Kustomer Security
At Kustomer, we believe trust from our customers is paramount. We recognize the importance of providing a top performing application that is continuously available, while protecting your data and keeping it private. Our security consists of layers of protection, starting with team policies and procedures, and incorporates continuous monitoring and automation built into our software development cycle. Our commitment to security extends to our partners and trained third-party security professionals who provide guidance, ensure compliance, and validate security across all areas of the organization.
Data Center and Network Security Protocols
The Kustomer platform runs on AWS in their fully certified data centers and applies security controls and system checks to keep your data safe.
Software Development Security Protocols
Through regular reviews and third-party penetration testing and monitoring, Kustomer ensures the platform is secure at the code level and throughout the software development lifecycle.
Platform Security Features
Customers have complete control over their Kustomer platform instance, ensuring that only credentialed users have access, and can manage user permissions granularly within the app.
Internal Operations Security Controls
Kustomer applies best practices and controls to reduce social engineering threats and improve the security and awareness of Kustomer employees.
Compliance and Certifications
Kustomer maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations. More information on compliance can be found here.
Data Center and Network Security Protocols
Control | Description |
---|---|
Protection | Our network is protected through the use and integration of key AWS security services and other network intelligence technologies that monitor and block malicious traffic and network attacks. Regular third-party audits and penetration tests ensure the effectiveness of our data center and network security protection protocols. |
Hosting | The Kustomer platform is fully hosted within Amazon AWS data centers that offer a comprehensive set of security capabilities, have been ISO 27001 and PCI DSS Service Provider Level 1 certified, and maintain SOC 2 compliance. |
Architecture | Our network security architecture consists of multiple security zones. We apply additional security monitoring and access controls depending on the zone. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. |
Multi-Region Disaster Recovery | Our cloud-based infrastructure runs across multiple regions to enable high availability. Each of our hosting environments has a primary region and a secondary region. In the event of a regional infrastructure service disruption in any of our primary regions, we have the ability to migrate your network traffic to a secondary region. |
Virtual Private Cloud (VPC) | All services are hosted within a VPC exposing only the limited hosts/port mappings required for public API and internal access. |
Firewall | The Kustomer platform’s external endpoints are each protected by an AWS Web Application Firewall (WAF), which protects the platform from common web exploits that could affect availability and security. |
Monitoring | All production network systems and networked devices are continuously monitored by Kustomer. Physical security, power, and internet connectivity are monitored by AWS. |
Intrusion Detection and Protection | Service ingress and egress points are instrumented and monitored to detect anomalous behavior. Monitored 24/7, these systems are configured to generate alerts when incidents occur or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. |
Penetration Tests | Kustomer partners with third-party vendors to conduct frequent penetration tests on Kustomer’s network, systems, services, and employees. |
Network Vulnerability Scanning | Kustomer regularly conducts network scanning for quick identification of out-of-compliance or potentially vulnerable systems. |
DDoS Protection | Kustomer has architected a multi-layer approach to DDoS mitigation. In addition to other technologies and controls, this approach includes the use of specific AWS DDoS mitigation services (e.g., AWS WAF, AWS Shield, Amazon GuardDuty) and other AWS tools that provide even deeper protection against attacks. |
Encryption in Transit | In order to protect data in transit, we use encryption protocols such as Transport Layer Security (TLS) to protect the transport of data everywhere. This ensures that if hosts are compromised, attackers cannot glean information by eavesdropping on network communications. We use certificates to protect communications from interception and misuse, and also have automated certificate expiration and renewal in place to ensure proper key rotation. |
Encryption at Rest | All data, including backup data, is stored using encryption at the volume, disk, or data-store level. |
Software Development Security Protocols
Control | Description |
---|---|
Quality Assurance (QA) | Our QA department reviews and tests our code base to ensure it is secure and stable. Dedicated application security engineers on staff also identify, test, and triage security vulnerabilities in the code. |
Penetration Testing | In addition to our extensive internal scanning and testing program, Kustomer employs a third-party security consultancy to conduct biannual penetration tests on our core web application. |
Vulnerability Scanning | We employ a third-party security consultancy to continuously scan our core applications against the Open Web Application Security Project (OWASP) Top 10 security risks. Our dedicated product security team tests and works with our engineering teams to remediate any discovered issues. |
Responsible Disclosure Bug Bounty Program | Our Responsible Disclosure Program gives security researchers an avenue for safely testing and notifying Kustomer of security vulnerabilities. |
Separate Environments | Testing and Staging environments are logically separated from the production environment. No client data is used in the development or test environments. |
Platform Security Features
Feature | Description |
---|---|
Authentication | We support SSO through the use of OAuth (Google) or SAML Identity Providers. |
Single Sign-On (SSO) | SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Kustomer platform instance. The Kustomer application supports JSON Web Token (JWT), Security Assertion Markup Language (SAML), and Open Authorization (OAuth) through Google. |
Secure Credential Storage | All credentials are stored using the SHA256 hashing algorithm with user-specific salts. API tokens, based on JWTs, are validated at runtime and not stored in the system. |
Role Based Access Controls | Access to Kustomer platform data is governed by Role Based Access Control (RBAC), and can be configured to define granular access privileges. |
Transmission Security | All communications with Kustomer’s UI and APIs are encrypted using TLS encryption protocols. |
Filtering | Kustomer Chat can be configured to only allow access from specific domains that you define. |
IP Ranges | Ultimate plan users can create and set allowed IP ranges to secure platform access for agents and team members. |
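The Secure Credential Storage row above states that credentials are stored as SHA256 hashes with user-specific salts. The following is an added example, not Kustomer's code, of what such storage and verification looks like in practice: a fresh random salt per user, a SHA-256-based derivation, and a constant-time comparison on verification so that timing does not leak how many bytes of the stored hash matched. The use of PBKDF2 key stretching, the iteration count, and the salt length are assumptions of this example; the page states only "SHA256 with user-specific salts".

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters (not stated on the page): PBKDF2-HMAC-SHA256 iteration
# count and salt length. The iteration count slows offline guessing if the
# credential store is ever exposed; the salt defeats precomputed tables.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_credential(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> Dict[str, object]:
    """Derive a per-user salted SHA-256 hash of a password for storage.

    Returns a record that contains everything needed to verify later
    (algorithm, iteration count, salt, hash) but not the password itself.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {
        "algorithm": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_credential(password: str, record: Dict[str, object]) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    if record.get("algorithm") != "pbkdf2-hmac-sha256":
        return False  # reject records from an unknown scheme rather than guess
    salt = bytes.fromhex(str(record["salt"]))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(record["iterations"]))
    # hmac.compare_digest avoids early-exit byte comparison timing leaks.
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["hash"])))


def salts_are_unique(password: str) -> bool:
    """Two users with the same password must not share a stored hash."""
    first = hash_credential(password)
    second = hash_credential(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    # Constructed sample credential, used only for this demonstration.
    stored = hash_credential("correct horse battery staple")
    print("stored record:", stored)
    print("correct password verifies:",
          verify_credential("correct horse battery staple", stored))
    print("wrong password verifies:", verify_credential("Tr0ub4dor&3", stored))
    print("same password yields distinct records:",
          salts_are_unique("correct horse battery staple"))
```

The stored record carries its own iteration count, which is what allows the parameters to be raised over time and old records re-hashed on the user's next successful login without a flag day.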
Internal Operations Security Controls
Control | Description |
---|---|
Security Training | Kustomer has a third-party security consultancy that provides all employees with security awareness training on their first day, prior to being given network access. Additionally, employee security trainings are conducted on a biannual basis and include secure code training covering OWASP Top 10 security risks, common attack vectors, and security controls. |
Information Security Policies | All Kustomer employees must read and acknowledge the information security policies prior to being given network access on their first day. Kustomer information security policies are reviewed and updated on a biannual basis. |
Security Incident Response | Kustomer has a documented incident response plan for all urgent issues that impact the production system. Additionally, Kustomer has a 24/7 Security Incident Response Team (SIRT) that specializes in handling security incidents properly within the organization from containment to notification of impacted users within a specific timeframe. |
Mobile Device Management (MDM) | Kustomer requires all employees to deploy an MDM solution across all of their endpoints, including laptops, tablets, and phones to protect from social engineering attacks as well as lost or stolen devices. |
Endpoint Monitoring | Through a customized set of security monitoring solutions, all Kustomer employee endpoints are monitored 24/7 by our security team for any malicious activity. |
Compliance and Certifications
Certification | Description |
---|---|
SOC 2 | Kustomer has achieved SOC 2 Type II compliance with zero exceptions in accordance with AICPA Trust Service Principles and Criteria for System and Organization Control. Our complete SOC 2 Type II audit report is available to customers and prospects under NDA by visiting trust.kustomer.com. |
EU-US and Swiss-US Privacy Shield | TrustArc has reviewed and certified that our policies and procedures comply with EU-US and Swiss-US Privacy Shield requirements and our certifications can be viewed on the Privacy Shield list. |
GDPR | TrustArc has approved EU-US and Swiss-US Privacy Shield certifications, including our compliance with GDPR regulations. Learn more about our GDPR compliance here. |
PCI Level I | Kustomer uses certified PCI Level 1 Service Provider, Zuora, for its billing system. Additionally, Kustomer directly integrates with Zuora using its recommended strategy for PCI compliance, which ensures all pages are served through TLS and no credit card data is routed through Kustomer’s infrastructure. |
ISO 27001 | Kustomer has achieved ISO 27001 certification in accordance with the internationally recognized standard. This certification is verified by Cadence Assurance, an ISO/IEC 27001 accredited Certification Body. The scope of the certification covers the development, operations, maintenance, and delivery of the Kustomer Platform. Our ISO certificate is available to customers and prospects under NDA by visiting trust.kustomer.com. |
Kustomer Privacy Policy | Review the Kustomer privacy policy here. |