Security & Privacy

Your data lives in the EU

Kit is hosted on Hetzner Cloud in Nuremberg, Germany. Your hiring data is encrypted at rest and in transit, protected by continuous security scanning, and stored within the European Union.

  • EU-Hosted (Germany)
  • Encrypted at Rest & In Transit
  • Cloudflare Protected
  • CI Security Scanning

Privacy & GDPR

Data Residency

All core data is stored in the European Union (Hetzner Cloud, Nuremberg, Germany). No routine transfers of personal data to the United States for infrastructure purposes.

GDPR Compliance

Kit is designed to support your GDPR compliance obligations. We provide a comprehensive Data Processing Agreement, support data subject rights, and offer built-in tools for data export, anonymisation, and consent management.

Data Processing Agreement

Our DPA covers all GDPR Article 28 mandatory clauses, including sub-processor management, breach notification, audit rights, and international transfer safeguards.

View our DPA

Consent Management

Built-in consent management for candidate data with configurable retention periods, automated expiry, renewal workflows, and audit trail.

Compliance

GDPR

  • Data Processing Agreement available
  • Data subject rights supported (access, rectification, erasure, restriction, portability, objection)
  • Data export and anonymisation tools
  • Consent management with audit trail
  • EU-resident infrastructure
  • Also covers UK GDPR and Swiss FADP

ePrivacy

  • Cookie consent with opt-in for analytics
  • Essential cookies only by default
  • Microsoft Clarity restricted to marketing pages
  • One-click email unsubscribe (RFC 8058)

CCPA

  • No sale or sharing of personal information
  • Data deletion on request
  • Right to know what data is collected
  • Non-discrimination for privacy rights

Infrastructure

Hosting

All infrastructure runs on Hetzner Cloud in Nuremberg, Germany (datacenter nbg1-dc3, network zone eu-central). No US sub-processors for core infrastructure. Your core application data is stored in the EU.

Data Residency

Your database runs on a private network with no public internet exposure. All database traffic stays on local interfaces. Backups are encrypted and stored within the EU.

Email Infrastructure

Self-hosted mail server in the EU. Candidate emails and notifications never touch third-party US email infrastructure. Full control over email delivery and data residency.

Edge Security

Cloudflare provides DDoS protection, web application firewall (WAF), and TLS termination. EU processing is available for Cloudflare services.

Encryption

In Transit

All connections are encrypted using TLS 1.2 or higher. HSTS is enforced. API endpoints require HTTPS.
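
Two checks a defender would run against the claims above, as an added example (not Kit's code): a client TLS context that refuses anything below TLS 1.2, and a grader for the Strict-Transport-Security header that applies RFC 6797 and the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload). The header values it is fed are constructed samples, not Kit's live headers.

```ruby
require 'openssl'

# Added example, not Kit's code. Sample header values below are constructed.
ONE_YEAR = 31_536_000 # seconds; minimum max-age for HSTS preload eligibility

# Client-side TLS policy: minimum TLS 1.2, certificate verification on.
# set_params is called with these overrides so its defaults (which allow
# older TLS versions) do not win.
def tls12_plus_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(min_version: OpenSSL::SSL::TLS1_2_VERSION,
                 verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx
end

# Parse "max-age=63072000; includeSubDomains; preload" into
# { 'max-age' => '63072000', 'includesubdomains' => nil, 'preload' => nil }.
def parse_hsts(header)
  header.split(';').each_with_object({}) do |directive, out|
    name, value = directive.strip.split('=', 2)
    next if name.nil? || name.empty?
    out[name.downcase] = value&.strip&.delete('"')
  end
end

# Returns a list of findings; an empty list means the policy is strong.
def hsts_findings(header, require_preload: false)
  return ['header missing'] if header.nil? || header.strip.empty?
  d = parse_hsts(header)
  findings = []
  if d['max-age'].nil? || d['max-age'] !~ /\A\d+\z/
    findings << 'max-age missing or not an integer'
  else
    max_age = d['max-age'].to_i
    findings << 'max-age=0 disables HSTS' if max_age.zero?
    findings << "max-age #{max_age} is below one year (#{ONE_YEAR})" if max_age.positive? && max_age < ONE_YEAR
  end
  findings << 'includeSubDomains missing (subdomains stay downgradeable)' unless d.key?('includesubdomains')
  findings << 'preload directive missing' if require_preload && !d.key?('preload')
  findings
end

def hsts_strong?(header, require_preload: false)
  hsts_findings(header, require_preload: require_preload).empty?
end

# Constructed sample headers, from strong to absent.
SAMPLE_HEADERS = {
  strong:   'max-age=63072000; includeSubDomains; preload',
  short:    'max-age=300',
  disabled: 'max-age=0',
  missing:  nil
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each do |label, value|
    puts "#{label}: #{hsts_findings(value, require_preload: true).inspect}"
  end
end
```

A max-age of a few minutes is the most common weak setting seen in practice: the browser forgets the policy almost immediately, so the header costs nothing to ship but protects almost nothing.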

At Rest

Sensitive personal data fields are encrypted at the application level (deterministic and non-deterministic encryption as appropriate). Storage volumes are encrypted. Backups are encrypted.
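
The difference between deterministic and non-deterministic field encryption matters for what a stored ciphertext reveals, so here is an added example (not Kit's code) that implements both modes with AES-256-GCM: non-deterministic mode uses a random IV, so the same value encrypts differently every time; deterministic mode derives the IV from the plaintext with a separate key, so equal values produce equal ciphertexts and an exact-match lookup (for example by email) still works, at the cost of revealing which rows share a value. Keys, field names and rows are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Kit's code. Keys below are constructed for the demo;
# a real deployment loads them from a secrets store, never from source.
module FieldEncryptor
  KEY     = OpenSSL::Digest.digest('SHA256', 'demo-primary-key')        # constructed
  IV_KEY  = OpenSSL::Digest.digest('SHA256', 'demo-iv-derivation-key')  # constructed
  IV_LEN  = 12
  TAG_LEN = 16

  module_function

  # deterministic: true  -> IV = HMAC(IV_KEY, plaintext), equal inputs collide
  # deterministic: false -> random IV, equal inputs never collide
  def encrypt(plaintext, deterministic: false)
    iv = if deterministic
           OpenSSL::HMAC.digest('SHA256', IV_KEY, plaintext)[0, IV_LEN]
         else
           SecureRandom.random_bytes(IV_LEN)
         end
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = KEY
    cipher.iv  = iv
    cipher.auth_data = ''
    ciphertext = cipher.update(plaintext) + cipher.final
    (iv + ciphertext + cipher.auth_tag(TAG_LEN)).unpack1('H*') # hex for storage
  end

  # GCM verifies the tag before returning plaintext, so any modification of
  # the stored value raises OpenSSL::Cipher::CipherError instead of decrypting.
  def decrypt(hex)
    raw = [hex].pack('H*')
    iv, tag, ciphertext = raw[0, IV_LEN], raw[-TAG_LEN, TAG_LEN], raw[IV_LEN...-TAG_LEN]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = KEY
    cipher.iv  = iv
    cipher.auth_tag  = tag
    cipher.auth_data = ''
    (cipher.update(ciphertext) + cipher.final).force_encoding('UTF-8')
  end

  # Flip one ciphertext bit and confirm decryption is refused.
  def tamper_detected?(hex)
    raw = [hex].pack('H*')
    raw.setbyte(IV_LEN, raw.getbyte(IV_LEN) ^ 0x01)
    decrypt(raw.unpack1('H*'))
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
end

# Constructed candidate record: email must support lookup (deterministic),
# free-text notes never need equality matching (non-deterministic).
def encrypt_candidate(email:, notes:)
  { email: FieldEncryptor.encrypt(email, deterministic: true),
    notes: FieldEncryptor.encrypt(notes) }
end

# Exact-match lookup works only because the email column is deterministic.
def find_by_email(rows, email)
  needle = FieldEncryptor.encrypt(email, deterministic: true)
  rows.find { |row| row[:email] == needle }
end

if __FILE__ == $PROGRAM_NAME
  rows = [encrypt_candidate(email: 'ada@example.test', notes: 'strong portfolio'),
          encrypt_candidate(email: 'bob@example.test', notes: 'second interview')]
  hit = find_by_email(rows, 'bob@example.test')
  puts "found notes: #{FieldEncryptor.decrypt(hit[:notes])}"
end
```

The rule of thumb this encodes: use deterministic encryption only for columns you must query by equality, and accept that an attacker who reads the database can then see which rows share a value even without the key.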

Payment Data

All payment processing is handled by Stripe. Kit never stores, processes, or has access to full credit card numbers. Stripe is PCI DSS Level 1 certified.

Application Security

Automated Security Scanning

Every deploy is gated on passing Brakeman (static analysis for Rails vulnerabilities), bundler-audit (Ruby gem CVE checking), and importmap audit (JavaScript dependency checking). No code ships without passing these checks.

Framework Protections

Built on Ruby on Rails 8, which provides built-in protection against CSRF, XSS, SQL injection, and other OWASP Top 10 vulnerabilities. Content Security Policy headers are enforced.

Code Review

All changes go through pull request review before merging. Automated linting (RuboCop, ERB Lint) enforces code quality standards.

Dependency Management

Automated alerts for vulnerable dependencies. Regular updates to framework and library versions. Continuous monitoring for security advisories.

Access Control

Authentication

User passwords are securely hashed. Optional two-factor authentication is available. Session management with secure, HTTP-only cookies.

Team Permissions

Role-based access control (owner, admin, member) per account. Granular permissions for hiring pipeline stages. Audit trail for sensitive actions.

API Security

JWT-based API tokens with scoped permissions. Rate limiting on all API endpoints. Token rotation supported.
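
To make concrete what scoped JWT tokens and rotation involve, here is an added example that is not Kit's API code: HS256 tokens carrying a space-separated scope claim, a verifier that pins the algorithm, checks the signature in constant time, then expiry, then a revocation list, then the required scope, and a rotation step that revokes the old token's jti while issuing a replacement. The secret, subject and scope names are constructed; a real service would also add rate limiting in front of this.

```ruby
require 'openssl'
require 'json'
require 'securerandom'
require 'set'

# Added example, not Kit's API code. Secret and subjects are constructed.
module ApiToken
  module_function

  def b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  # Issue a token whose permissions are the scope claim, with a jti so it can be revoked.
  def issue(secret, subject:, scopes:, ttl: 3600, now: Time.now.to_i)
    header  = { alg: 'HS256', typ: 'JWT' }
    payload = { sub: subject, scope: scopes.join(' '), iat: now, exp: now + ttl,
                jti: SecureRandom.hex(16) }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
  end

  # Returns [:ok, payload] or [:error, reason]. Order matters: nothing in the
  # payload is trusted until the signature has been checked.
  def verify(token, secret, required_scope: nil, revoked: Set.new, now: Time.now.to_i)
    parts = token.to_s.split('.')
    return [:error, :malformed] unless parts.size == 3
    h64, p64, s64 = parts
    header = JSON.parse(b64url_decode(h64))
    # Pin the algorithm: never let the token choose it (rejects "none" and key confusion).
    return [:error, :bad_alg] unless header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h64}.#{p64}")
    return [:error, :bad_signature] unless OpenSSL.secure_compare(expected, b64url_decode(s64))
    payload = JSON.parse(b64url_decode(p64))
    return [:error, :expired] if payload['exp'].to_i <= now
    return [:error, :revoked] if revoked.include?(payload['jti'])
    if required_scope && !payload['scope'].to_s.split.include?(required_scope)
      return [:error, :insufficient_scope]
    end
    [:ok, payload]
  rescue ArgumentError, TypeError, JSON::ParserError
    [:error, :malformed]
  end

  # Rotation: verify the old token, revoke its jti, issue a fresh one with the
  # same subject and scopes. The revocation set stands in for a shared store.
  def rotate(token, secret, revoked:, now: Time.now.to_i)
    status, result = verify(token, secret, revoked: revoked, now: now)
    return [status, result] unless status == :ok
    revoked << result['jti']
    [:ok, issue(secret, subject: result['sub'], scopes: result['scope'].split, now: now)]
  end
end

if __FILE__ == $PROGRAM_NAME
  secret  = 'constructed-demo-secret'
  token   = ApiToken.issue(secret, subject: 'acct_demo', scopes: %w[candidates:read])
  puts ApiToken.verify(token, secret, required_scope: 'candidates:write').inspect # insufficient_scope
end
```

Two details carry most of the security value: the algorithm is fixed server-side rather than read from the token, and the scope check happens only after the signature has been verified, so a client cannot grant itself a scope by editing the payload.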

Internal Access

Small engineering team (2-3 people). No shared credentials. Principle of least privilege for all system access.

Sub-processors

We use the following service providers. Full details including transfer mechanisms are in our DPA (Annex 3):

Provider                             Purpose                            Location
Hetzner Online GmbH                  Infrastructure, compute, storage   Nuremberg, Germany
Cloudflare, Inc.                     CDN, DNS, DDoS protection          Global (DPF + SCCs)
Stripe, Inc.                         Payment processing                 United States (DPF + SCCs)
Functional Software, Inc. (Sentry)   Error monitoring                   United States (DPF + SCCs)

Vulnerability Disclosure

Kit operates a Vulnerability Disclosure Program with a dedicated submission form, structured triage, and a published security policy. We aim to acknowledge reports within 48 hours.

Our security.txt is published at security.startupkit.app/.well-known/security.txt

Uptime & Status

We publish real-time status information including uptime history and incident reports.

View status page

Questions?

For security inquiries, contact us at:

[email protected]

Last updated: March 31, 2026