Security is architecture, not patchwork. Every kinplug plugin was designed from the start for production use in Japanese financial, insurance, and healthcare groups.
All services run on Google Cloud Platform's Tokyo region (asia-northeast1). Data stays in Japan by default. Cloud Run, Secret Manager, and IAM are configured with strict least-privilege principles.
OAuth tokens are stored AES-256 encrypted in a Kintone app (App 1434), scoped per subdomain. Subdomain scoping means a connection made on edamame.kintone.com cannot be read from orix-metro.kintone.com — cross-tenant isolation is enforced at the data layer.
All traffic is encrypted with TLS 1.2 or later. API authentication is handled by Clerk (Google, Microsoft, email OAuth). API rate limiting, CORS restrictions, and CSP headers are applied.
Enterprise plans include a proxy configuration for whitelist-restricted environments, or an on-premise deployment option. Contact us to discuss your specific constraints.
Plugin artifacts (ZIP + PPK signing keys) are double-backed up in Kintone App 1415 and triple-backed up in a private GitHub repository. OAuth connection data lives in your Kintone and follows your existing Kintone backup policy.
We notify customers of security incidents within 24 hours. Vulnerability reports: security@kinplug.com. We acknowledge responsible disclosure and consider bounties where appropriate.
Enterprise plans include: DPA (Data Processing Agreement) execution, security questionnaire completion, SOC 2-style written responses, and company/security documentation for procurement approval packs. Formal SOC 2 certification is targeted for H2 2026.
If we ever cease operations, we commit in contract to open-source the Kinplug Mail API server and actively support every customer's self-hosted migration. Plugins other than Kinplug Mail are fully self-contained inside your Kintone — they do not depend on our infrastructure.