Does Kintable provide a full audit log?

Yes. Every record creation, update, deletion, approval decision, form submission, and user login is captured in a tamper-evident audit log with a UTC timestamp, user identity, IP address, and before/after field values. Audit logs are exportable in CSV and JSON formats for compliance reviews.

Where is Kintable data hosted and can we choose a data residency region?

Kintable Cloud runs on secure managed cloud infrastructure in the United States by default. Enterprise customers with data residency requirements can discuss dedicated regional deployment options with the Kintable team during the sales process.

shield Enterprise Security

Built for IT teams
that don't compromise.

Q: How granular are Kintable's permission controls?

Kintable enforces permissions at the organization, workspace, base, view, row, and field level. Row-level security policies restrict which records each user can read or write. Field-level permissions hide or make read-only specific columns for specific roles. Export restrictions prevent unauthorized data downloads.

Kintable gives operations teams the speed of AI-generated workflows while giving IT the controls they require: SSO, granular permissions, immutable audit logs, IP restrictions, and encrypted data.

The short answer: your IT team can approve Kintable in a single security review — every standard enterprise control is already built in.

Request a security review View enterprise features →

AES-256

Encryption at rest

TLS 1.2+

Encryption in transit

100%

Actions logged

6-level

Permission model

SECURITY CONTROLS

Every control your IT team will ask for.

Kintable ships enterprise security controls out of the box — no professional services engagement required to enable them.

key

SAML SSO & SCIM Provisioning

Single sign-on + automated user lifecycle

Connect Kintable to your existing identity provider using SAML 2.0. Users authenticate through your IdP — Kintable never stores their password. SCIM 2.0 automates provisioning and deprovisioning: when an employee leaves, their access is revoked automatically.

check_circle Okta, Azure AD (Entra ID), Ping Identity
check_circle Google Workspace SAML
check_circle Custom SAML 2.0 providers
check_circle SCIM 2.0 automated user sync
check_circle Just-in-time (JIT) user provisioning

lock

Encryption at Rest & In Transit

Data protected everywhere it lives and moves

All customer data is encrypted at rest using AES-256. All data in transit between your browser, integrations, and Kintable's servers uses TLS 1.2 or higher. Encryption keys are managed per-tenant and rotated on a regular schedule.

check_circle AES-256 encryption at rest
check_circle TLS 1.2+ for all data in transit
check_circle Per-tenant encryption key management
check_circle Scheduled key rotation
check_circle Secure managed cloud infrastructure

history

Immutable Audit Logs

Every action logged, timestamped, exportable

Every record change, approval decision, form submission, user login, permission change, and integration event is captured in a tamper-evident audit log. Each entry includes a UTC timestamp, user identity, IP address, and before/after field values.

check_circle Record-level change history
check_circle Approval decision audit trail
check_circle User login and access events
check_circle Export in CSV and JSON formats
check_circle Point-in-time restore capability

admin_panel_settings

Field-Level & Row-Level Permissions

6-level permission model down to individual cells

Kintable enforces a six-level permission hierarchy: organization → workspace → base → view → row → field. Row-level security policies restrict which records users can see or modify based on their role. Field-level controls hide sensitive columns — like salary or SSN — from unauthorized roles entirely.

check_circle Organization, workspace, base, view levels
check_circle Row-level security policies
check_circle Field-level hide and read-only controls
check_circle Export restrictions per role
check_circle Role inheritance and custom roles

language

IP Allowlisting

Restrict access to approved networks

Enterprise plans allow you to restrict Kintable access to specific IP ranges — your office network, VPN egress addresses, or both. Access attempts from outside the allowlist are blocked at the authentication layer before any user data is accessible.

check_circle IPv4 and IPv6 CIDR range support
check_circle Blocks at the authentication layer
check_circle Compatible with corporate VPN egress
check_circle Admin alerts on blocked access attempts

public

Data Residency

Control where your data lives

Kintable Cloud runs on secure managed cloud infrastructure in the United States by default. Enterprise customers with strict data residency requirements — regional hosting, dedicated tenancy, or on-premises deployment — can discuss custom infrastructure options with the Kintable team.

check_circle US-hosted secure managed cloud (default)
check_circle Regional deployment options on request
check_circle Dedicated tenancy available
check_circle Custom implementation consultation

IT REVIEW CHECKLIST

What your IT team will check. And what Kintable answers.

We've been through enterprise security reviews. Here's how Kintable answers the standard IT questionnaire — before you even need to send one.

task_alt

Does it support our SSO? (Okta / Azure AD / Ping)

Yes — Kintable supports SAML 2.0 SSO with Okta, Microsoft Azure AD (Entra ID), Ping Identity, Google Workspace, and any custom SAML 2.0 provider. Setup is self-serve from the admin panel.

task_alt

Can we auto-deprovision users when they leave?

Yes — SCIM 2.0 integration with your identity provider handles provisioning and deprovisioning automatically. No manual offboarding steps required in Kintable.

task_alt

Is data encrypted at rest and in transit?

Yes — AES-256 at rest, TLS 1.2+ in transit. All encryption is on by default with no opt-in required. Encryption keys are managed per-tenant and rotated on schedule.

task_alt

Can we restrict access to our corporate network?

Yes — IP allowlisting on enterprise plans lets you restrict Kintable to approved IP ranges. Access from outside those ranges is blocked at the authentication layer.

task_alt

Is there a full audit trail for compliance?

Yes — every record change, approval, login, and permission change is logged with a UTC timestamp, user identity, IP address, and before/after values. Logs are exportable in CSV and JSON.

task_alt

Can we prevent users from exporting sensitive data?

Yes — field-level and view-level export restrictions prevent users from downloading data they're not authorized to access, even if they can see it on screen.

task_alt

Do you have a pen test or security documentation?

Security documentation including infrastructure architecture, penetration test results, and sub-processor list is available under NDA to enterprise prospects. Request access →

task_alt

What are the backup and recovery SLAs?

Kintable Cloud runs daily automated backups with point-in-time recovery. Uptime and recovery SLAs are documented in the enterprise agreement. Custom SLA terms are available for enterprise contracts.

SECURITY FAQ

Common security questions.

Does Kintable encrypt data at rest and in transit? expand_more

Yes. Kintable encrypts all customer data at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed per-tenant and rotated on a scheduled basis. Encryption is on by default for all plans — there is no opt-in required.

Which identity providers does Kintable support for SSO? expand_more

Kintable supports SAML 2.0 SSO with Okta, Microsoft Azure AD (Entra ID), Ping Identity, Google Workspace, and any custom SAML 2.0 identity provider. SCIM 2.0 is supported for automated user provisioning and deprovisioning. SSO and SCIM are available on enterprise plans.

How granular are Kintable's permission controls? expand_more

Kintable enforces permissions at six levels: organization, workspace, base, view, row, and field. Row-level security policies restrict which records each user can read or write based on their role. Field-level permissions hide or make read-only specific columns for specific roles. Export restrictions prevent unauthorized data downloads from any level.

Does Kintable support IP allowlisting? expand_more

Yes. Enterprise plans support IP allowlisting to restrict Kintable access to approved corporate IP ranges or VPN egress addresses. IPv4 and IPv6 CIDR ranges are supported. Access attempts from outside the allowlist are blocked at the authentication layer before any user data is accessible, and administrators receive alerts on blocked attempts.

Where is Kintable data hosted? expand_more

Kintable Cloud runs on secure managed cloud infrastructure in the United States by default. Enterprise customers with strict data residency requirements — regional hosting, dedicated tenancy, or custom infrastructure — can discuss options during the enterprise sales process. Contact us to start a security review.

Is security documentation available? expand_more

Yes. Security documentation including infrastructure architecture, sub-processor list, and penetration test results is available to enterprise prospects under NDA. Request security documentation →

Ready to run your security review?

Talk to the Kintable team. We'll walk your IT team through SSO setup, permissions architecture, audit log exports, and answer any remaining questions under NDA.

Book a security review View all enterprise features →

Security documentation available under NDA · Custom SLAs for enterprise contracts

Built for IT teamsthat don't compromise.

Every control your IT team will ask for.

SAML SSO & SCIM Provisioning

Encryption at Rest & In Transit

Immutable Audit Logs

Field-Level & Row-Level Permissions

IP Allowlisting

Data Residency

What your IT team will check. And what Kintable answers.

Common security questions.

Ready to run your security review?

Built for IT teams
that don't compromise.