Security

Last Updated: February 26, 2020

Introduction

We at Kritik hold high standards for the security of user data to ensure that all customer data are kept secure and safe. We are committed to adhering to SaaS industry guidelines and practices for maintaining data and information integrity.

Organizational Security

Personnel Security

Security practices apply to all employees, independent contractors, and anyone else with direct access to our internal systems or unescorted access to the Kritik office space. Every employee must agree to confidentiality terms and pass a background screening before receiving initial access to our internal systems. All access is removed immediately upon termination of employment.

Policies and Standards

As part of our Information Security Management System, Kritik maintains a set of 9 related policies and procedures. These policies and procedures help ensure that our customers can rely on Kritik employees to behave ethically and that our services are operated securely. Those policy topics include but are not limited to:

Authorization/Authentication

Kritik abides by the least privilege principle. Employees have access only to the data that they have to handle in order to fulfill their current job responsibilities. Employees are granted access to a small number of internal systems upon hiring, but the system owner or their direct manager must approve any requests for additional access. Kritik employs multi-factor authentication, where possible, for administrative access to systems containing any sensitive data.

Disaster Recovery and Business Continuity

Kritik reviews and revises its disaster recovery and business continuity plans annually. We use our hosting provider's services to distribute our production operations across four separate physical locations and to provide redundant power and network connectivity. Kritik also stores backups from our primary operating environment in a separate location more than 500 kilometers away.

Third-Party Service Providers

For certain aspects of our operations, Kritik uses third-party providers. Where those organizations can have an impact on the safety of our production environment or customer data, we take appropriate steps to ensure that Kritik's security stance is maintained. Kritik establishes agreements with all third-party providers that require them to honor our customers' confidentiality commitments.

Security Incident Response

Kritik has documented policies and procedures for responding to security incidents, including step-by-step guides. All incidents are managed by our production operations team, which classifies them by severity and determines the remedial steps required. These procedures are reviewed and updated annually.

Physical Security

Kritik infrastructure is hosted on Amazon Web Services (AWS). The AWS data centers are equipped with multiple physical barriers of access including:

See this whitepaper for more information on AWS security processes. No Kritik employee has physical access to any AWS data centers, servers, networking equipment, or storage. The Kritik offices are access controlled by electronic access cards.

Technical Security Measures

Data Encryption

Strong encryption is used for all Kritik data in transit over public networks. This includes any and all data transmitted between servers and Kritik clients. Kritik systems support the latest recommended secure cipher suites and allow only encrypted customer traffic.

Data at rest is encrypted in accordance with the FIPS 140-2 standard. This includes all relational databases, backups, file stores, etc. Keys are generated in Hardware Security Modules and are never stored alongside any other customer or Kritik data.

Network Security

To keep customer data separate from test and development data, Kritik divides its systems into separate networks. Systems used for testing and development are hosted in a separate network segment and managed in a separate AWS account. Any customer data submitted to Kritik may only be stored in our production environment. Administrative access to the production environment is limited to engineers and support staff with a specific business need.

Access to Kritik's production environment is tightly restricted. Most systems can be reached only on ports 443 or 80 through dedicated load balancers, and all application servers are assigned private, non-routable IP addresses.

Infrastructure

Customer data is processed and logically segregated in multi-tenant datastores. Our application code enforces strict privacy controls to protect data privacy and prevent cross-customer data access. All data in our system is tagged by account, and every request to our system requires an account context. Any attempt to tamper with an open session results in that session being logged out immediately and all of its requests refused.
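The three controls described above (account-tagged records, a mandatory account context per request, and rejection of a tampered session) as an added illustration in Python; this is not Kritik's code, and the key, session ids and records are constructed demo values:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and data (not Kritik's real values): every record
# carries the account that owns it, so every lookup can be tenant-checked.
SESSION_KEY = b"constructed-demo-key"
RECORDS = {
    "r1": {"account": "acct-A", "body": "course A grade sheet"},
    "r2": {"account": "acct-B", "body": "course B grade sheet"},
}
LIVE_SESSIONS = {"s-100", "s-200"}  # server-side set of open sessions


def _sign(payload: str) -> str:
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, account: str) -> str:
    """Bind the account context to the session and sign the pair."""
    claims = json.dumps({"sid": session_id, "account": account})
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{payload}.{_sign(payload)}"


def account_context(token: str):
    """Return the account bound to a valid, open session, else None.
    A signature mismatch means the client altered its session claims:
    the session named in the token is closed and the request refused."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        try:
            sid = json.loads(base64.urlsafe_b64decode(payload))["sid"]
            LIVE_SESSIONS.discard(sid)  # log out the tampered session
        except (ValueError, KeyError, TypeError):
            pass
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["account"] if claims["sid"] in LIVE_SESSIONS else None


def fetch_record(token: str, record_id: str):
    """Every request needs an account context; data is filtered by that tag."""
    account = account_context(token)
    if account is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None or rec["account"] != account:
        return 404, None  # same answer whether missing or another tenant's
    return 200, rec["body"]
```

A forged account claim fails the signature check before any data lookup, so the other tenant's record is never consulted.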

Secure Development Lifecycle

Security is a critical part of Kritik's software development lifecycle (SDLC), and our systems are designed to follow OWASP principles. Any and all modifications to Kritik's production code or infrastructure are subject to code review. Kritik's application servers are started from well-known images that are frequently updated with the latest code and operating system patches. To check code changes prior to delivery, Kritik uses separate testing environments, manual code reviews and automated static code analysis. We follow a continuous deployment model, so our customers benefit immediately from bug fixes and upgrades. In addition, our development process allows critical updates and vulnerability fixes to be prioritized immediately. Kritik also employs dependency vulnerability monitoring to ensure that the third-party code we rely on does not contain any known security vulnerabilities.

Logging and Monitoring

All access to production systems is logged and monitored by Kritik's operations team. Each request for elevated access to the production environment is reviewed and approved to ensure that it meets a legitimate business need, and this access expires automatically. Additionally, any direct system access to production servers requires a private key that one of our administrative users has countersigned. Through our on-call rotation, Kritik's operations team provides 24/7 support, and we have several dozen alarms in place to ensure that all systems are operating as expected.

File and Database Backups

In addition to daily full snapshots, all production database instances stream backups via database replicas. These backups are stored in a separate AWS account that is protected by a multi-factor authentication token available only to a limited number of executive personnel. For disaster recovery purposes, file backups are streamed continuously to the same backup account. All backups are encrypted and stored in a different geographical region, with keys separate from those of the original production data. At least annually, Kritik performs backup restoration drills to verify the process and ensure we can recover quickly in the event of a disaster.

Conclusion

Kritik takes the security of its users' data seriously, and we are committed to ensuring that all customer data are kept confidential and secure.