Don't let security and compliance roadblock your application development process.

Airkit Security

Airkit’s low code platform simplifies security and compliance so you can ship in days, not months. Our comprehensive out‑of‑the-box security and compliance framework is continuously updated with security, compliance and privacy certifications.


All the enterprise-grade certifications you need

PCI DSS Compliance
GDPR Ready
HIPAA Compliance

Key security features

Data encryption
Data is encrypted at rest and in-flight, including data passed between Airkit and third party applications via API calls.
Data security
Tag data as being sensitive and log data usage/access.
Customer applications and data are hosted in separate secure logical instances per organization with SAML 2.0 single sign-on.
Data protection
Intraday and daily snapshots of application and customer data stored in authentication protected, encrypted storage.
Continuously updated security, compliance and privacy certifications
(HIPAA, PCI, PII, SOC2, TCPA, GDPR) not available with custom development alternatives.
Integrated services
Securely authorize other SaaS services with OAuth2. Airkit does not store your username or password for those services.
Organization controls
Role-based access controls for platform management, application management and data management.
Data governance
Maintain ownership of your data with full portability. You can choose not to store data on Airkit’s platform.
Rigorous testing
Airkit contracts with industry-leading third party vendors to do regular penetration testing on the platform.

A commitment to reliability

We believe in complete transparency concerning our service availability and uptime. View our track record on our status page.


A commitment to security

Airkit works with security researchers and encourages responsible disclosure through an ISO 29147 bug bounty program, coordinated by HackerOne.



Is Airkit’s data center secure?

Our online infrastructure is built on Amazon Web Services, and Airkit maintains a SOC2, PCI, HIPAA and other controls that cover the service’s security, confidentiality, availability, and integrity.

More information is available here:

Does Airkit monitor it’s performance?

We collect logs of system events throughout our infrastructure including cloud-level, application level, and data-store level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.

Is the Airkit application itself secure?

Our development team utilizes best practices in code development, testing, and deployment. As part of that process we leverage frameworks that provide protections against common web vulnerabilities (e.g. OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities and tickets automatically opened for engineers to review and upgrade packages.

Does Airkit decommission hardware that stores my information?

The secure decomissioning of hardware used to manage and store customer data is managed by our cloud provider which leverages a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.

Do Airkit employees sign confidentiality agreements?

All employees and contractors are required to sign confidentiality agreements.

Are Airkit employee hardware devices secure?

Our employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password manager, and login restrictions.

How does Airkit maintain password security?

User passwords must meet minimum length requirements. Brute force password protections are implemented using account throttling – where repeated attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored in encrypted form using salted hashes.

Who has administrative access to our database?

Administrative access to production databases is restricted to a subset of our engineering team. All-access uses unique accounts and administrator activity is logged to our centralized logging system.

Does Airkit encrypt data in transit and at rest?

Yes to both.

We utilize TLS 1.2 encryption on communication to our website and APIs, automatic HTTP to HTTPs redirection, and HTTP Strict Transport Security to prevent downgrade attacks. Our default encryption algorithms utilize Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).

All customer data is encrypted at rest using AES256 encryption. Encryption keys are stored in high-security hardware security modules and periodically rotated.

Does Airkit back up my data?

Customer data is backed up daily using automated snapshots which are stored in authentication-protected storage using pre-defined retention times. System administrators are notified of failed or delayed backups.

Does Airkit conduct regular penetration tests?

Our services are tested periodically by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team.

Does Airkit have a company-wide security policy?

We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:
* System Inventory
* Data Classification
* System lockdown procedures
* Encryption
* Data Access
* Incident Response
* Backups and Restoration

Is security a priority during employee on and offboarding?

All employees are on-boarded using a standard process to ensure they receive training and access appropriate to perform their job role. Our off-boarding process is designed to efficiently remove access and accounts when employees leave the company or transition job roles.

How will Airkit authenticate users to our portal?

Customers can authenticate to our service using 2FA. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.

How is cloud access handled?

Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for access to internal systems. All administrative access to cloud systems is logged.

Where is Airkit code stored?

Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.

Ready to see for yourself? Start building today.