Security and Data Privacy Center - Kapwing

Kapwing's products are designed to protect user data and give customers control over their data. We take user trust seriously and follow these security best practices. Security posture overview:

  • Providers: Google Cloud Platform in US Regions for Data Hosting and Storage and MongoDB Atlas for Database
  • Encryption: Data is encrypted in transit and at rest
  • SSO: SAML SSO for Enterprise customers only
  • MFA: Two-Factor Auth can be enforced through IdP / Google Workspace for all customers or SSO for Enterprise customers
  • Data Processing Agreement: Available for Enterprise customers
  • Data Subprocessors: Published and maintained in this Help Center article. Some customization is possible for high-value Enterprise contracts only.
  • AI Training: Kapwing does not train models on customer data. For Kapwing for Enterprise customers, we ensure that all data subprocessors also do not use data for training.
  • Security Questionnaires: Available under NDA for Enterprise evaluations
  • Data deletion: Account and project deletion is supported for all customers. Customer data is deleted after 30 days.

This article answers some frequently asked questions about security and data handling at Kapwing.

Where is Kapwing's data stored?

All of Kapwing's servers are located in the USA (regions us-east1 and us-west1 on Google Cloud Platform). The servers are scaled up dynamically, with most going to US-East and overflow to US-West.

What data does Kapwing store?

We store as little sensitive data as possible and give users control over what data they want to protect and share. Our database includes:

  • User email address, name, and profile picture
  • Team data, including the members of each workspace, workspace settings, and shared brand assets
  • Project data, including uploaded assets and the operations of edits within a project

We do not store passwords or payment information. All payments and customer billing info are processed through Stripe, a secure third-party processor.

Kapwing is secured with an SSL certificate, with HTTPS URLs that provide security and data integrity for user information. We use a global CDN to prevent network attacks and keep Kapwing online. All of our cloud instances are protected by Shielded VM.

Is data encrypted?

Data is encrypted. Videos are processed and stored on Google Cloud Platform servers, so we inherit encryption best practices from Google. User account and workspace information is stored with MongoDB Atlas. Both are stored primarily in the United States (with exceptions for some foreign users) and are encrypted at rest and in transit by default.

Learn more about MongoDB's encryption and Google Cloud's encryption.

When users are signed out, their uploaded files are accessible to anyone with that unique link. The projects made by anonymous users are not tied to any account and not connected with personally identifying information. Users with sensitive content should sign in when using Kapwing to ensure uploads are private or only accessible to authorized workspace users.

Who can access projects and assets created on Kapwing?

By default, Kapwing projects are shared as unlisted, depending on workspace settings and plan. Anyone with the project's unique ID can view and comment on an unlisted project. This enables users to share content with others from a URL, even people who are not in their team.

Unlisted videos are not available to browse in a public directory, so it's similar to the "Unlisted" state on YouTube and Google Drive.

Pro and Enterprise users can make their projects private. When a file is private on Kapwing, only the creators and users with permission to access that file (in the same Workspace) can view, share or download it. If an unauthorized user attempts to access a private export, they will be redirected to the homepage and see an error message without viewing the assets or thumbnail.

Within a team, projects made in "Team Folders" are accessible to everyone in that Team. This enables a team to collaborate more easily, as multiple team members can give input, leave comments, download, review, and edit projects authored by others. Team projects can be shared with unauthorized users, like a client or a colleague who does not have a Kapwing license, who will be in view-only mode.

Pro and Enterprise customers can create "Private Folders." These projects are not visible to other members of the team, which can be useful for drafts and personal projects. If you create a project in your private folder, others will not be able to see it by default.

How can I be sure that my designs are private?

In Workspace settings, Pro and Enterprise users can change the default setting for new projects. If you're handling sensitive data, we recommend making the default setting "Private" so that unauthorized users cannot access the assets. Team admins can toggle this setting for everyone in their workspace.

For an individual project in the Workspace, the project thumbnail will be marked with a privacy icon when private. From the Workspace, users can toggle between Private and Unlisted for a specific project.

Private projects are also marked as private on the final export page. The text "This video is unlisted" or "This video is private" appears below the video, once export completes. Similarly, the "Share" modal within the editor shows the privacy status.

Do Internal Kapwing Employees have access to my data?

Kapwing personnel access customer content only when necessary to provide support, investigate bugs, maintain service reliability, enforce our Terms, or comply with legal obligations. Access is limited by role-based permissions, restricted to authorized personnel, protected by 2FA, and subject to internal policies and logging.

What information security controls are in place?

Kapwing maintains security controls designed to protect customer data. These practices and policies include:

  • Security training as part of onboarding
  • Role-based permissions to ensure that employees have only as much access as is needed to do their job, on both first-party and third-party systems
  • Policies against credential sharing, external
  • 2SV enforced for all internal employees
  • Strict onboarding and offboarding procedures
  • Required hardware locks
  • Restricted office space and physical security
  • Work-provided and monitored laptops with anti-malware protections built into the OS
  • Audit logs on user activities and system security events produced and monitored

Do you sell data to third-party vendors?

No, we do not sell our user data as stated in our Privacy Policy.

Does Kapwing comply with requirements under the General Data Protection Regulation (GDPR)?

Kapwing offers a Data Processing Addendum for applicable customers. Under the DPA, Kapwing acts as a Processor for Customer Personal Data where the customer is the Controller or Processor.

Please see our Privacy Policy for more information.

How do users authenticate on Kapwing?

By default, users create a Kapwing account using Google OAuth, Apple, Microsoft, Facebook, or by clicking a unique link from their email to verify ownership.

Sign in options on Kapwing

Kapwing does not handle personal user login information like passwords or phone numbers. This makes sign-in seamless as users don't have to remember a new username or worry about losing their password. It is also more secure as we do not store passwords and require email verification for each login.

Does Kapwing offer Two Factor Authentication (2FA) or Multifactor Auth (MFA)?

Kapwing does not provide native MFA for email-link login on self-serve plans. Customers can enforce MFA through their identity provider when using Google OAuth or Enterprise SAML/SSO. SAML SSO is available on Kapwing Enterprise.

What data subprocessors does Kapwing use for its service?

Kapwing conducts vendor security and privacy diligence before engaging subprocessors. Subprocessors are used to provide core infrastructure, AI workflows, customer support, analytics, payments, and communications. Where applicable, Kapwing enters into data protection terms with subprocessors and maintains a public list of subprocessors, their purpose, and processing location.

Please see this full list of data subprocessors for more information.

Some AI features send the minimum input necessary to the applicable AI subprocessor to perform the requested action. Requests are encrypted in transit, and Kapwing does not intentionally include unnecessary identifying information.

Does Kapwing use user data to train AI models?

No. Kapwing does not train AI models on customer content or customer personal data.

Do AI subprocessors train on customer data?

Kapwing’s AI features may send limited inputs needed to perform the requested action to AI subprocessors. Kapwing seeks contractual restrictions, where available, preventing subprocessors from using API-submitted customer data to train their models. For Enterprise customers with specific AI data restrictions, Kapwing can review applicable subprocessors during security review.

How does Kapwing handle security incidents?

Kapwing maintains logging and monitoring designed to detect security issues. If Kapwing becomes aware of a Personal Data Breach affecting Customer Personal Data under an applicable DPA, Kapwing will take steps to remediate the incident and notify the customer without undue delay.

How do admins manage account access?

In Workspace settings, Workspace admins can review, add, and remove members. They can also review, approve, and deny pending requests. To invite a new member, Workspace admins can input their email address or share an invitation URL with them.

When a member is removed, their seat is freed up and can be re-provisioned to a newly invited member.

Enterprise customers can contact their Account Manager to add and remove members from their Workspace.

Does Kapwing support 2-Factor Authentication?

Kapwing does not support two-factor authentication as part of our self-serve tiers (Free, Pro, Business). Google Workspace customers can leverage 2-factor authentication through the "Sign in with Google" integration. Enterprises interested in support for two-factor authentication, Microsoft Teams sign-in, or SAML/SSO can contact sales to learn more about custom support for enterprise customers. SAML login is included in Kapwing for Enterprise.

How long is the data retained? How is it securely disposed of when no longer needed?

Our data retention period varies depending on the type of data and the customer's plan. Kapwing retains customer data only for as long as necessary to provide services, comply with legal obligations, or as per our stated policies. Once data is no longer needed, we follow strict procedures for its secure disposal. This includes methods like data anonymization and secure deletion practices. We use industry-standard techniques to ensure that disposed data cannot be recovered or misused. For specific details about different types of data and retention periods, please refer to our Privacy Policy or contact us for more information.

Kapwing users can delete their account and any associated data at any time from their account.

Who Do I Contact with Questions About User Data?

Please contact us with any questions or requests regarding your data via our chatbot, which will escalate your concern as a ticket.

If I delete a video project, is it deleted from your database?

Yes. If a Kapwing user deletes a project, it will be deleted from our database, and we will not be able to recover it.

If a Kapwing user deletes an account, all of the videos and data associated with that account are deleted from our database. This action is heavyweight and cannot be reversed, even by our internal team.

Is Kapwing SOC 2 certified?

Kapwing does not currently publish a SOC 2 Type II report. Enterprise customers may request available security documentation under NDA.

Does Kapwing offer a Data Processing Addendum?

Yes. Kapwing offers a Data Processing Addendum for eligible Enterprise customers who need one for privacy, legal, or vendor review. To request a DPA, contact your Kapwing representative or email privacy@kapwing.com.

Does Kapwing provide additional security documentation?

Enterprise customers may request security documentation under NDA, including responses to security questionnaires, subprocessors information, DPA review, and relevant security materials.

Do you have a bug bounty program?

No, we do not currently have a bug bounty program. However, our Silicon Valley-based engineering team reports and tracks security issues in our internal project management system. We address and close pending security issues during our quarterly bug bash.

Security, privacy, and legal teams can contact privacy@kapwing.com