SOC 2 · ISO 27001 · GDPR · HIPAA decks built in

Security training your auditor actually accepts.

Launch a SOC 2, ISO 27001, GDPR or HIPAA awareness program in minutes. No seats for the people you're training. Every completion becomes tamper-evident evidence that exports straight into Vanta.

EU-hosted Verbatim 7-column Vanta export Participant portal in 5 languages No seats for participants
Auditors ask for this by name

Every framework you're chasing already requires training.

SOC 2

Security awareness training

Required for every SOC 2 report — evidenced per person, refreshed annually.

ISO 27001 · Clause 7.3

ISMS awareness

Documented awareness training for everyone under your ISMS — with records to prove it.

GDPR · Art. 39

Staff data-protection training

Staff handling personal data must be trained, and your DPO must monitor it.

HIPAA · §164.308(a)(5)

Workforce security awareness

A security awareness and training program for your entire workforce. Not optional.

How it works

Live in three steps.

1

Pick a deck

SOC 2, ISO 27001, GDPR or HIPAA. Fill in {{ company_name }}, your DPO, your policy links — one template becomes your program.

2

Invite everyone

Paste a roster. Staff and contractors get a magic link or Google sign-in — no accounts, no seats, your branding.

3

Export the evidence

The completion register fills in as people finish. Download the CSV, bulk-upload it to Vanta, done.

Everything an awareness program needs. Nothing it doesn't.

Framework decks built in

SOC 2, ISO 27001, GDPR and HIPAA — written, structured, ready to send.

Portal in five languages

Participants get the portal, emails and sign-off flow in English, German, French, Spanish or Polish.

No seats for participants

Magic link or Google sign-in on a portal branded as your company. Contractors included.

Provably watched video

Video slides gate on watch percentage. Skipping to the end doesn't count.

Attestation before completion

Nobody completes without signing first — and the order is enforced, not assumed.

Annual recertification

When a completion turns a year old, Kit re-enrolls and re-invites automatically, with a grace period.

PDF certificates

Per person, branded, stamped with the exact deck version they took.

Compliance command center

One dashboard of who's due, overdue and done — worst first.

Audit evidence, not just a course

The exact register Vanta expects, column for column.

Kit keeps a completion register with the seven columns Vanta's bulk upload expects — Employee Name, Employee ID, Department, Role, Training Module(s), Completion Date, Status — and exports it verbatim as CSV or a branded PDF. Every row is a frozen snapshot: the attestation was signed before the completion, the deck version was stamped at that moment, and rows can never be edited or deleted. When an auditor asks you to prove someone did GDPR training in March, you hand over a record, not a screenshot.

  • The seven Vanta columns, verbatim
  • Append-only completion records
  • Deck version stamped on every row
AI-native

Tell an agent to build the program.

11 training tools over MCP

Connect Claude, ChatGPT or Gemini. The agent can create a program, seed a deck, write the quiz, invite a roster and pull completion status.

Claude ChatGPT Gemini

What you can ask

"Seed a GDPR program with our company name and DPO filled in."
"Write a five-question quiz for the phishing section."
"Invite everyone on this roster."
"Who hasn't finished yet?"

Included with Kit. No per-learner fees.

Awareness platforms bill per seat, per year. Training is part of Kit — unlimited staff and contractors, because the decks, the portal and the evidence pipeline are already built.

Evidence-grade, like the rest of Kit.

Completion records are append-only, participant details are encrypted at rest, and everything runs on EU-hosted infrastructure — the same discipline as the rest of Kit.

Read our trust page

Questions

We already run training in our HR tool. Why move it?

Because the output here is evidence, not a checkbox. Kit's register matches Vanta's bulk-upload columns exactly, and behind every completion is an append-only record with a signed attestation.

Do contractors need accounts?

No. Participants aren't users and don't take a seat. They get a magic link or sign in with Google, on a portal branded as your company.

Which frameworks are covered?

SOC 2, ISO 27001, GDPR and HIPAA decks are built in. Each uses variables — company name, DPO contact, policy links — so one template becomes your program.

How does the Vanta export work?

The register uses the seven column headers Vanta's bulk upload expects, in the same order and wording. Export the CSV, upload it, done. There's a branded PDF for auditors who want paper.

What about annual re-training?

Mark a program annual and Kit re-enrolls each person when their completion turns a year old, with a grace period before anyone lapses.

Can I prove someone actually watched the training?

Yes. Video slides only count once the watch threshold is met — skipping ahead doesn't. Completion also requires a passed knowledge check and a signed attestation, in that order, all on the record.

Where is the data hosted?

On EU infrastructure. Participant details in the evidence trail are encrypted at rest.

Can an AI assistant set this up for me?

Yes. Kit exposes 11 training tools over MCP. From Claude, ChatGPT or Gemini you can create programs, seed decks, write quizzes, invite people and check who's finished.

Turn training into evidence.

Pick a deck, invite the team, export the register. Start free — no credit card required.