Security and Compliance

October 1, 2016

Keeping your valuable data secure is a top priority at Kemvi and is at the core of how we build our product.

With your authorization, Kemvi reads content from your email account. If you choose, Kemvi can also read content from your Salesforce.com account. To achieve this, Kemvi asks you to authorize a connection to your email or CRM.

Kemvi never receives your authentication credentials, and you can revoke Kemvi’s access to your email account and Salesforce.com data at any time from within the application. Kemvi never writes to Salesforce.com or modifies your Salesforce.com account in any way. Kemvi keeps your email data private and secure.

Summary

Kemvi manages its systems in line with security industry best practices, including the ISO 27000 series, which is a global standard that specifies security management best practices and comprehensive security controls.

Kemvi systematically evaluates information security risks and has designed and implemented a comprehensive suite of information security controls that includes access controls, user access management, patching and software upgrades, cryptographic control, physical and infrastructure security, removable media security, network layer security, logging and monitoring, encrypted backups, employee compliance monitoring, and vulnerability and penetration testing.

Kemvi has also adopted an overarching management process to ensure that information security controls remain up-to-date on an ongoing basis.

Infrastructure

All of Kemvi’s infrastructure is housed within Amazon AWS data centers and uses Amazon’s Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3) and Elastic Block Store (EBS) services.

Kemvi maintains no server infrastructure on its premises. No on-premise hardware is ever used to host sensitive customer information.

Amazon AWS control environment

Kemvi leverages Amazon’s certifications and attestations including ISO27001:2005, SSAE16 SOC 1/2/3, and PCI-DSS ROC to provide assurance to Kemvi’s customers of the security of the infrastructure, network, and physical security layers for Kemvi.

To maintain the high level of security it provides to its customers, Amazon does not disclose details about network topology, physical locations, and AWS-specific security procedures to the public.

Amazon personnel do not have logical access to Kemvi’s servers or to the data of any Kemvi customers.

To find more information regarding the security and compliance of Amazon AWS, see http://aws.amazon.com/security/

Physical security

Amazon’s AWS data centers follow and enhance best practices in data center physical security. The exterior physical security is military grade. Personnel who enter the data center are authorized and verified by a government-issued ID and two-factor authentication at each entrance point.

Each entrance is monitored by video surveillance, and all access is logged and audited. All visitors and contractors must present identification and are signed in and continually escorted by authorized staff. Amazon AWS does not permit guests or customers to either tour or inspect its data center. Therefore, Kemvi cannot facilitate any type of physical inspection of AWS hosting facilities for customers.

Access control

Kemvi limits privileged access to the servers under its management and to the information on those servers strictly to its full-time operations and support teams. Kemvi grants access to stored data using granular role-based permissions specified according to the principle of least privilege.

Network layer controls ensure that privileged access is always enforced through secure hosts via an encrypted tunnel. Authentication for all server management requires multi-factor authentication. Kemvi uses virtual firewalls to restrict all inbound and outbound network traffic. All access control policies are designed to minimize the attack surface in the event of account compromise.

Encryption at rest and in transit

Every account that Kemvi protects receives an AES 256-bit encryption key. All data written for the account is encrypted with that key prior to storage. This ensures encryption at rest.

All authenticated user interaction (login, service configuration, settings changes, accessing archived data) occurs over a 256-bit encrypted channel (SSL). All data transmissions with third-party APIs (e.g. Salesforce.com) occur over a 256-bit encrypted channel (SSL). Together, these restrictions ensure encryption in transit.

Data on physical media

Confidential customer information is never stored outside of the AWS infrastructure or on any removable media, such as CDs or USB flash drives. No paper media is ever used for printing sensitive customer information.

Customer data is only transferred outside of Amazon’s EC2 environment when necessary to help solve a customer problem or make product improvements. Customer-sensitive information is never served off of laptops, mobile devices, or physical media outside of the protections provided by AWS.

When customer data is deleted, hard drives and other storage media are removed from the data centers only after media have been sanitized to make data unrecoverable. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.

AWS uses the techniques detailed in DoD 5220.22-M: National Industrial Security Program Operating Manual or NIST 800-88: Guidelines for Media Sanitization to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, it is degaussed or physically destroyed in accordance with industry standard practices.

Logging and audits

Kemvi conducts periodic reviews of audit trails and monitors all systems for intrusion and unauthorized access. Kemvi also implements controls on employees’ access to sensitive information.

Security updates

Kemvi’s servers are kept up-to-date on updates and software patches for all dependencies and installed software. All installed software is authenticated via GPG signature checks.

Security breaches

Forty-seven states of the United States, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. For a full list of such regulations, see security breach notification laws.

Such security breach laws, including Del. Code tit. 6, § 12B-101 et seq., Mass. Gen. Laws § 93H-1 et seq., Cal. Civ. Code §§ 1798.29, Cal. Civ. Code §§ 1798.80 et seq., N.Y. Gen. Bus. Law § 899-aa, and N.Y. State Tech. Law 208, protect state residents by requiring that specific breaches of personal information are promptly disclosed.

However, in general, they protect only “personal information” in the form of personally identifiable social security numbers, driver’s license or state ID numbers, financial account numbers, credit and debit card numbers, and health insurance data.

Kemvi collects no data of that kind and is compliant with all such security breach legislation that defines personal information as described above.

Furthermore, Kemvi’s commitment to data security extends beyond what is legally required: Kemvi protects sensitive customer information independently of what state privacy breach regulations mandate. Kemvi commits to prompt notification of any affected customers if Kemvi experiences a breach that affects their unencrypted data.