Trust at Klaviyo

At Klaviyo, we are committed to being trustworthy stewards of customer data as we power smarter digital relationships and empower creators to own their destiny.

Trusted by 157,000+ companies

Good American, Spanx, Ruggable, Hydro Flask

Security and privacy are foundational to how we continuously innovate and improve our platform, tailoring it to meet the evolving needs of our customers.

Compliance



External audits

Klaviyo undergoes annual third-party audits to ensure our internal controls are designed and operating effectively in accordance with industry standards, such as SOC 2 and ISO 27001. Our third-party audit reports can be downloaded directly from our self-service Trust Center.

Privacy



Data governance

As a data processor, Klaviyo offers tools and functionality that enable our customers to meet their key data privacy compliance requirements for GDPR, CCPA, and beyond. These tools encompass profile consent management and rights request tooling to satisfy both access and deletion requests.

Additionally, as a controller of Klaviyo account user data, we also enable our data subjects to submit privacy rights requests and make privacy inquiries. For more information about our data privacy practices and commitments, including our Privacy Notice, Data Processing Agreement, and other policies, please visit our Legal Hub.

Enterprise security



Endpoint security

We use mobile device management and anti-malware software to prevent, detect, and respond to endpoint device threats. Secure-by-default configurations, such as disk encryption, software updates, and removable media restrictions, proactively protect data stored on our endpoint devices.



Workforce identity and access management

Klaviyo utilizes a modern single sign-on (SSO) platform to control access to Klaviyo’s internal systems and applications. This allows us to efficiently protect against identity-based threats by centrally enforcing access and authentication security policies. Data access rights for employees undergo regular reviews to ensure that only the minimum necessary privileges are granted.



Security culture and training

Klaviyo’s security culture and training program is designed to equip employees with the knowledge and skills necessary to uphold their security responsibilities and recognize and address potential security risks. This is achieved through new hire and annual training, phishing awareness campaigns, and our “Risky Business” newsletter for informing employees about pertinent security and privacy topics.



Risk management

Klaviyo has implemented a risk management program to proactively identify, assess, and manage risk to an acceptable level. This includes risk domains such as information security, third-party security, and other enterprise security domains. We regularly conduct risk assessments and partner with cross-functional stakeholders to provide guidance in devising risk treatment plans and to ensure risk treatment is being prioritized accordingly.

Product security



Customer identity and access management

Klaviyo makes it easy to protect your account by providing intuitive security features and tools. Account owners and administrators can implement multi-factor authentication (MFA), single sign-on (SSO), and just-in-time (JIT) provisioning for increased account security. Moreover, we simplify user administration with role-based permissions and controls.


API security

Klaviyo simplifies securing API access to account data and features by providing both API key and OAuth authentication mechanisms. This also allows customers to more easily and securely integrate with partners’ applications to extend the functionality of their Klaviyo use cases.

Whether using API keys or OAuth credentials, customers can implement least-privilege access to their Klaviyo account by using feature-specific permission scopes.



Penetration testing

Finding and fixing exploitable vulnerabilities in our platform before bad actors do is foundational to protecting our customers’ data. Klaviyo works with an industry-leading third-party penetration testing provider on an annual basis and runs a bug bounty program with external security researchers. Our internal Offensive Security team also performs targeted penetration testing on an ongoing basis.