Security

Introduction

At Kadanza, we take data security very seriously.

Data security is an integral part of our global operations. In fact, information security is a vital part of our platform and organization, and it is ingrained in our people, processes, and technologies.

Our approach is straightforward: every employee is properly trained on the use of our different information classification levels to make sure all data is handled safely. They are responsible for information security, including protecting:

• Information assets
• Customer and partner information assets
• Business methodologies and knowledge
• The underlying technology infrastructure

We further ensure the safety of customer data by restricting employee access to our production environment. Access to any Kadanza installation besides our own is managed via a Just-In-Time (JIT) principle. In case we have to provide support and access a customer’s installation.

As a cloud company, we’ve also invested heavily in:

• Maintaining and growing our cybersecurity capabilities
• Building a dedicated compliance team who provides independent assurance that our information security program meets and even exceeds national and international security standards and follows industry best practices
• Supporting employees across all the information security domains with dedicated subject matter experts

Moreover, our program is subject to annual independent audits for compliance and industry standards certifications, ensuring that our program meets and even exceeds all security requirements.

Information classification

We make use of four different information classification levels:

1. Public

Making the information public cannot harm the organization in any way. The information is publicly available.

2. Internal use

Unauthorized access to information may cause minor damage and/or inconvenience to the organization. This information is available for all employees and selected third parties that need access to the information to perform their tasks.

3. Restricted

Unauthorized access to information may cause serious damage and/or inconvenience to the organization. This information is available only to a limited group of individuals in the organization and a restricted number of external parties.

4. Classified

Unauthorized access to information may cause catastrophic (irreparable) damage to business and/or to the organization's reputation. This information is available only to a limited group of individuals in the organization

Whenever you notice a security issue, or you have any security-related questions, don’t hesitate to contact us via infosec@kadanza.com. Our security team will get back to you as soon as possible.

The Coordinated vulnerability disclosure policy

At Kadanza, we are concerned about the security and integrity of our network systems, databases and the protection of personal data. And while we try to create the most secure platform possible, weak spots might still be possible.

Weak spots can be discovered in two ways: you accidentally run into something during normal use of a digital environment, or you explicitly make an effort to find a weak spot.

We monitor our network ourselves. This means that there is a good chance that a scan will be picked up, that our security staff will investigate this and that unnecessary costs may be incurred.

We also realise that, despite the best intentions and care, a vulnerability may occur in
the security of systems. If you find a weak spot in one of our systems, we would very much like to hear about it. We can then resolve the vulnerability.

We would like to work with you to better protect our customers and our systems.

We ask you:

• To email your findings as soon as possible to infosec@kadanza.com.
• Not to abuse the vulnerability by, for example, downloading, changing or deleting data. We always take your report seriously and will investigate every suspected vulnerability, even without ‘proof’.
• Not to share the problem with others until it has been resolved.
• Not to use attacks on physical security, social engineering or hacking tools, such as vulnerability scanners.
• To provide us with sufficient information to reproduce the problem, so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the
  vulnerability is sufficient, but more may be required for more complex vulnerabilities.

We guarantee you:

• To respond to your report within five working days with our assessment of the
  report, if the vulnerability was already known and logged and an expected date for a solution.
• To treat your report confidentially and  not share your personal data with third parties without your permission.
  • An exception to this is the police and the judiciary, in the event of a report or if data is
    requested.
• To keep you informed of the progress of solving the problem.
• To credit you in our release notes as the discoverer, if you wish, if the reported vulnerability was not yet known.

Unfortunately, it is not possible to rule out legal action against you in advance. We want to be able to weigh each situation separately. We consider ourselves morally obliged to report the problem if we suspect that the weakness or data is being misused, or that you have shared knowledge about the weakness with others. You can rest assured that a chance discovery in our online environment will not lead to a report.

Kadanza does not have an active bounty program in place. As a thank you for your help, we offer our gratitude and credit your name in our release notes for every report of a security problem that is not yet known to us. In case a new critical vulnerability was discovered, we can consider a reward, which is determined by our InfoSec team on a per case basis. The size of the reward will be based on the severity of the leak and the quality of the report.

We strive to resolve all problems as quickly as possible, keep all parties involved
informed and we would like to be involved in any publication about the problem after it has been resolved.

‍