0

Kotis Security

  • updated 1 yr ago

We know that protecting your data is critical, and as your partner we take our role in that seriously. We maintain a wide array of measures to keep data safe in the constantly changing threat landscape, including industry best practices and third-party partnerships. While this article is an overview, it is not an exhaustive list; our engineering and security teams regularly review the security landscape and update our systems accordingly.


Application Security

It’s important to keep security at the forefront when developing any application. We review security risks at all stages of development, including tools and techniques to enforce that. Some highlights include:

  • Security first mindset
  • Manual and automated code review
  • Automated testing for features and security
  • Monitoring for OWASP Top 10 vulnerabilities
  • Leveraging native framework security capabilities wherever possible
  • Code versioning with ability to revert
  • Automatic dependency notifications
  • All systems and software updated before EOL
  • Using the principle of least privilege
  • Developing with a Secure SDLC

Network and Audits

We rely on Amazon Web Services (AWS) to provide our production environment, and do not have any on premise servers. We utilize AWS for server monitoring, network monitoring, firewalls, and other systems to identify malicious traffic. We use Amazon Machine Imaging for server baselines, and perform quarterly vulnerability scans and annual third party penetration testing to enforce that systems remain protected. We have Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to further detect questionable traffic, and can restrict targeted traffic as needed. We perform an annual SOC2 audit to verify compliance with our policies.


Data Security

Beyond the systems themselves, our security procedures involve how to protect data after it gets collected. Notably, we collect the least amount of information necessary to fulfill our service and do not share or sell it to any third parties except those expressly needed to fulfill our service obligations. Some additional efforts include:

  • Personally Identifiable Information (PII) is automatically pured after required retention periods
  • Data is encrypted in transit and at rest
  • Credit card data (where applicable) is processed by payment industry leader Stripe, and never touches our systems even temporarily
  • User account lockouts after repeated login failures
  • Role based access (with principle of least privilege)
  • Enforce SSO/MFA from all vendors that support it
  • BCDR plan tested at minimum annually
  • Never allow production data for development or testing

GDPR and CCPA

Kotis has access to certain PII simply by the nature of shipping items to end users. As it relates to the General Data Protection Regulation (“GDPR”) by the European Union, Kotis acts as a Processor, and you are the Controller; under the California Consumer Privacy Act (“CCPA”) by the State of California, Kotis is a Service Provider, and you are a Business; for other jurisdictions, we each will have roles that are substantially similar to those held under GDPR and CCPA. Kotis only processes PII for the purposes of providing our contracted service, and will not process it for any other purpose. We sign Data Processing Addendums upon request, and can post your Privacy Policy on any end user portals. Kotis can and will coordinate on Data Subject Requests regardless of whether they are sent to you or directly to Kotis.


Additional Policies

Internal policy documentation, including our SOC2 report, is available upon request with a signed NDA.

  • 1 yr agoLast active
  • 109Views
  • 1 Following