Security Statement
Browsers & Screen sizes
KaizApp® is currently available on two browsers: Google Chrome and Microsoft Edge.
Suitable screen sizes include: Mobiles, tablets, desktop computers.
Cloud infrastructure
All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices at:
https://aws.amazon.com/security/
Business continuity and disaster recovery
We back up all our critical assets in near real time and store backups for at least 7 consecutive days, while confirming restoration effectiveness on a regular basis. All our backups are encrypted and stored within AWS.
Secure development
We develop code that mitigates the OWASP Top 10 most critical web application security risks. We follow best practice to ensure the highest level of security in our software and we review our code for security vulnerabilities. We regularly update our dependencies to ensure that none of them have known vulnerabilities.
Penetration Testing
We commission external penetration testing of our applications on an annual basis and remediate any findings, prioritised by an assessment of risk, without delay. We use a penetration test partner whose specialised field is banking and financial application security.
Application security protection
We use a runtime protection system that identifies and blocks the OWASP Top 10 web application security risks and business logic attacks in real time. We use security headers to protect our users from attacks, and security automation capabilities that automatically detect and respond to threats targeting our apps.
Application security monitoring
Members of our team are experts in security and incident response, and are active 24/7 monitoring KaizApp®. We use security monitoring solutions with real-time alerts to get visibility into our application security, identify attacks and respond quickly to any breach. Any security anomaly triggered is reported with technical context to help our engineers take swift action and to support continuous improvement of our code. Our team can assess the impact of attacks and monitor suspicious activity. We use technologies to monitor exceptions and logs, as well as to detect anomalies in our applications. We collect and store logs to provide an audit trail of our applications' activity. We use monitoring such as OpenTracing in our microservices.
Account takeover and User protection
We protect our users against data breaches by monitoring and blocking brute force attacks.
Two-Factor Authentication
We provide two-factor authentication (2FA) to protect against unauthorised access. With 2FA active, knowing a user’s email address and password alone is not sufficient to gain access. KaizApp 2FA uses free and secure authenticator apps (e.g. https://authy.com).
Password Protection Strength
Passwords must be at least 12 characters long.
Domain-based access control
KaizApp® is a business application for enterprises. Users can only be invited to access a KaizApp® account using their business email address. KaizApp® does not support access using public email addresses, which are blocked. Each email domain must be specifically registered within your KaizApp® account (e.g. domain.com, domain.co.uk, domain.de, domain.at etc…) before employees using those domains can be added. This ensures that only employees of domains registered with a KaizApp® account can be added as users.
User access levels
KaizApp® supports a range of user access levels, each with permission to access different information.
ISO/IEC 27001:2013 Information Security Management System
We operate an Information Security Management System as part of the way we work. We are ISO/IEC 27001:2013 certified. This standard provides a framework for establishing and maintaining an information security management system (ISMS) to secure sensitive information through a risk management process that combines IT systems, people, processes and physical security. KaizApp AG is committed to the continuous improvement of its information security systems. We achieve this by building the management of security into our daily, weekly and monthly routines.
GDPR
We are certified compliant to the General Data Protection Regulation (GDPR) for all our accounts and users, no matter their location. The purpose of GDPR is to protect the private information of users and provide users with control over their data. KaizApp AG is committed to the continuous improvement of all aspects of data protection.
Data retention and removal
Account information
We retain your usage data for a period of up to 90 days after account cancellation.
Personal information
Every user can request the removal of personal data by contacting their KaizApp® account owner (their data controller). KaizApp provides the functionality for account owners to delete users and all data that may identify them, but does not by default delete those users’ contributions.
Data Transfer
Other than as outlined above, KaizApp AG does not use any 3rd party providers to process any customer account or user data (other than Stripe for monthly payment plans). Any and all data processing is carried out internally by KaizApp AG.
Payment information – Monthly accounts paid by Credit card
All payment instrument processing for monthly plan payments is securely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. KaizApp AG does not collect any payment information (Stripe does this on our behalf) and we are therefore not subject to PCI obligations.
Employee access
All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers’ sensitive information. Our strict internal procedure prevents any employee or administrator from gaining access to user data other than as permitted and controlled by the procedure. Under the procedure the number of employees with access is absolutely minimised. Permitted reasons for access include where specific approval is granted for customer support purposes.
KaizApp® – AWS Security Description
KaizApp® runs on AWS using an architecture design that follows AWS Well-Architected principles. Administration access to the environment is tightly controlled, with no direct SSH access to the production environment. Deployments are handled using CI/CD pipelines from KaizApp®’s version control repository.
The networking tier consists of three separate subnets – public, private and data – the recommended configuration in line with defence in depth methodologies. The public subnet is the outer layer exposed to the internet and contains the environment's proxy services, including the Application Load Balancer and NAT Gateways.
The private tier contains the EC2 instances which provide access to the application. This layer is configured to communicate with the proxy services only and not with the outside world. EC2 instances are ephemeral in nature and are configured to rebuild regularly on an automatic schedule, limiting the window during which a vulnerability on an instance can persist. Furthermore, no public IP addresses are assigned to the EC2 instances, so they are not visible on the internet. The data tier provides a further layer of segregation and is where the database services for KaizApp® are located. These are configured to communicate only with the application tier and do not have internet access.
Flow logging is enabled to record network traffic. To protect data in transit, AWS Certificate Manager is deployed to manage SSL/TLS certificates. Such certificates are considered safer than traditionally managed SSL certificates because they are cycled on a 3 monthly rolling basis. The application is configured by KaizApp AG to use AWS Systems Manager Parameter Store, a secure alternative to embedding hardcoded credentials within the application, making it harder for any potential attacker to gain access to the database via the application. Patching of the environment is handled on a weekly basis by AWS Systems Manager. Furthermore, intrusion detection (IDS) is enabled via Amazon GuardDuty at the account level.
All user data is encrypted both in transit and at rest. AWS Shield is enabled, providing DDoS protection amongst other related protections.
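As an added example (not KaizApp's code), the following Python audit checks constructed snapshots, shaped like the EC2 DescribeSecurityGroups and DescribeInstances API responses, against the segmentation invariants described above: the application tier accepts traffic only from the load balancer, the data tier only from the application tier, no rule admits SSH, and no instance carries a public IP. The security group ids and their tier roles are assumed placeholders.

```python
"""Drift check for the three-tier public / private / data segmentation.

Added example, not KaizApp's own code. Runs offline over constructed
snapshots; in a real account the same dicts would come from boto3's
describe_security_groups() and describe_instances().
"""

# Assumption: which security group belongs to which tier (real accounts would tag this).
TIER_OF_SG = {"sg-alb": "public", "sg-app": "private", "sg-data": "data"}
# Each inner tier may accept ingress only from the tier directly in front of it.
ALLOWED_SOURCE_TIER = {"private": {"public"}, "data": {"private"}}


def audit_security_groups(security_groups):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    for sg in security_groups:
        sg_id, tier = sg["GroupId"], TIER_OF_SG.get(sg["GroupId"], "unknown")
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # Any rule covering port 22 contradicts "no direct SSH access to production".
            if lo is not None and lo <= 22 <= hi:
                findings.append(f"{sg_id}: SSH (22) ingress permitted")
            # Inner tiers must not be reachable by CIDR at all, only via security groups.
            if tier in ALLOWED_SOURCE_TIER:
                for rng in perm.get("IpRanges", []):
                    findings.append(f"{sg_id}: CIDR ingress {rng['CidrIp']} into {tier} tier")
            # Security-group sources must belong to the adjacent outer tier only.
            for pair in perm.get("UserIdGroupPairs", []):
                src_tier = TIER_OF_SG.get(pair["GroupId"], "unknown")
                if tier in ALLOWED_SOURCE_TIER and src_tier not in ALLOWED_SOURCE_TIER[tier]:
                    findings.append(f"{sg_id}: ingress from {pair['GroupId']} ({src_tier}) into {tier} tier")
    return findings


def audit_instances(instances):
    """Application instances must not have a public IP address."""
    return [f"{i['InstanceId']}: public IP {i['PublicIpAddress']}"
            for i in instances if i.get("PublicIpAddress")]


SECURITY_GROUPS = [  # constructed snapshot; the two rules marked "drift" violate the design
    {"GroupId": "sg-alb", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"FromPort": 8080, "ToPort": 8080, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},  # drift
    {"GroupId": "sg-data", "IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"FromPort": 5432, "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},  # drift
]
INSTANCES = [  # constructed snapshot; the second instance violates "no public IP"
    {"InstanceId": "i-app-1", "PublicIpAddress": None},
    {"InstanceId": "i-app-2", "PublicIpAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS) + audit_instances(INSTANCES):
        print("DRIFT:", finding)
```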
Overview (https://www.youtube.com/watch?v=q6WlzHLxNKI)
Availability & AWS management
KaizApp® performance is monitored 24 hours per day and 7 days per week with proactive issue detection by professional AWS services and maintenance specialists.
KaizApp® is served from the cloud via AWS (Amazon Web Services) with data stored in Dublin. Multi-factor authentication is used to access AWS and other software services. KaizApp® service availability exceeds 99.99%.
Your Responsibilities
Keeping your data secure requires that you maintain the security of your account by using sufficiently strong passwords and storing them safely. You should also ensure that your own systems are adequately secured.
Breach Notification
No service can guarantee absolute security. If KaizApp AG learns of a security breach, we will notify you and affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under the GDPR regulations. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Undisclosed Security
KaizApp operates many other security measures and practices which shall remain undisclosed.
ISO27001
ISO/IEC 27001:2013
KaizApp is ISO/IEC 27001:2013 certified. We operate an Information Security Management System as part of the way we work. This standard provides a framework for establishing and maintaining an information security management system (ISMS) to secure sensitive information through a risk management process that combines IT systems, people, processes and physical security. KaizApp AG is committed to the continuous improvement of its information security systems. We achieve this by building the management of security into our daily, weekly and monthly routines.
ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. A European update of the standard was published in 2017. Organisations that meet the standard’s requirements can choose to be certified by an accredited certification body following successful completion of an audit.
How the standard works
ISO/IEC 27001 requires that management:
- Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.
Note that ISO/IEC 27001 is designed to cover much more than just IT. What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
Certification
An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognised national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself. In some countries, the bodies that verify conformity of management systems to specified standards are called “certification bodies”, while in others they are commonly referred to as “registration bodies”, “assessment and registration bodies”, “certification/ registration bodies”, and sometimes “registrars”.
The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021 and ISO/IEC 27006 standards. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended.
Structure of the standard
The official title of the standard is “Information technology — Security techniques — Information security management systems — Requirements”.
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system’s performance
10. Corrective action
Annex A: List of controls and their objectives
Controls
Clause 6.1.3 describes how an organisation can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls.
There are 114 controls in 14 groups and 35 control categories:
A.5: Information security policies (2 controls)
A.6: Organisation of information security (7 controls)
A.7: Human resource security (6 controls, applied before, during or after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
The controls reflect changes to technology affecting many organisations—for instance, cloud computing—but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.
GDPR
GDPR – KaizApp AG is certified compliant
Continuous Improvement
We are committed to the continuous improvement of all our processes and particularly GDPR and Security. As such we operate an open, non-hierarchical culture where employees are encouraged to identify improvements and collaborate to deliver them.
Certified Compliance
KaizApp is fully GDPR certified and processes data lawfully in accordance with the data protection directive. We do not adopt a policy of ‘local standards’ where companies from different geographies are treated differently. KaizApp applies the GDPR standard to all accounts of all companies from all jurisdictions. KaizApp is also ISO/IEC 27001:2013 certified. Prior to earning GDPR certification KaizApp updated its Privacy Policy, Terms and Conditions of Business and Cookie Policies as published on our website to show our activities are legal, secure and transparent.
Technical Security Measures
Please read “For CIOs”.
Data Breach Notification Policy
Data breaches (should any occur) will be reported to you and to the relevant authorities within the required time frame.
Consent to Services
Use of our services requires each employee to take positive action to ‘opt-in’. Having ‘opted in’ to our services, any email notifications which are part of our service including updates on actions, progress and communications from colleagues can be stopped at any time by opting out of such notifications in the user profile. Users can turn these services back on at any time. Users are in full control at all times. You can revoke access to KaizApp services for any employees leaving your company with a single click.
KaizApp as the Data Processor
The employees you add to KaizApp as users are your data subjects, and you are considered the data controller for their personal data. Using KaizApp to manage your performance improvement means that you have engaged KaizApp as a data processor to carry out certain processing activities on your behalf. According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article).
KaizApp as the Data Controller
Additionally, KaizApp acts as the data controller for the data we collect about you (limited to the identity of your company and the nominated ‘account owner’). First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)). Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR. Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What are KaizApp’s legitimate interests?
Improving the app and our services to help you reach new levels of productivity.
Making sure that your data and KaizApp’s systems are safe and secure.
Subject to your approval, providing customer support to your employees.
Responsible marketing of our product and its features.
Responding to data subject requests
Meeting any regulatory requirements placed on us (e.g. accounting requirements)
Transfers
User data is retained in AWS and is not transferred to any other organisation for any external processing. All processing is retained within KaizApp AG and not outsourced, with one notable exception, which applies to monthly payment processing for smaller accounts paid by credit card. In this case information about the company and the name of the account owner are transferred to Stripe purely for the purpose of payment processing (Stripe is legally compliant and certified to process payments).
Data Subject Requests
You as the employer are the data controller of your subjects. Any requests received by KaizApp from data subjects (your current and former employees) will be forwarded to you for your direct response to them. KaizApp will not respond to your data subjects but will forward any requests received from them to you. You have the controls and facilities within KaizApp to inform current and former employees of any personal data you hold about them and where necessary to delete users and all their data without KaizApp involvement.
KaizApp’s data subjects are the companies who operate KaizApp accounts. We will be delighted to respond to data requests from current and former account holders. However, please note that on deletion or expiry of your account, or after non-payment (i.e. after all types of termination event) all account data will be permanently deleted within 90 days of termination unless required not to do so by law.
Training
All of the above is supported by training. Discussions and considerations relating to GDPR compliance are integrated into our day to day activities.
Data Protection Officer
Grant Thomas
Contact me using our contact form on our website at KaizApp.com