Kanonik

How pricing works

How Kanonik is priced.

A short explainer for the person deciding whether to buy: what you pay for, how the price is set, and the two pricing choices that affect your data-governance review.

What you are paying for

Kanonik does not charge you for existing. You are paying for the compliance work it produces: drafted policies, control assessments, and the auditor-ready narratives and evidence bundles that a consultant or auditor would otherwise bill you for by the day.

The tiers differ by volume and by the cost ceilings on the AI work, not by headcount or by how many assets, frameworks, or seats you have.

Plan      For
Solo      One practitioner getting a first framework to audit-ready
Team      A security team running an ongoing programme
Business  Higher volume, higher cost ceilings, priority skill access
Custom    An independent Verifier provider, custom data retention, or procurement and security-review support. Contact us.

Anchored to an auditor day rate, not a platform tax

This is about how the price is justified, not just what it is.

A platform tax is priced on your size: per seat, per asset, per framework, or a percentage of spend. It goes up as you grow, whether or not you get more value, and it has no natural ceiling. That is why teams resent it. It reads as rent on your own growth.

Kanonik is priced against the human labour it replaces. A GRC consultant or auditor bills roughly 1,500 to 3,000 a day. Reconstructing how a control operated over a period into a defensible, reviewer-attributed narrative is work a person would otherwise bill for. So the price is set against that: what you would have paid a human to produce the same output.

Why this matters to you:

  • It gives your finance owner a clean justification: "this replaces roughly N consultant-days a year at X per day." That is a number a CFO can approve.
  • It puts a sane ceiling on the price. You would never rationally pay Kanonik more than the labour it displaces, so the cost cannot run away from the value.
  • It removes the procurement objection that you are being charged for your own size rather than for work delivered.

Bring your own model key, and why it keeps your sub-processor list clean

This one is about data governance and vendor risk. It affects your DPA and your security review, so it usually matters most to your CISO, GRC lead, or procurement team.

The mechanism. Kanonik uses an AI model (from a provider such as Anthropic) to do the reasoning. The question is whose contract that AI provider sits under.

  • If Kanonik routed your data to the AI provider under Kanonik's contract, that provider would become a sub-processor on Kanonik's list. Every sub-processor is a new party your data flows through. It has to be disclosed in the DPA, it widens your vendor-risk surface, it is one more due-diligence item, and it is something you can object to.
  • With bring your own model key, you supply your own key and your own contract with your chosen AI provider. Your data reaches the model under your contract. The AI provider is your direct processor, a relationship you already own and control, and it never appears on Kanonik's sub-processor list. Supported providers are Anthropic Claude, OpenAI, AWS Bedrock, Google Gemini, and Azure OpenAI.

Why this matters to you:

  • A shorter Kanonik sub-processor list means a cleaner DPA and one fewer thing for procurement to clear.
  • You keep control of which model, which region, and which terms govern your data, under a contract you already trust, instead of inheriting Kanonik's choice.
  • For a regulated buyer (fintech, healthtech, or anyone under DORA, NIS2, or the EU AI Act), every disclosed sub-processor is a due-diligence item and a potential objection. Removing one is material.

The escape hatch. If you would rather not manage a key, the Kanonik-paid Verifier is an opt-in add-on: Kanonik supplies and pays for the model. In that case the provider does become a Kanonik sub-processor, but only because you chose convenience over control. The default is control (you bring the key); the add-on is convenience. Kanonik itself remains a sub-processor in either case.

The short version

  • You pay for compliance work produced, benchmarked against what a consultant would charge for it. Not a tax on your size.
  • By default, your AI provider stays your direct contractor and never lands on Kanonik's sub-processor list. If you prefer, Kanonik can run the model for you as an add-on.

Questions about which plan fits, or about the data-governance details for your review? Contact us at [email protected].

ISO 27001:2022 is live today. SOC 2 is next. Bring your own model key on every tier; the Kanonik-paid Verifier is the opt-in add-on.

Priced against the work, not your size.