Data Protection Policy
Updated: June 23rd, 2019
Privacy and Personal Data Protection Policy
General Data Protection Policy
Knowde currently observes the security practices described herein. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Knowde may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
- Access Control
- Preventing Unauthorized Product Access
- Outsourced processing: Knowde hosts its Service with outsourced cloud infrastructure providers. Additionally, Knowde maintains contractual relationships with vendors in order to provide the Service in accordance with our Mutual Data Processing Agreement. Knowde relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: Knowde hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
- Authentication: Knowde implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Knowde’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.
- Preventing Unauthorized Product Access
- Preventing Unauthorized Product Use: Knowde implements industry standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: Knowde implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Security reviews of code stored in Knowde’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
- Penetration testing: Knowde maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
- Limitations of Privilege & Authorization Requirements
- Product access: A subset of Knowde’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated periodically. Employee roles are reviewed at least once every six months.
- Transmission Control
- In-transit: Knowde makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Knowde products. Knowde’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: Knowde stores user passwords following policies that follow industry standard practices for security. Knowde has implemented technologies to ensure that stored data is encrypted at rest.
- In-memory: for certain specific, sensitive data types, Knowde encrypts these data in memory.
- Input Control
- Detection: Knowde designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Knowde personnel, including security, operations, and support personnel, are responsive to known incidents.
- Response and tracking: Knowde maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Knowde will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Communication: If Knowde becomes aware of unlawful access to Customer data stored within its products, Knowde will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Knowde is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Knowde deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Knowde selects, which may include via email or telephone.
- Availability Control
- Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
- Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
- Failover: Knowde’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Knowde operations in maintaining and updating the product applications and backend while limiting downtime