data subprocessors does Kapwing use for its service?
When evaluating vendors for our AI features, we assess their security practices and work with certified, GDPR-compliant vendors only. Please see this full list of data subprocessors for more information.
Some of our AI tools, like image generation, magic fill, and script generation, leverage OpenAI's GPT technology. To power these features, we send the relevant prompt and image data to the GPT API. This request is encrypted, and no identifying information is shared.
How do admins manage account access?
In Workspace settings, Workspace admins can review, add, and remove members. They can also review, approve, and deny pending requests. To invite a new member, Workspace admins can input their email address or share an invitation URL with them.
When a member is removed, their seat is freed up and can be re-provisioned to a newly invited member.
Enterprise customers can contact their Account Manager to add and remove members from their Workspace.
Does Kapwing support 2-Factor Authentication?
Kapwing does not support two-factor authentication as part of the free or Pro offering. Google Workspace customers can leverage 2-factor authentication through the "Sign in with Google" integration. Enterprises interested in support for two-factor authentication, Microsoft Teams sign in, or SAML/SSO can contact sales to learn more about custom support for enterprise customers. SAML login is included in Kapwing for Enterprise.
How long is the data retained? How is it securely disposed of when no longer needed?
Kapwing users can delete their account and any associated data at any time from their account.
Who Do I Contact with Questions About User Data?
We do have a designated [email protected] email which is treated with priority in our customer support queue. Please contact us with any questions or requests regarding your data.
Do you have a bug bounty program?
No, we do not currently have a bug bounty program. However, our Silicon Valley-based engineering team reports and tracks security issues in our internal project management system. We address and close pending security issues during our quarterly bug bash.