We employ a dedicated Information Security Officer responsible for our Security Program, in order to centralize the coordination of Information Security throughout our organization.
We are working towards achieving ISO/IEC 27001:2013 certification which applies the guidelines and general principles defined in ISO 27002 for implementing, maintaining, and improving a risk-based Information Security Management System within an organization.
Physical, technical, and administrative safeguards are maintained to help protect the confidentiality, integrity, and availability of data that our customers submit to our platform.
Hosting & Partnerships
We take great care in order to maintain our service in good standing and we select only qualified service organizations. Partners are screened through our “Third-Party Assessment Questionnaire” and always carry out background checks.
The servers we use are hosted with ISO 27001 and SSAE SOC1 & SOC2 accredited service provider data centres provided by Amazon Web Services (AWS).
Layered Security Infrastructure
Klokbox applies a layered security model. Different zones (Production, Staging, Test & Development) in this model are separated through VLANs. Between network segments, network filters are in place through which only necessary traffic can pass. All traffic between zones is registered and monitored. Continuous external vulnerability scanning is performed in order to secure the network, systems, and applications.
Identity and Access Management
Users access the application by providing their username and password in a secure form. Credentials are encrypted in transfer and passwords are validated by comparing the hashed value with the value stored in the database.
The Klokbox platform supports secure logon procedures and allows users to configure the level of password security. The Klokbox solution offers the following settings for setting password complexity:
- New passwords must be unique over the last 6 months
- New passwords must be different from the previous 5 passwords
- Passwords must be at least 8 characters long
- Passwords must include letters in mixed cases as well as numbers
- Passwords must include at least one non-alphanumeric character
- Passwords expire after 180 days
The Klokbox app applies an account lock in case of incorrect password attempts. The number of attempts is limited to 5/hour. Identity and access management for the Klokbox service is performed by one or more customer-designated administrators.
Encryption for data in transfer and at rest
The Klokbox service always requires SSL/TLS between the client (browser & mobile apps) and server. Additionally, encryption is applied in order to protect data at rest. All administrative functions towards Klokbox servers in the data centre are performed over encrypted channels. These include SSH, SSL/TLS, or VPN over IPSEC.
Security in the Software development lifecycle
Klokbox applies an Agile Development Lifecycle and incorporates security throughout this process. The SDLC includes a requirements review (security, privacy, process, functional), design review (threat modelling and analysis, security design review), development controls (static analysis, manual peer code review), testing (dynamic analysis, automated testing, 3rd party security vulnerability), and deployment controls (security, confidentiality, integrity, and availability code reviews, canary release process).
Klokbox’s infrastructure is designed to eliminate single points of failure. The data centres use multiple internets feeds from multiple providers, ensuring that any kind of outage does not impact Klokbox services.
The network is designed in a redundant way to reduce the impact of the availability of the platform. Failure and redundancy tests are performed during the implementation phase and as needed throughout the lifecycle
To ensure the high availability of the Klokbox platform, tools are in place to monitor the application performance. Alerts are triggered automatically when certain thresholds get breached. Customer data is securely backed-up to a disaster recovery data centre. This provides the ability to restore the Klokbox service in the case of a catastrophic event.