trust centre
Trusted by global supply chains
At Kinaxis, trust is foundational. We know our customers rely on us to protect their data, meet regulatory obligations, and operate their supply chains with integrity. This Trust Centre brings together key information about our security, privacy, legal, and responsible technology practices.
Kinaxis Trust Centre
Documentation requests
We’re happy to share documentation to support your due diligence and build trust in our program. Current customers can follow the links for each of the documents listed below. Prospective customers can request an NDA in order to access the documents.
Kinaxis Maestro® undergoes independent third party SOC1 Type II and SOC2 Type II attestation audits.
Maestro has achieved C5 compliance, a cloud security-specific framework developed by the German Federal Office for Information Security (BSI) to meet the expectations of customers in Europe.
Kinaxis is certified under ISO 27001:2022, the international standard for information security management systems (ISMS), reflecting our commitment to maintaining strong, risk-based security controls across our operations.
Kinaxis is a Cloud Security Alliance Trusted Cloud Provider and maintains STAR Registry level 1. A Consensus Assessment Initiative Questionnaire (CAIQ) is publicly available here.
Security
At Kinaxis, we recognize that the security of your supply chain data is paramount. Our commitment extends beyond our platform; we implement comprehensive security measures to protect your information across all facets of our operations.
Key Highlights
- SOC1 Type II audited (Maestro)
- SOC2 Type II audited (Maestro)
- BSI-C5:2020 Type II audited (Maestro)
- ISO 27001:2022 certified
- CSA Trusted Cloud Provider and STAR Registry Level 1
- Single tenant SaaS model
- TLS 1.2+ and AES 256-bit “in-transit” and “at-rest” encryption
- RBAC and permissions
- Advanced SOC monitoring 24x7x365
Maestro is a cloud-based SaaS offering delivered from both private and public cloud infrastructures across regions, including North America, Europe and Asia. Under the private cloud model, we co-locate our infrastructures in enterprise-grade third party data center facilities, primarily with Equinix, and currently have arrangements with Google Cloud Platform and Microsoft Azure for the public cloud model. Depending on the engagement model, our hosting providers may support physical infrastructure, system setup, and environment management.
At Kinaxis offices, physical access is restricted to authorized individuals based on job responsibilities and operational needs. Access is granted following the principles of “least-privilege” and “need-to-know”, and in alignment with our internal digital security program (DSP).
When an employee leaves the company, whether through resignation or termination, physical access is promptly revoked. All physical access tools, such as key cards or badges, are deactivated or collected as part of our offboarding process.
At our data center facilities, the providers are responsible for maintaining strict physical security and environmental controls and have been audited and/or certified based on ISO 27001, SOC 1 & SOC 2 Type II. Data center facilities are monitored by video surveillance and staffed security teams 24/7/365, with access to individual cages controlled by multi-factor authentication methods such as proximity cards, PINs, and biometric scans.
Identity and access management
Kinaxis’ customer access module supports single-sign-on (SSO). In cases where SSO is not leveraged by the customer, access may be granted using valid combinations of user IDs and passwords, in line with the password policy in effect at the customer.
All user activity within the platform is logged and tied to individual user IDs to ensure traceability. Security logs are retained for a minimum of 12 months.
Privileged accounts are regularly reviewed, monitored, and deactivated if no longer required. Access for departing Kinaxis employees is removed from systems and applications within one business day.
Customer access to Kinaxis systems is secured through encrypted channels. Customers are responsible for managing and controlling access for their own users within Maestro.
Encryption and data protection
Kinaxis uses strong encryption to help protect customer data both in transit and at rest.
Data at rest – Customer data is encrypted at the storage layer using at least AES-256 and XTS encryption mode. Backups are also encrypted during the backup process.
Data in transit – Data sent and retrieved by customers over unsecured channels (the Internet) is protected using HTTPS in combination with Transport Layer Security (TLS 1.2+). This supports AES 256-bit encryption algorithms when used with compatible browsers and configurations. Bulk data transfers to Kinaxis environments are secured in the same way.
Endpoint protection – All Kinaxis devices used to access customer environments have encrypted hard drives.
Vulnerability management
Intrusion detection and prevention – Kinaxis uses inline intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for suspicious patterns and known threat signatures. These systems scan all packets in real time and block or reject traffic that appears malicious. IDS/IPS signatures are updated regularly to help ensure protection against emerging threats, including zero-day exploits. Logs are continuously monitored, and appropriate actions are taken when suspicious activity is detected.
Virus protection – Kinaxis uses on-access antivirus/malware detection, centrally managed. Virus definition files are automatically distributed and enforced. Systems with outdated definitions or identified threats are flagged and addressed through regular log reviews and automated remediation processes.
Vulnerability program management – Kinaxis follows an enterprise-wide vulnerability and patch management policy to help protect the confidentiality, integrity, and availability of our services. We use a risk-based approach to assess and prioritize remediation of identified vulnerabilities. Regular vulnerability scans are performed across systems and hosted applications. Ad hoc scans are also conducted in response to newly identified or reported threats that may affect our systems.
Logging and monitoring
Kinaxis regularly reviews logs from key components that support the Maestro platform, including firewalls, FTP servers, gateway servers, load balancers, and domain controllers.
In addition, all network devices, server infrastructure, services, application performance counters, and most application processes are continuously monitored using dedicated monitoring tools. High-priority incidents trigger real-time alerts that are escalated to the appropriate teams, with coverage in place 24/7/365.
Secure development lifecycle
Kinaxis integrates security throughout our Agile-based software development lifecycle (SDLC), combining secure coding practices, threat modeling, and structured change management. We incorporate the Microsoft Security Development Lifecycle into our SDLC to help ensure security is considered from design through deployment. Kinaxis R&D teams regularly conduct peer code reviews and follow established change management processes for all system updates.
We also use the Microsoft Threat Modeling Tool, applying the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess and address potential risks during design.
Security training is delivered through internally-led sessions and materials from recognized third party providers, helping development teams stay current on secure coding principles.
Third party security assessments (penetration testing)
Kinaxis conducts regular security assessments through a comprehensive testing program. Each service update (SU) is internally tested by the Kinaxis product security team and included in quarterly “red team” exercises. In addition, our products undergo annual security testing by an independent third party. Test reports are made available to customers through our online portal and to prospective customers under NDA.
Change management
Kinaxis follows a formal change management process to ensure changes are properly assessed, approved, and implemented with minimal risk to operations. All changes are documented in a change record and include an evaluation of risk, including potential security impacts. Proposed changes must be reviewed and approved before moving forward. Changes to infrastructure and software are developed and tested in a separate test environment before implementation. Relevant stakeholders are informed as part of the change process to support coordination and transparency.
Incident management
Kinaxis maintains a formal Security Incident Response Plan (SIRP) to guide the detection, escalation, and resolution of security incidents. Incidents may be reported from a variety of sources, including employees, contractors, customers, our Security Operations Center (SOC), business partners, and hosting providers. In addition, third party Security Information and Event Management (SIEM) tools are in place to enable continuous log review and real-time threat detection.
Business continuity and disaster recovery
Kinaxis uses a combination of backup and data replication technologies to support the recoverability of customer data and meet defined recovery objectives. The disaster recovery plan is reviewed and tested at least once per year. A summary of the test results is available to customers through the Kinaxis Knowledge Network.
Data retention and deletion
Kinaxis customers retain full ownership and control over their data. Unless otherwise requested, customer data remains in the Maestro environment for the duration of the subscription term. Data is permanently deleted thirty days after expiration of the subscription term, using NIST-approved data deletion methods.
Employee security and privacy practices
All Kinaxis employees undergo pre-employment background checks and sign confidentiality agreements as a condition of hire. Security and privacy training is required during onboarding and reinforced through monthly learning activities. In addition, employees review and acknowledge key corporate governance, security and privacy policies on an annual basis.
Kinaxis conducts security risk assessments of its vendors – particularly those who process customer data or support the delivery of Maestro – to help ensure they meet our security and risk management requirements.
These vendors are also re-evaluated on a regular basis to confirm continued alignment with Kinaxis’ security requirements.
Kinaxis appreciates the investigative work into security vulnerabilities that is carried out by well-intentioned, ethical security researchers. We are committed to working collaboratively with security researchers in resolving security issues in our products and services.
Please read this information carefully and ensure you are able to comply with all guidelines outlined below. By submitting a report, you acknowledge that you understand and agree to follow these expectations.
Reporting a vulnerability
If you discover a potential security vulnerability in a Kinaxis product or system, please report it to us at security@kinaxis.com. To help protect sensitive information, we recommend encrypting your report using our PGP key. Your report should include the specific location of the vulnerability (such as a URL or system component), a brief description of the issue, and clear steps to reproduce and validate the vulnerability.
Our commitment
When we receive your report, we will acknowledge receipt promptly, work with you to confirm and assess the issue, and notify you once it has been addressed.
Guidelines for researchers
To support a responsible disclosure process, we ask that you avoid accessing or modifying data that isn’t your own, limit your testing to only what is necessary to demonstrate the issue (typically no more than a few records), and wait to publicly disclose the vulnerability until it has been resolved. Please avoid conducting tests that could interrupt services, such as denial-of-service attacks. Do not use social engineering tactics against Kinaxis personnel, customers, or partners. You must comply with all applicable laws during your research.
Bug bounty
At this time, Kinaxis does not offer a bug bounty program.
We comply with privacy regulations including the General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable frameworks in the jurisdictions in which they apply. Our Privacy Policy outlines how we collect, use, store, and protect personal information, and explains the rights individuals have under applicable laws. Kinaxis applies data minimization principles across our systems and processes—we collect only the personal data necessary to support our services and limit access based on role and need. Oversight is provided by our Chief Legal Officer, who also serves as our Data Protection Officer, ensuring our privacy practices remain aligned with legal requirements.
Complying with the GDPR within Maestro
Maestro can support customers in meeting their obligations under the GDPR. The platform includes tools to help organizations respond to individual rights requests, including the right to access, correct, delete, or export personal data. Administrators can extract personal data in commonly used formats, make updates directly within the system, and configure user notifications to support transparency.
Requests to restrict or object to processing can be addressed by modifying or excluding relevant data from processing workflows. Personal data is retained only as long as necessary to support service delivery or legal obligations, and is securely deleted or de-identified when no longer required. Where personal data is transferred outside the EEA, Kinaxis relies on Standard Contractual Clauses (SCCs) and other approved mechanisms to ensure appropriate protection.
Maestro applies privacy and security by design, with technical safeguards such as encryption in transit, identity and access management, advanced threat detection, and disaster recovery planning. As the data controller, each customer is responsible for managing data subject requests within their Maestro environment. Kinaxis provides the tools and support to help meet those obligations.
Kinaxis users may have rights to access, correct, delete, or object to the processing of their personal data. These rights can be exercised by contacting us directly at dpo@kinaxis.com.
Our Data Processing Agreement (DPA) outlines the data privacy and protection practices Kinaxis and its affiliated entities follow when processing personal information on behalf of our customers in the provision of our products and services. It covers topics such as data processing roles, security measures, subprocessors, cross-border transfers, and compliance with global privacy laws. The DPA is available as part of our standard contracting materials to support customers in meeting their own legal and regulatory obligations.
We may engage trusted third party service providers (subprocessors) to support the delivery of our services. These providers are contractually required to meet our privacy and security standards.
Below is a current list of active subprocessors, including our own affiliates and third parties. Further instructions for current customers (such as our objection process and update notifications) can be found here.
| Subprocessor | Purpose / Service provided | Country location | Applied safeguard |
|---|---|---|---|
| Microsoft Azure | Cloud hosting and applicable infrastructure services. | EEA, US, Canada, Japan, Australia | Certified under the EU-U.S. Data Privacy Framework (US), Standard Contractual Clauses (Australia), Adequacy Decision (Canada, Japan) |
| Google Cloud Platform | Cloud hosting and applicable infrastructure services. | EEA, US, Canada, Japan, Australia | Certified under the EU-U.S. Data Privacy Framework (US), Standard Contractual Clauses (Australia), Adequacy Decision (Canada, Japan) |
| Equinix | Data center hosting services (co-location model). | EEA, US | Certified under the EU-U.S. Data Privacy Framework (US) |
| Vantage | Data center hosting services (co-location model). | Canada | Adequacy Decision |
| Intermax | Data center hosting services (co-location model). | The Netherlands | N/A |
| Quorum Cyber (Formerly Difenda) | Cyber-security operations center (SOC) services, including security event monitoring. Responsible for identifying potential threats or suspicious activity on the SaaS Services environments and notifying Kinaxis for further action. | Canada | Adequacy Decision |
| Akamai Technologies | Content delivery network, which allows users to connect to the SaaS Services using the same URL, while establishing an optimal path for performance in their region based on their applicable data center. | US | Certified under the EU-U.S. Data Privacy Framework |
Kinaxis hosts customer data in secure data centers located in North America, Europe, and Asia. Our hosting infrastructure includes both private and public cloud environments, with regional availability supported through providers such as Equinix, Google Cloud Platform, and Microsoft Azure.
Customer data may be processed or stored outside its country of origin. Where required, Kinaxis relies on Standard Contractual Clauses (SCCs) and other legally recognized safeguards to ensure appropriate protection of personal data transferred across borders.
We retain personal data only as long as needed to meet our contractual, legal, or operational requirements. When no longer required, data is securely deleted or de-identified in accordance with our retention policy.
Kinaxis uses cookies and similar technologies to operate and improve our website, personalize content, and analyze usage patterns. For more details or to manage your preferences, please refer to our Privacy Policy.
If you have questions about our privacy practices please contact privacy@kinaxis.com. To exercise your rights, please contact our Data Protection Officer at dpo@kinaxis.com.
Kinaxis uses a focused set of agreements designed for enterprise customers. Our contracting framework includes a Non-Disclosure Agreement (NDA) for early-stage discussions and documentation requests, a SaaS Agreement that governs access to and use of the Maestro platform, and a Professional Services Agreement (PSA) for consulting and implementation work.
The SaaS Agreement is supported by an Order Form and includes our Support Guide, Security Guide, availability SLA, and Data Processing Agreement.
Statements of Work (SOWs) issued under the PSA define specific project details.
Kinaxis is committed to operating with integrity, transparency, and respect for people and communities. Our global policies reflect the standards we uphold across our business and supply chain, and help guide how we engage with employees, partners, vendors, and the broader public.
The following policies are available here in the Trust Centre:
Code of Conduct – Sets out the high standards of ethical behavior we expect of everyone at Kinaxis. The code applies to directors, officers, and employees and is a core document to help the team apply our values to every business transaction and every business relationship to help Kinaxis grow rapidly in an ethical, sustainable, and safe manner.
Vendor Code of Conduct – Summarizes Kinaxis’ expectations of third parties providing products or services to Kinaxis (including vendors, partners, consultants, and contractors) and reflects Kinaxis’ concern for all individuals, including its vendors’ workers. Local customs and laws vary by country, but the importance of human rights is universal, and this code is intended to reflect that importance.
Human Rights Policy – Human rights are rights inherent to all human beings, without regard to race, color, religion or creed, sex, sexual orientation, or any other protected grounds. This policy affirms our commitment to upholding human rights across our operations.
Anti-Bribery and Anti-Corruption Policy – Sets out Kinaxis’ commitment to full compliance by its officers, directors, employees, consultants, contractors, agents, and third‑party service providers with Canada’s Corruption of Foreign Public Officials Act and any local anti‑bribery or anti‑corruption laws that may be applicable. The policy complements our Code of Conduct and
Whistleblower Policy – Outlines the procedures in the event of any complaints or concerns of employees regarding accounting and auditing matters, violations of Kinaxis’ Code of Conduct, or any applicable law, rule, or regulation. Complaints or concerns can be made anonymously if desired, and retaliation by the board, management, or any other person or group, directly or indirectly, is strictly prohibited.
UK Modern Slavery Statement – Details our approach to identifying and mitigating the risk of forced labour and human trafficking in our business and supply chain.
Accessibility Policy – Describes our commitment to accessibility and inclusion, including how we meet applicable legal requirements.
Privacy Policy – Explains how we collect, use, and protect personal information in compliance with global privacy laws.
Terms of Use – Outlines how you may access and interact with the Kinaxis website and its content. It covers important information about rights, limitations, and acceptable use.
These commitments reinforce our values and help ensure we operate responsibly, ethically, and transparently.
Innovation drives everything we build at Kinaxis, and we protect it with intention. Our patented technologies underpin the intelligent planning capabilities behind Maestro. By actively investing in intellectual property, we’re not just securing our ideas – we’re helping our customers stay ahead of disruption, adapt with confidence, and continuously innovate in a world that doesn’t stand still.
We hold a broad portfolio of patents in the United States, Canada, and internationally, with additional applications pending, including the following:
United States
#7,610,212, #7,698,348, #7,945,466
#8,015,044, #9,292,573, #9,710,501
#10,467,337, #10,776,260, #10,832,196
#10,846,651, #10,936,501, #11,138,233
#11,144,522, #11,188,856, #11,288,179
#11,308,115, #11,361,276, #11,423,347
#11,481,393, #11,514,328, #11,526,899
#11,537,825, #11,556,470, #11,669,442
#11,665,204, #11,868,363, #11,868,402
#11,868,746, #11,875,367, #11,886,514
#11,887,044, #11,900,259, #11,928,616
#11,954,771, #11,977,861, #12,039,564
#12,045,851, #12,079,121, #12,118,482
#11,853,325, #11,853,279, #11,748,678
#11,775,913, #11,714,758, #11,734,185
#11,836,090, #11,775,433, #11,727,460
#12,154,013, #12,189,619, #12,271,920
#12,346,921, #12,321,348, #12,307,375
#12,306,810, #12,354,061, #12,360,971
#12,361,612, #12,367,189, #12,386,848
#12,393,907, #12,412,137, #12,417,248
#12,430,336
Japan
#4393993, #6975866, #7245961
#7478318, #7485760, #7401619
#7503718, #7654649
Canada
#3,018,881, #3,154,379, #3,154,982
#3,110,889, #3,174,610, #3,171,900
India
#255768 and #279101
Other patents are pending.
This patent listing is designed to meet virtual patent marking requirements in applicable jurisdictions, including under the America Invents Act (35 U.S.C. §287(a)). Our patent portfolio evolves alongside our technology – patents may be filed, issued, licensed, updated, or retired over time. While we update this list regularly, it may not reflect real-time changes. The absence of a specific patent does not limit Kinaxis’ ability to enforce its rights.
Last updated: Oct 8, 2025
Kinaxis®, Kinaxis Maestro®, RapidResponse®, and MPO® are trademarks or registered trademarks of Kinaxis Inc. in Canada, the United States, and other jurisdictions. Use of Kinaxis trademarks must follow applicable laws and our trademark usage guidelines. They may not be used in a way that implies endorsement or partnership without our prior written consent. For clarity and readability, we may occasionally omit trademark symbols (™ or ®), but all rights are fully reserved.
Trademarks of other companies mentioned on this Trust Centre belong to their respective owners.
To request permission to use a Kinaxis trademark, contact us at legal@kinaxis.com.
Kinaxis carries and will maintain appropriate insurance coverage to support our business operations and contractual commitments. Our policies align with industry standards for enterprise SaaS providers and include coverage such as commercial general liability, professional liability (errors and omissions), and cyber liability. Certificates of insurance are available to customers upon request.
The content on this page reflects Kinaxis’ current practices and policies and is not intended to create any contractual commitments or warranties. For legally binding terms, please refer to your signed agreement with Kinaxis.