Security at Kundo
Security of our customers' data is a main priority at Kundo. This document describes our security processes and how we work with security in general.
This document is updated whenever new security policies are added to our processes.
Note that individual customers might have additional safeguards in place as part of their agreement with Kundo. Text in a separate signed agreement supersedes this document.
Responsible for all security work is Emil Stenström, Product Manager at Kundo. For any security related question, contact firstname.lastname@example.org.
All customer data is stored on Amazon's services, strictly within the EU. All access to Amazon is strictly made through encrypted connections.
The customer have ownership of all data that they have stored as part of the service. If the customer terminates its subscription with Kundo, Kundo will deliver a full data dump in a standardized format.
Upon termination of the contract all data on Kundos services that belongs to the customer will be deleted within 30 days. Within another 30 days all data is also removed from all backup systems.
All customers should do their own risk classification of the data they store in Kundo's systems.
This list of statements about the data we store can be used to assess the risk level:
- Kundo stores customer information about the users. The information includes the name, e-mail address, and IP-number of each interaction.
- Kundo also stores the name, e-mail address, and hashed password for each logged in editor in the system.
- Kundo stores the contents of each user's questions, which can include sensitive information, that will then be stored in unstructured form with us. Editors are responsible to prune information that users accidentally posts to Kundo.
- Kundo stores information about how its services have been accessed in the form of log files. These log files exist for 30 days and are then deleted.
- Some of our customers store extra data for each user such as membership numbers or social security numbers. If that is the case, that information should be included in the risk assessment.
All Kundo employees share responsibility for customer support. To make the customer support flow efficient, all employees have access to customer data. This is frequently needed to quickly answer questions from customers.
All employees are given a walkthrough of our security policy upon employment, and are required to follow the procedures outlined there strictly.
Kundo does not have a separate security organization but instead require all employees to be part of keeping our customers' data safe at all times.
As part of Kundo service, several external services are used by Kundo. Before a new service is added its security implications for Kundo is carefully vetted, for instance regarding proper use of encrypted communication and data storage policies.
Full list of external services that use customer data:
- Amazon - This is our main hosting provider. Added: 2016-06.
- Pusher - Handles infrastructure for Kundo's chat product. Added: 2016-08.
- Cloudamqp - Handles internal communication between our apps. Added: 2016-09.
- Sendgrid - Sends all our outgoing email, including editor notifications. Added: 2014-06.
- Google Analytics - Keeps track of which pages visitors go to. Added: 2014-06.
- Sentry - Used for internal error logging and debugging. Added: 2015-07.
- New Relic - Used for internal error logging and debugging. Added: 2014-09.
- Gravatar - Shows an avatar for users that have explicitly uploaded one to their service. Added: 2015-07.
- Stopforumspam - External service used to check if a message received by us is spam. Added: 2015-03.
- Akismet - External service used to check if a message received by us is spam. Added: 2014-03.
Kundo stores personal information and is therefore subject to Swedish law (Personuppgiftslagen 1998:204). Kundo is in compliance will all requirements following that storage.
Logging is done within Kundo's systems mainly for debugging purposes. Logs are only available to Kundo employees.
Examples of data that is logged in our systems:
- All web traffic to each public context hosted by Kundo, including IP and web browser
- All login attempts made at the SSH level against our servers
- All errors that occur thanks to usage of the service
- All e-mails sent by the service
- All backups saved, including the specific point in time they were made
A customer can ask for logs pertaining to their own use in the system given that the customer covers that cost and that Kundo agrees. Full logs can not be handed over since they may contain data the originates from other customers of Kundo's system.
All logs are automatically deleted after 30 days.
Computer clocks are regularly synchronized to make sure all timestamps are as exact as possible.
Kundo owns no physical servers and instead rents them from external services. In our case Amazon is responsible for the physical security of the servers.
Gaining access to the Kundo office where we work day-to-day does not automatically give anyone access to any of our services.
Kundo has monitoring setup for all critical infrastructure. The goal of the monitoring is specifically focused on security but also performance and to find unusual traffic patterns.
All data transfer happens digitally, so no physical transfer of data is ever conducted.
All traffic flows and to, from and between our services are encrypted, including all employee access to sensitive data.
All encryption, access, and otherwise secret keys are stored in encrypted form and are only available on the specific environment where they are used.
We continuously monitor industry standards and make updates to our setup accordingly.
There are three different kinds of users of Kundo's systems:
- Visitors can ask questions and comment on other's questions. If the customer only uses Kundo products without an interface for visitors (Kundo Mail), this role does not apply.
- Editors can edit and deleted questions and comments in the specific context they have given access rights in.
- Administrators are employees at Kundo and have access to all data in all contexts.
Access rights for different kinds of users:
- Editors must login with an e-mail address and password to access the service.
- Administrators must also log in, but need to have first been given administrator access by another administrator.
- To gain physical access to the servers an administrator needs to identify with Two Factor Authentication.
- It's possible to limit the access of both visitors and editors based on a custom integration scheme. If you are interested in this, contact us for more detailed information. The most straightforward custom integration is to only allow access for users that originate from a specific IP-range.
Day to day administration of who has editor access is controlled by the customer. If assistance is needed from an administrator the customer can ask for help through the normal support channels.
If an intrusion attempt that affects customer data is detected the customer is promptly contacted.
Security solutions are based on industry best practices for protocols, authentication and encryption. We don't build our own security solutions and instead trust the proven work of others.
Software development is conducted in a way that ensures high quality, with testing built into the process throughout the process. All code is checked by at least two developers before being set into production.
Environments used for testing are clearly separated from production systems.
In the case of any security incident that affect customer data, the customer will be promptly contacted.
Kundo has a process in place for when a service disruption occurs, and how to debug and get the service up and running as quickly as possible.
Kundo always answers questions about compliance to this document promptly through our normal support channels. This does not incur any cost for the customer.
A customer can ask for logs pertaining to their own use in the system given that the customer covers that cost and that Kundo agrees.
Customers have the right to let a third party perform an external security review of Kundo's systems. Before this is done the customer should notify Kundo about the extent of the review. If a customer performs a security review of Kundo's systems. The customer owns the result of the security review, but Kundo reserves the right to read the findings in order to improve the security for all our customers.
Several such reviews have been performed by customers, and all weaknesses have been promptly patched.
Kundo is responsible for protecting our customers' data from unauthorized access. All data transfer is protected by secure and encrypted protocols.
In the cases where Kundo exposes some part of the information on the internet, we use TLS to encrypt data during the transfer. Automated tools are used to verify that encryption adheres to industry standard.
Private keys for our certificates are stored with an extra layer of encryption. Any private keys that are suspected of being tampered with are immediately discarded and new keys are generated.
Passwords are never stored in plaintext in Kundo's systems. Instead they are stored hashed with a strong hashing algorithm. This means that Kundo employees have no way of seeing or accessing the plain text version of the passwords stored.
Passwords are never sent directly to an editor. Instead a time-limited single-use activation key is generated, and is sent to the editor via e-mail. The editor then uses the activation key to set their own password in the system.
Password resets are handled by generating a new activation key that the editor uses to set a new password.
Account information are now disclosed on the login page (or within error messages on the login page), only that the current combination of username and password is incorrect. This prevents information disclosure attacks where an attacker uses the login page to enumerate valid users in the system.
No standard passwords are used, all editors create unique passwords. All system accounts (including all Kundo employees) have long randomly generated passwords. System accounts are always tied to a specific application.
Passwords are never stored on the client. Passwords are never stored in logs. Passwords are never stored in session variables or cookies.
Application development security
Here's a list of specific application development practices that we follow:
- Debug functionality is always disabled in the production environment.
- The application is protected no matter what entry point an attacker uses, not only the start page.
- Usage of Kundo does not require administrator privileges on the user's computer. A normally configured web browser is sufficient.
- User input is always validated on the server side, never just on the client side.
- Validation is always done with whitelists, not with blacklists.
- User input is validated with respect to format, length, and general sanity.
- User input does never consist of filesystem paths, directories or session information to avoid security issues stemming from that.
- Sensitive data is always sent as HTTP POST data to avoid it being logged in browser history and server log files.
- All access control are done serverside, not clientside.
- While uploading files, only a whitelist of file formats are allowed. The max size of files are controlled for. The number of files are controlled for by regularly removing invalid ones.
- All database access is done through an ORM that protects against SQL injections.
- All template variables are by default escaped to avoid XSS attacks.
- Special consideration is taken to make sure a user can't break out of the application and get access through the underlying system.
- The company that stands behind this document and provides the services.
- Person employed at Kundo.
- The company that has bought the service from Kundo and has signed the contract.
- A user that sends support questions to the customer through Kundo's systems.