Kidsloop has implemented the security measures set out below in accordance with industry standards to protect personal information. Kidsloop may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services. The updated version can be found at http://dup.kidsloop.net/global/securitymeasures.
The Kidsloop management team has been actively involved in developing an information security culture within the Group and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.
Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as:
- Information security
- Hosting environment security
- Third party access
- Capacity control
- Change management
- Backup and recovery
- Access control
- Logging and monitoring
- Incident response
- Release management
Information Security team
Kidsloop has a team of information security experts who are responsible for the overall information security of the organization. Their role includes responsibility for:
- Coordinating security related tasks
- Securing corporate environment, network and devices
- Security of the application (in-house penetration testing and application audits)
- Monitoring and logging
- Process and policy management (disaster recovery, path management etc.)
- Training and education of employees in the field of information security
- Coordinating third-party security audits, and follow up on any findings
- Reviewing code for potential security vulnerabilities
Roles and responsibilities
All employees have clear roles within the Group and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.
All Kidsloop employees are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.
Strict requirements are in place for any employee, hired consultant or third party requesting access to Kidsloop information systems. Access is controlled by an authentication system. The user is required to:
- Have management approval for the requested access
- Have strong passwords that are in accordance with the corporate password policy
- Change their password at regular intervals
- Document that the access requested is required for their specific role/task
- Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.
Kidsloop employs automatic temporary lock-out of the user terminal if left idle.
Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. Any changes to data are logged to create an audit trail for accountability.
Kidsloop operates all its customer services from data centres separated from the corporate office work space. Access to data centres is strictly controlled and protected to reduce the likelihood of unauthorized access, fire, flooding or other damage to the physical environment. Physical access to data centres is limited to a small number of employees within Kidsloop and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre.
Technical measures – System availability
Kidsloop has implemented industry standard measures to ensure that Personal Data are protected from accidental destruction or loss, including:
- infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
- backups stored at an alternative site and available for restore in case of failure of the primary system
- appropriate denial-of-service protection
- 365/24/7 personnel on duty to monitor and troubleshoot
Kidsloop has implemented a series of industry standard measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during transport or at rest, including:
- Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
- HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
- Remote access to data centres is protected with a number of layers of network security
- Particularly sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
- Every decommissioned disk is subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
- Regular third-party security audits (minimum annually), including penetration testing, that are made available to partners
Kidsloop uses only state-of-the-art data centres, with 365/24/7 on-site security and monitoring operations. The data centres are housed in modern fire-resistant facilities that require electronic keycard access, with alarms that are linked to the on-site security operation. Only authorized employees and contractors are permitted to request electronic keycard access to these facilities.
Kidsloop’s Platform(s) is based on industry standard technologies from well-known vendors, including Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco. Systems are periodically patched to the latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug fixes are released swiftly based on priority, following rigorous quality checks.
Kidsloop has measures in place to minimize the risk of introducing code in its platform that can degrade the security or integrity of the customer services and Personal Data processed. Measures include:
- Regular training of staff
- Code review by security architects
- QA process for rigorous testing of changes prior to deployment
When onboarding sub-processors, Kidsloop performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Kidsloop performs regular security audits of the practices and delivery for existing sub-processors.