Security Policy

The KEBS development center in Chennai operates under 24×7 security protection, both at the premises and floor levels, ensuring only authorized individuals gain access. The building perimeter is fortified with barriers and guards. On the floor level, security guards and smartcard readers authenticate individuals before entry. Employees access the office using smart cards. Key areas in the office are restricted to authorized personnel.

Documents of importance are securely stored in cabinets, accessible only to pre-authorized individuals. Surveillance cameras monitor the office, with footage periodically reviewed by authorized personnel. Fire alarms and water sprinklers are installed for fire emergencies. A visitor access policy is in place. The office benefits from a 24×7 power supply, backed by an uninterrupted power supply system.

KEBS hosts its applications and data on the industry-leading Google Cloud Platform, known for its rigorous security, availability, and business continuity measures. For in-depth details, refer to the GCP Whitepaper, GCP Trust & Security, and the Forrester Report on Data Security Portfolio Vendors.

All KEBS products are hosted on the Google Cloud Platform, with the infrastructure for databases and application servers overseen by the cloud service provider.

KEBS adopts a comprehensive approach to application security, ensuring that from engineering to deployment, including architecture and quality assurance processes, the highest security standards are met.

The application’s initial protection is provided by GCP’s firewall, designed to counter DDoS attacks and other network intrusions. The second layer of defense is KEBS’s application firewall, which guards against malicious IPs, users, and spam. While the application is accessible only to users with valid credentials, it’s essential to understand that security in cloud-based products is a shared responsibility. All stored account passwords in the application are one-way hashed and salted.

KEBS employs a multi-tenant data model for its applications. Each application operates from an individual virtual private cloud, with each customer identified by a unique tenant ID. The application is meticulously engineered to ensure data retrieval only for the logged-in tenant. No customer can access another’s data. Access to the application by the KEBS development team is controlled, managed, and audited. All access activities are logged for future audits.

KEBS engineers undergo training in secure coding standards and guidelines, ensuring products are developed with security at the forefront. A security review is integral to the application engineering process. This review employs static code analysis tools and manual checks to maintain the highest standards.

Distinct environments are utilized for development and testing. Access to systems is strictly regulated based on the need-to-know principle, with built-in Segregation of Duties, reviewed quarterly.

Beyond functional validation, KEBS’s quality assurance process subjects application updates to rigorous security validation. This process is undertaken by a dedicated app security team, including ethical hackers, aiming to identify vulnerabilities. An application update only receives approval if no vulnerabilities compromising the application or data are found.

Only trusted and authorized engineers handle deployments to production servers. A select few pre-authorized engineers have access to the KEBS production environment. To inspect access logs, engineers must obtain approval from a committee of authorized personnel.

Post-deployment monitoring is conducted by a dedicated 24×7 Network Operations Center (NOC) team, watching for suspicious activities or attacks. The application is designed to detect and alert the NOC and Security Operations Center (SOC) teams about unusual activities and infrastructure load situations. An escalation matrix has been established to address potential contingencies.

Periodic comprehensive application audits are conducted by an information security team. These tests utilize static analysis tools, manual analysis, network penetration tests, and other black box tests to identify vulnerabilities. The security team remains vigilant about common vulnerabilities and exposures, staying updated with the US National Vulnerabilities Database.

KEBS prioritizes the protection and security of its customers’ data. While KEBS manages the security of its application and customer data, individual account provisioning and access management fall under the purview of individual business owners.

The KEBS development team does not access data on production servers. Changes to the application, infrastructure, web content, and deployment processes are extensively documented as part of an internal change control process. The security review ensures compliance with KEBS’s internal Information Security Management System (ISMS) policies.

Customer data collected by the product is limited to names, email addresses, and phone numbers, retained for account creation. KEBS is committed to the integrity and protection of customer data. Data at rest is encrypted using AES-256 bit standards (key strength – 1024) with key management by AWS Key Management Service. All data in transit is encrypted using the FIPS-140-2 standard over a secure socket connection for all accounts hosted on kebs.com.

Application logs are maintained, with incremental data recovery and consistent, cluster-wide snapshots of sharded clusters provided. All database clusters guarantee high availability, backed by an industry-leading uptime SLA of 99.995%. Google Cloud Platform’s redundant architecture ensures real-time data replication across at least two geographically dispersed data centers, connected via multiple encrypted network links and interfaces.

Upon account deletion, all associated data is purged within 50 business days. KEBS also offers data export options for businesses desiring a data backup before deletion. For more details on data deletion, refer to our Privacy Page.

KEBS recognizes the importance of formal procedures, controls, and defined responsibilities for sustained data security and integrity. The company has established clear change management processes, logging and monitoring procedures, and fallback mechanisms as part of its operational security directives. An information security committee oversees and approves all organization-wide security policies.

Operational security encompasses everything from engineer recruitment to training and auditing their work products. The recruitment process includes standard background verification checks on all new hires. All employees receive training on the company’s information security policies and must acknowledge their understanding. Confidential company information is accessible only to select authorized KEBS employees.

Employees must report any suspicious activities or threats. The human resources team enforces disciplinary actions against policy violators. Security incidents can be reported by customers via email: svigneshbarani@kaartech.com.

KEBS maintains an inventory of all information systems used by employees for development, aided by automated probing software that tracks system changes and configurations. Only authorized and licensed software products are installed. No third parties or contractors manage software or information facilities, and no development activity is outsourced. All employee information systems receive management authorization before installation or use.

To test application resilience, KEBS employs external security consultants and ethical hackers to perform penetration tests on architecturally equivalent system copies without actual customer data. The production system remains untouched. Any unauthorized tests on the production environment are detected as intrusions, with the source IP blocked and an alert raised to the NOC and SOC teams.

This section delves into network security from the perspective of the development center and the GCP network where the application is hosted.

The KEBS office network, where updates are crafted, deployed, monitored, and managed, is fortified by industry-grade firewalls and antivirus software. Firewall logs are stored and reviewed periodically. Access to the production environment is via SSH, and remote access is possible only through the office network. Audit logs are generated for each remote user session and reviewed. Additionally, access to production systems always requires multi-factor authentication.

The NOC and SOC teams monitor the infrastructure 24×7 for stability, intrusions, and spam using a dedicated alert system. Every three months, comprehensive vulnerability assessments and penetration tests are conducted. The KEBS application features an in-built spam protection system, while the NOC team oversees and blocks individual accounts and IP addresses attempting unauthorized access.

All KEBS processes and security standards are crafted to meet industry, state, federal, and international regulations. KEBS adheres to strict data security, access, and integrity policies, among other principles defined in the safe harbor framework. The company’s commitment to these standards is detailed in the KEBS Privacy Policy.

For details on our GDPR Compliance, please refer to the provided link.

KEBS values the protection of its customer data. If you discover any issues or vulnerabilities impacting data security or privacy, please email svigneshbarani@kaartech.com with relevant details.

We request that unresolved vulnerabilities not be shared or publicized with third parties. Upon receiving a vulnerability report, the KEBS security team will:

• Acknowledge receipt in a timely manner.
• Investigate the reported issue and provide an estimated resolution timeframe.
• Notify you once the vulnerability has been addressed.