We utilize enterprise-grade best practices to protect our customers.
Our security commitment
To earn and maintain the trust of the world’s most progressive and people-focused companies, Kallidus Inc. takes all reasonable precautions to protect the confidentiality, integrity and availability of all systems and data entrusted to us by our customers and their employees.
Our customers entrust sensitive data to our care and we’ll never stop improving the security, availability, and robustness of our platform.
Kallidus Inc. solutions undergo regular penetration testing and security reviews, are designed to be GDPR compliant, and encrypt data at rest and in transit.
Secure and Reliable Infrastructure
Our production systems are hosted on Amazon’s AWS cloud platform and all software, systems and networks are configured with security as a key requirement.
We use the industry-standard AWS platform to host our application and data. Our EC2 servers and databases are located in AWS US regions across multiple availability zones (data centers).
We rely on a shared security model to ensure that industry-standard (ISO 27001 and SOC 2) controls are implemented for data and service security. Amazon provides physical security for our technology systems, and we have several architectural controls in place to ensure the same.
Our security practices and commitments
All applications and supporting services are hosted on modern, Linux based operating systems and built upon modern application development frameworks.
All production systems are hosted on Amazon’s AWS cloud platform, in US regions.
All software, systems and networks are configured with security as a requirement.
Application design & security
All new application features are developed in a separate environment and rigorously tested before release applying best practices in web application security.
Kallidus’ platforms support multiple levels of access for administrative functions and are configurable by customer-designated Administrators.
All passwords are hashed with the bcrypt algorithm and salted with a unique salt for each hash.
Local account passwords are required to meet minimum length and complexity requirements.
Sapling application, database and software components are all maintained on AWS infrastructure.
Amazon gates access to its SOC 2 and PCI DSS reports; however, the SOC 3 report is a publicly available summary of the SOC 2 report and can be obtained without an NDA.
That document outlines that AWS meets the AICPA’s Trust Services Principles in SOC 2 and includes the external auditor’s opinion on the operation of controls.
Sensitive information (such as Social Security Numbers) is encrypted in our database using the Advanced Encryption Standard (AES).
Software development practices
Kallidus follows secure development practices and provides ongoing training for employees in secure development methodologies.
All role-based access to privileged application functionality is granted on an explicit whitelist basis.
A strict peer-review process is followed for all code changes, including additional security review for changes to sensitive functionality.
Automated security code analysis tools are used to provide ongoing identification of security issues.
Kallidus production environments are fully segregated from corporate, development and test environments.
All of Kallidus’ production web application traffic is inspected by an intrusion detection and prevention system. Any anomalies are logged and suspected attacks create automatic alerts to personnel for investigation, response and resolution.
Host- and network-based access control lists are used to limit traffic to only the necessary systems and services.
Access to Kallidus’ platform is available only over SSL/TLS with secure cipher suites.
Kallidus’ production servers are subjected to regular vulnerability scans and penetration tests by our internal security team.
Patches are applied on a regular basis depending on the assessed level of risk.
Critical vulnerabilities are remediated within 24 hours.
Third-party management, logging and monitoring
Kallidus logs all system and application activity to a centralized logging service where it is monitored.
Kallidus assesses the risk of all new third party services and systems before adoption, and implements contractual, organizational and technical controls commensurate with the assessed risk.
At minimum, all third party services and systems are verified for consistency with this security overview document.
Customer data protection
Access to customer data is tightly controlled with access only granted to users with a business requirement, for example, to provide implementation or support services.
Backups are performed at least 3 times a day.
Upon written request from an authorized customer account representative, customer data will be removed permanently from Kallidus’ production systems and also removed during any backup restoration event.
Enterprise Grade Compliance
SOC 2 Type I: Kallidus has achieved SOC 2 Type I compliance, a critical security milestone in providing assurance to our customers about Kallidus’ organizational controls.
EU GDPR: Kallidus is committed to meeting the requirements of GDPR, and achieved GDPR compliance in May 2018. As a solution partner, Kallidus is a data processor, as we support our customers with processing the data of their employees (classified as data subjects).
Responsible Disclosure Policy
Data security is a top priority for Kallidus, and Kallidus believes that working with skilled security researchers can identify weaknesses in any technology.
If you believe you’ve found a security vulnerability in Kallidus’ service, please notify us by email at [email protected]; we will work with you to resolve the issue promptly.