Security and Privacy

Organization Security
This section outlines the measures and policies in place to ensure organizational security across our employees as well as our physical and digital assets.
- ISMS: We have implemented an ISMS (Information Security Management System) to ensure security at various levels.
- Employee Onboarding: All onboarded employees go through a background check by an authorized agency.
- Employee Awareness: Security and privacy terms are explained to employees and form part of their contract. Awareness sessions are conducted periodically.
- Endpoint Security: All endpoints and their logins are controlled by industry-standard endpoint security management software and professionals.
- Responsibilities and Accountability: Access to organizational resources by teams and individuals is controlled and managed by policies.
- Internal Auditing: Regular internal audits ensure the organization is compliant.
Infrastructure Security
This section outlines the protective measures and protocols implemented to safeguard the physical and virtual components of an organization's IT environment, including networks, servers, and data centers.
- Firewalls: We implement firewalls for all external traffic. Network segmentation and access groups between servers are in place. All changes to the network are reviewed and approved.
- Isolation: Our production environment is completely isolated, and access is managed according to the security policy.
- Hardened Servers: The operating systems of our servers are hardened, with appropriate access given to users.
- Intrusion Detection and Prevention: All our servers are monitored at the network entry points. All incoming traffic is monitored through a WAF. We have implemented controls such as IP routing, blacklisting/whitelisting, and rate limiting.
Application Security
This section outlines the practices and controls put in place to identify and mitigate vulnerabilities in software applications, preventing unauthorized access and data breaches. It is controlled across six areas – Authentication, Session Management, Authorization, Confidentiality, Integrity, and Accountability and Administration.
Authentication
We have implemented protocols ensuring that only an authenticated user can access the application and data.
- Multiple authentication schemes: All user activities must be authenticated by one of the schemes below.
  - User ID/password
  - OAuth (Google / Microsoft)
  - Hooks for enterprise SSO
  - A different authentication scheme can be configured for each tenant.
- Second-factor authentication: All our platforms implement second-factor authentication using one or both of the methods below.
  - SMS/email OTPs
  - Can be enabled/disabled per tenant
- Forgot Password: Users can reset their password themselves.
- API Authentication: Our platforms support three different API authentication options.
  - OAuth tokens for applications connecting through APIs
  - Refresh tokens and access tokens
  - API access at user level or at tenant level
- Tenant ownership: If domain restriction is enabled, only one user can be the tenant owner.
Session Management
We have implemented protocols to manage user sessions within our application, ensuring secure and seamless user interactions while preventing unauthorized access.
- Session Management
  - A session is created upon successful authentication.
  - Separate sessions are maintained for logins from different devices.
  - Sessions contain user information and must be validated on every server access.
  - All sessions time out (idle timeout as well as absolute timeout); timeouts are also configurable at tenant level.
  - Customers can choose to remember devices.
  - Session IDs are rotated periodically.
- Handling vulnerabilities
  - Broken session management (session ID hijacking: never place the session ID in the URL; each session must map to a clearly identifiable user)
  - Brute forcing (strong password standards)
  - Broken access control (within a tenant or across tenants)
  - Unvalidated inputs (a common framework controls inputs, including in APIs)
  - Cross-site scripting
  - SQL injection
  - Insecure storage (user passwords, keys, PII data, etc.)
  - Denial of service (concurrency, volume)
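The session controls listed above (per-device sessions, idle and absolute timeouts at tenant level, periodic session ID rotation, validation on every server access, and an admin "stop session" action) can be shown in one small in-memory store. The code below is an added illustration, not Kea's own implementation; the `TenantSessionPolicy` values, the `SessionStore` class and the injected `now` clock are assumptions made for the example.

```python
"""Illustrative session store (added example, not Kea's code).

Assumptions: timeout values live in a per-tenant policy object, the current
time is passed in as a float so the behaviour can be exercised without
sleeping, and the session id only ever travels in a cookie or header.
"""
import secrets
from dataclasses import dataclass


@dataclass
class TenantSessionPolicy:
    idle_timeout_s: int = 15 * 60       # idle timeout, configurable per tenant
    absolute_timeout_s: int = 8 * 3600  # absolute timeout, configurable per tenant
    rotate_after_s: int = 5 * 60        # rotate the session id at least this often


@dataclass
class Session:
    session_id: str
    user_id: str        # every session maps to a clearly identifiable user
    tenant_id: str
    device_id: str      # a login from another device gets its own session
    created_at: float
    last_seen_at: float
    rotated_at: float


class SessionStore:
    def __init__(self, policies):
        self._policies = policies  # tenant_id -> TenantSessionPolicy
        self._sessions = {}        # session_id -> Session

    @staticmethod
    def _new_id():
        # 256 bits of randomness; never embedded in a URL
        return secrets.token_urlsafe(32)

    def create(self, user_id, tenant_id, device_id, now):
        """Create a session after successful authentication."""
        sid = self._new_id()
        self._sessions[sid] = Session(sid, user_id, tenant_id, device_id, now, now, now)
        return sid

    def validate(self, session_id, now):
        """Validate on every server access.

        Returns (current_session_id, session); the id may differ from the one
        presented when a rotation happened. Returns (None, None) when the id is
        unknown or the session has timed out.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None, None
        policy = self._policies.get(s.tenant_id, TenantSessionPolicy())
        expired = (now - s.created_at > policy.absolute_timeout_s
                   or now - s.last_seen_at > policy.idle_timeout_s)
        if expired:
            del self._sessions[session_id]
            return None, None
        s.last_seen_at = now
        if now - s.rotated_at >= policy.rotate_after_s:
            # periodic rotation: the old id stops working immediately
            del self._sessions[session_id]
            s.session_id = self._new_id()
            s.rotated_at = now
            self._sessions[s.session_id] = s
        return s.session_id, s

    def terminate(self, session_id):
        """Admin 'stop session' action; True if a live session was removed."""
        return self._sessions.pop(session_id, None) is not None

    def sessions_for_user(self, user_id):
        """Admin view of current devices logged in for a user."""
        return [s for s in self._sessions.values() if s.user_id == user_id]
```

Rotation is handled inside `validate` so that callers only ever learn the new id through the one path every request already takes; the response layer then re-issues the cookie when the returned id differs from the presented one.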
Authorization
We have implemented protocols ensuring that only authorized users can access functions and data.
- Roles within Kea
  - Below are some of the roles expected in Kea:
    - Tenant owner/admin – user creating new tenants
    - Tenant user – user invited to the tenant
  - Below are the roles for datasets:
    - Dataset owner – user creating the dataset
    - Collaborator – user invited to edit/reupload and view data
    - Viewer – user invited to only view data
- Function-level authorization
  - Users are assigned roles.
  - Roles are assigned page/function/action-level access.
  - Access can be upgraded based on the authentication scheme.
- Dataset-level authorization
  - Only the dataset owner or a collaborator can update or edit data, or invite other users.
  - Users can have different roles for each dataset.
  - If there are domain-level restrictions, a dataset is shared only with users within the domain.
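The dataset role model above (owner, collaborator, viewer; a role per user per dataset; no cross-tenant access; sharing limited to the tenant's domain when a restriction is set) is easy to get subtly wrong, so here it is as an explicit authorization check. This is an added example, not Kea's code; the `ROLE_ACTIONS` table, the action names and the `Tenant`/`User`/`Dataset` shapes are assumptions.

```python
"""Illustrative dataset-level authorization (added example, not Kea's code).

Assumptions: roles are stored per (user, dataset); a tenant optionally carries
an allowed e-mail domain; action names are the ones used in ROLE_ACTIONS.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class DatasetRole(Enum):
    OWNER = "owner"
    COLLABORATOR = "collaborator"
    VIEWER = "viewer"


# Actions each dataset role may perform; owner and collaborator may invite,
# only the owner may delete.
ROLE_ACTIONS = {
    DatasetRole.OWNER: {"view", "edit", "reupload", "invite", "delete"},
    DatasetRole.COLLABORATOR: {"view", "edit", "reupload", "invite"},
    DatasetRole.VIEWER: {"view"},
}


@dataclass
class Tenant:
    tenant_id: str
    owner_id: str
    allowed_domain: Optional[str] = None  # set when domain restriction is enabled


@dataclass
class User:
    user_id: str
    tenant_id: str
    email: str


@dataclass
class Dataset:
    dataset_id: str
    tenant_id: str
    roles: dict = field(default_factory=dict)  # user_id -> DatasetRole


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def is_authorized(user, action, dataset, tenant):
    """Deny by default; a role on another dataset grants nothing here."""
    # cross-tenant access is never allowed, whatever role the user holds
    if user.tenant_id != dataset.tenant_id or dataset.tenant_id != tenant.tenant_id:
        return False
    role = dataset.roles.get(user.user_id)
    if role is None:
        return False
    return action in ROLE_ACTIONS[role]


def invite(inviter, invitee, role, dataset, tenant):
    """Share a dataset with another user.

    Returns True on success; False when the inviter lacks the invite action,
    the invitee is outside the tenant, the tenant's domain restriction
    excludes the invitee, or ownership is being handed out by invitation.
    """
    if not is_authorized(inviter, "invite", dataset, tenant):
        return False
    if invitee.tenant_id != tenant.tenant_id:
        return False
    if tenant.allowed_domain and email_domain(invitee.email) != tenant.allowed_domain.lower():
        return False
    if role is DatasetRole.OWNER:
        return False  # ownership comes from creating the dataset, not from an invite
    dataset.roles[invitee.user_id] = role
    return True
```

Note that the tenant check runs before any role lookup, so a stale or mis-keyed role entry can never open a dataset to a user from another tenant.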
Confidentiality
We ensure that data confidentiality is maintained and that PII data is not accessible during transmission or storage.
- PII data is encrypted at all times (in storage and on the network).
- Logging is PII-aware and does not log PII data.
- All keys are vaulted, and developers do not have access to them.
- Application access to databases is secured using keys that are vaulted.
- Support access is read-only and is audited whenever used.
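"Logs are PII-aware" is usually implemented as a redaction step that runs before a record reaches any handler, so that neither free-text messages nor structured fields leak identifiers. The following is an added example of such a filter for Python's standard `logging` module; it is not Kea's code, and the `SENSITIVE_KEYS` set, the e-mail pattern and the sample messages are constructed for the illustration.

```python
"""Illustrative PII-redacting log filter (added example, not Kea's code).

Assumptions: PII arrives either inside the formatted message text (e-mail
addresses) or as structured fields passed via logging's extra= mapping, and
the field names in SENSITIVE_KEYS are the ones considered PII or secrets.
"""
import logging
import re

# constructed pattern: good enough to catch e-mail addresses in free text
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# constructed list of structured field names that must never be logged in clear
SENSITIVE_KEYS = {"email", "phone", "password", "ssn", "api_key"}


def redact_text(text):
    """Replace e-mail addresses in free text with a fixed marker."""
    return EMAIL_RE.sub("[REDACTED_EMAIL]", text)


def redact_fields(fields):
    """Blank out structured fields whose names are on the sensitive list."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in fields.items()}


class PIIRedactingFilter(logging.Filter):
    """Redacts the message text and any sensitive extra= attributes."""

    def filter(self, record):
        # Format first so %-arguments are covered, then drop the raw args so
        # the unredacted values cannot be re-rendered by a handler.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        for key in list(vars(record)):
            if key.lower() in SENSITIVE_KEYS:
                setattr(record, key, "[REDACTED]")
        return True  # always emit, just with PII removed


def format_with_redaction(msg, *args, **fields):
    """Run one record through the filter and return (message, extra fields)
    as a handler would see them. Used here to make the filter testable
    without capturing output."""
    record = logging.LogRecord("kea.app", logging.INFO, __file__, 0, msg, args, None)
    for key, value in fields.items():
        setattr(record, key, value)
    PIIRedactingFilter().filter(record)
    return record.getMessage(), {key: getattr(record, key) for key in fields}


if __name__ == "__main__":
    # Attach to the handler (not only a logger) so every logger is covered.
    handler = logging.StreamHandler()
    handler.addFilter(PIIRedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.getLogger("kea.app").info(
        "login failed for %s from %s", "alice@example.com", "10.0.0.5",
        extra={"email": "alice@example.com", "user_id": "u42"})
```

Attaching the filter to the handler rather than to a single logger matters: logger-level filters are not inherited by child loggers, so a filter on `"kea"` would not cover records created through `"kea.app"`.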
Integrity
We ensure that the integrity of user activity and data is never compromised.
- Non-repudiation
- Data is not tampered with in transit or in storage (necessary checksums)
- Codification/encoding/encryption of data
- Validation by whitelisting
Accountability and Administration
We have protocols in place for auditing and traceability of all events and data access.
- User Management: the features below are needed in user management.
  - See current users/devices logged in
  - Disable/enable user
  - Stop session
  - Reset password
  - Add/remove roles
  - Assign functions/actions to roles
- Dashboard
  - Activity log viewing
  - Audit log viewing
  - Searching for events
  - Transaction anomalies
Data Security
This section outlines the measures and protocols designed to protect data from unauthorized access, disclosure, alteration, or destruction.
- Data Resilience
  - Avoidance of data loss (data mirroring, snapshots, backup/recovery strategy and implementation)
  - Data access audit (data lineage, audit of all data access)
- Data breach detection and response
  - Detecting suspicious activities
  - Automated alerts
  - Detecting and reporting unauthorized access
  - Monitoring data types, identities, and behaviors
- Data classification and cataloguing
  - Public
  - Internal
  - Confidential
  - PII / Restricted
- Data erasure
  - Users should be able to completely wipe out their data
  - How would physical storage be managed?
  - How would backups be managed?