Trust and Compliance at Kong

The world’s most trusted API gateway is just the start. All of Kong’s offerings are built from the ground up with enterprise-grade security, compliance, and privacy at their core. And Kong is dedicated to continually improving security processes and controls, protecting customer data, and upholding data usage transparency.

Product Offerings

Kong Konnect

Kong Konnect is an API lifecycle management platform designed from the ground up for the cloud native era and delivered as a service. This platform lets you build modern applications better, faster, and more securely. The control plane is hosted in the cloud by Kong, while you can choose to either host the data plane yourself in your preferred network environment or let Kong manage it for you in the cloud. Learn more here.

Kong Gateway Enterprise

Kong Gateway Enterprise is a fast, feature-advanced, and secure API management solution built on Kong Gateway, the world’s most adopted and performant API gateway. An API gateway is a reverse proxy that lets you manage, configure, and route requests to your APIs.

Kong Mesh

Kong Mesh is an enterprise service mesh that runs on both Kubernetes and virtual machines (VMs) on any cloud and multi-cluster. Built on top of CNCF’s Kuma and Envoy, Kong Mesh enables microservices transformation.

Kong Insomnia

Kong Insomnia is a collaborative API client and design tool for quickly building and testing APIs. The open source product is offered for free or with a limited SaaS service for a monthly per-user fee. It’s also offered to enterprise customers.

Compliance and Security

Kong’s products offer enterprise-grade security and are designed to support enterprise customers’ security, compliance, and privacy needs. Kong undergoes independent verification of platform security and compliance controls. 


This regularly refreshed report focuses on non-financial reporting controls as they relate to security, availability, and confidentiality.

CSA - Star Level 1

Kong has completed a Consensus Assessment Initiative Questionnaire (CAIQ) self-assessment.

NIST 800-218

The National Institute of Standards and Technology (NIST) 800-218 is a standard for secure software development. Kong has completed a NIST 800-218 self-assessment.

Penetration Testing

Kong engages a security company to perform security, vulnerability, and penetration testing for all products at least annually.

Business Continuity and Disaster Recovery

This policy sets out steps and responsible personnel to help ensure business continuity and recovery in the event of a disaster.


Kong Gateway Enterprise has attained Level 3 (hardened build) under the Supply Chain Levels for Software Artifacts (SLSA) Version 1.0 framework.


Kong Gateway Enterprise is available with a cryptographic algorithm validated through the NIST Cryptographic Algorithm Validation Program (CAVP).

PCI DSS v4.0 Report on Compliance

Kong has received a Report on Compliance (RoC) by a PCI Qualified Security Assessor for Kong’s Attestation of Compliance – Merchant for Kong Konnect

Please contact your Kong sales representative for more information regarding these security and compliance controls.

Explore Company Policies and Resources

Explore company policies and resources to see how Kong’s products and people meet customers’ high expectations. 

Kong Code of Conduct

The Kong Kode describes the regulations, laws, and policies Kong implements concerning the legal and ethical behavior required of employees.

Learn More

Vulnerability Disclosure Program Summary

Kong offers a Vulnerability Disclosure Program — also known as a bug bounty program — for reports of unique confirmed vulnerabilities.

Report a Vulnerability

Kong Technical & Organizational Security Measures

See the features, processes, and controls applicable to Kong products, including configurable options available to the customer, that employ industry-standard information security best practices.

Learn More

Environmental, Social, and Governance Statement

Kong is committed to developing its ESG program to build a sustainable and efficient business. Kong is working to mitigate its environmental impact and build an equitable, socially responsible company.

Learn More

Kong has completed an ESG Evaluation and Benchmarking Exercise with EcoVadis, which will be repeated again in 2024.

Data Privacy

Kong is committed to being transparent about the company’s handling of data. See below for an overview of the collection and use of personal and customer data in connection with Kong’s products and services.


The General Data Protection Regulation regulates the use and protection of personal data protection in the European Economic Area (EEA), but it affects the way business is done globally. Compliance with GDPR is a top priority for Kong and its customers, and Kong can be a key enabler in customers’ compliance efforts.


The California Privacy Rights Act creates consumer rights relating to the access to, deletion of, and sharing of personal information collected by businesses. Kong is committed to supporting customers with CPRA compliance and can be a key enabler in this journey.

Kong Privacy Policy

Kong’s Privacy Policy describes the policies and procedures regarding the collection, processing and disclosure of information about you, and what rights you have while we hold that information.

Kong Data Processing Activities Summary

Kong’s Data Processing Activities Summary  sets out an overview of the collection and use of personal data and customer data in connection with Kong’s products and services.

Additional Resources

Discover other resources around Kong’s policies and processes in place to protect the
its offerings, and its customers.