Trust Center


How we protect your data, respect your privacy, and maintain the security standards your team expects. No marketing fluff — just the facts.

CCPA: Compliant
GDPR: Compliant
ISO 27001: In progress

[01]VERIFIED

Your data stays yours

Your specs, PRDs, and project data are yours. We never use customer data to train AI models. Your intellectual property remains your intellectual property.

No training on customer data — ever
Data export coming soon (on our roadmap)
Account deletion available from dashboard settings
Database-level isolation between organizations via RLS
[02]VERIFIED

Encrypted everywhere

All data is encrypted in transit (TLS) and at rest (AES-256-GCM). Sensitive values like environment variables are encrypted with HKDF-derived keys before storage.

TLS encryption for all connections
AES-256-GCM encryption for sensitive data at rest
Secrets stored in platform environment variables (Vercel)
Database connections encrypted with SSL required
[03]VERIFIED

Access controls

Role-based access control at the organization level. Comprehensive audit logs for all administrative actions. Session management with secure, scoped cookies.

Organization admin and member roles
Audit trail for all admin actions (12+ event types)
Secure session management (HttpOnly, SameSite cookies)
GitHub OAuth integration for authentication
[04]VERIFIED

Infrastructure security

Enterprise-grade hosting with a global edge network. Row-level security enforced at the database layer to isolate tenant data.

Global edge network with CDN distribution
Row-level security (RLS) on all tenant tables
Dedicated database roles with strict access controls
Automated platform-level patching and updates
[05]VERIFIED

AI provider transparency

We use Anthropic's Claude API for AI conversations and OpenAI for embeddings. Per both providers' standard API terms, your data is not used for model training.

Anthropic Claude — standard API (no training on API data per their policy)
OpenAI embeddings — standard API (no training on API data per their policy)
No customer data used for model training by any provider
We are working toward explicit zero-retention API configurations
[06]VERIFIED

Compliance & standards

We are building toward the highest compliance standards. CCPA and GDPR compliant today, with ISO 27001 certification planned.

CCPA compliant — California consumer privacy rights
GDPR compliant — EU data protection regulation
ISO 27001 — in progress
Third-party security assessments — planned for 2026
[07]VERIFIED

Transparent subprocessors

We maintain a public list of every third-party service that processes your data on our behalf. No hidden vendors.

9 subprocessors, all with DPAs in place
30-day advance notice before adding new subprocessors
EU-hosted analytics (PostHog Frankfurt)
AI observability hosted in EU (Langfuse Germany)

Frequently Asked Questions

Where is my data stored?

Your data is stored on enterprise-grade infrastructure with data centers in the US and EU. All data is encrypted in transit and at rest. For a full list of our service providers, see our Subprocessors page.

Do you use my data to train AI models?

No. We never use customer data to train AI models. When we send your data to AI providers (Anthropic, OpenAI), their standard API terms prohibit using API data for model training.

Can I export all my data?

Data export is on our roadmap and coming soon. In the meantime, PRDs can be exported as Markdown, PDF, or JSON from the canvas. Contact us if you need a full data export.

What happens when I delete my account?

You can delete your account from your dashboard settings. Account deletion removes your user data. Organization data is retained if other members exist, otherwise it is also removed.

Do you have a DPA (Data Processing Agreement)?

We are working on a standard DPA for enterprise customers. Contact us at privacy@getkommit.ai to discuss your requirements.

How do you handle security incidents?

We are building out our formal incident response plan. Our commitment is to notify affected customers promptly in the event of a confirmed breach, in accordance with GDPR requirements (72 hours).


Need more details?

Reach out to our security team for DPAs, penetration test reports, or any security-related questions.
