The Klaxoon Trust Center
Depending on the offer subscribed to, user data is hosted in data centers located either in Europe or the USA.
Klaxoon’s platform is operated from Europe.
For Europe-based hosting, European data protection legislation applies (including GDPR compliance).
For USA-based hosting, the same data protection measures as European hosting apply (including CCPA compliance).
Klaxoon users activate their accounts via an activation link received by email.
They protect access to their data by defining a password at the time of their first connection to Klaxoon.
Standard Klaxoon password policy is in line with NIST recommendations: the user has to create a secure passphrase or password with the help of the strength measurement tool provided in the password creation interface. Strength detection is based on length, dictionaries, pattern recognition, or even the use of personally identifiable information.
To facilitate and comply with our customers’ authentication standards, we support SSO integration:
Based on ISO standards, Klaxoon has put in place an official security organization and governance with security top management, security officers, and technical experts involved in daily operations.
We ensure that all new hires are subject to the obligation of contractual confidentiality regarding information to which they have access in the exercise of their mission. They sign an NDA at the time of hiring.
As per applicable laws, checks are performed for all new hires. R&D and administrative personnel go through specific screening before they can access systems and restricted R&D offices.
Klaxoon employees’ contracts include an IT charter outlining their obligations regarding data protection.
An ongoing employee awareness program on data security and privacy is in place.
Security being the top priority at Klaxoon, we apply security best practices in developments contributing to our Security by Design approach and the principle of Defense in Depth.
For its secure SDLC, Klaxoon R&D team uses a methodology based on SCRUM with an integration of security at different stages of the development cycle.
Security is at the heart of the application, Klaxoon implements the best practices recommended by the OWASP SDL (Secure Development Lifecycle) and the ASVS (Application Security Verification Standard) projects, right from the design phase.
Particular attention is given to main applicative risks rankings, such as the OWASP Top 10 projects or the CWE Top 25. Security tests and milestones are integrated within the SDLC, they are carried out by internal security specialists.
Your data is encrypted in transit and at rest using the most robust and reliable encryption techniques and cyphers.
In transit: All exchanges are carried out in HTTPS. The session is encrypted via TLS 1.2 or higher. Only strong ciphers are supported. See the full SSL test report on Qualys SSL Labs (A+ rating).
Server certificates are countersigned by a recognized Certification Authority.
At rest: Users-generated data is encrypted at rest with volume encryption compliant with FIPS 140 standard. Encryption level: AES-256.
Passwords of Klaxoon users are hashed – the algorithm used: Bcrypt.
All payments are processed by our PCI-DSS-certified partner, Klaxoon does not store payment details at any time.
The Klaxoon platform undergoes regular internal penetration tests as part of its S-SDLC.
External penetration tests are performed at least yearly by independent third party organizations certified by the French National Agency for Information Systems Security (ANSSI). We make sure that the auditor follows state-of-the-art methodologies (like PTES, NIST).
The first level of Technical Support is the entry point for any security incident whether it is detected by the customer, internally, or by an external source such as the ANSSI. The incident is traced in the Klaxoon internal incident management tool and taken into account by our security and operations teams. A dedicated email address is set up for reporting any security incident.
Levels 2 and 3 are triggered depending on the severity of the incident. At each level, Klaxoon's CISO and their team supervise the analysis, correction, and communication operations with the customer and/or the authorities.
Klaxoon infrastructure uses the most advanced security measures proposed by our cloud providers including rule-based firewalling, load-balancing, DDoS shield, and intrusion management.
The administration of Klaxoon’s infrastructure is managed by a dedicated team implementing security controls based on ISO 27001 standards. Administration access is performed through secured tunnels, using MFA whenever possible.
Datacenters hosting the service meet Tier III requirements, physical access is controlled and monitored. Our cloud providers hold several certifications including ISO 27001 and SOC, among others.
All administrative events (operating system logs) are monitored and logged.
All access events generated by user actions (web access logs) are also monitored and logged.
Logs are centralized to facilitate analysis and correlation, and archived and encrypted for 12 months on dedicated secure servers.
Automatic vulnerability scans (libraries, middleware, OS) are running on Klaxoon infrastructure. A vulnerability management policy based on recognized standards like CVSS is in place to ensure patching in a timely manner.
Klaxoon platform is scanned continuously 24/7, and each uploaded file is scanned in real time. The malware database is updated on a daily basis.
By default, access to the application is granted either by providing a personal and individual username and password or the available online SSO authentication modes.
Private SSO integration can be proposed (SAML). This authentication mode can be forced for identified users, thus forbidding any other authentication mechanisms.
Once logged in, Klaxoon data is only accessible by its owner/creator, and those to whom it has been shared (e.g. on a Network, all subscribers have access to the data on this Network).
Depending on the offer subscribed to, more advanced filter settings can be proposed for corporate customers (please contact us for more information).
The application allows Klaxoon hosts to invite participants to the activities they create. Each activity can be joined through a unique URL by default. Several mechanisms are natively available to restrict access to Klaxoon activities and associated data:
Depending on the offer subscribed to, some additional restriction measures are available (please contact us for more information on eligibility).
Klaxoon runs a private Bug Bounty program for security researchers to report potential security issues to our security team. You can find the program policy and reporting form here.
Klaxoon service is available and monitored 24/7. Over the last 12 months, measured service availability is above 99.5%.
The infrastructure provides automatic horizontal scalability and high resilience: critical software components are redundant on separate servers.
When available, each deployment is performed in multiple "Availability Zones".
Full backups are saved encrypted to a remote location at least once per day. Transactions are saved continuously.
Backup restoration tests are performed regularly. Backups are kept for 4 weeks.
In the event of a disaster impacting the nominal infrastructures hosting the service, Klaxoon’s Disaster Recovery Plan provides the ability to activate recovery sites.
Disaster recovery SLAs are as follows:
The website (https://klaxoon.com) is operated by Wrike, Inc. registered at 550 West B Street, Floor 4, PMB 2305, San Diego, CA 92101, United States.
Director of publication: Mr Thomas Scott, CEO.
Email address : [email protected]
This website (https://klaxoon.com) is hosted by Webflow, Inc. 398 11th Street, 2nd Floor, San Francisco, CA 94103, [email protected] and for some pages by Amazon Web Services (AWS) whose address is Clonshaugh Road, Clonshaugh, Dublin 17 Ireland (+1 844-902-4700).
The management of personal data complies with applicable data protection laws such as the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
For more information about how we process Personal Data, please read our Privacy Policy and our Data Processing Addendum.
Personal data is hosted on an ISO 27018-certified infrastructure. Users are informed of their rights upon their first connection by reading the End-User Terms and Conditions of Use.
Klaxoon is compliant with SOC2 Type2 standards (Service Organization Control 2, Type 2). An annual audit is performed, addressing the suitability of design and the operating effectiveness of Klaxoon controls. The Type2 report attests to excellence of the controls in the domains of security, availability, and confidentiality.
The administration of Klaxoon infrastructure is managed by a dedicated ISO 27001 certified operations team.
Klaxoon Cloud hosting providers holds several certifications including ISO 27001, ISO 27017 & 27018, ISO 9001, HDS / HDA, PCI, DSS, SOC 1 & 2 among others.
Right from the design stage, the Klaxoon application implements security standards and best practices based on the OWASP SDL, as well as ANSSI and NIST referential.
Klaxoon conducts penetration testing performed by an independent third-party auditor certified by ANSSI.
At Klaxoon, we want to provide a collaborative experience where everyone can easily participate, when information is clear and accessible, when decisions are made with results, when we move forward as a team, whether we are on-site or remotely.
To do so, we make sure that we provide applications accessible to all individuals, including users working with assistive devices, such as speech recognition software and screen readers.
As per Klaxoon roadmap, the target is to gradually reach a high average compliance level on the Klaxoon application and web site overall.
Klaxoon takes the following measures to improve accessibility on our Klaxoon application and on our website:
The Web Content Accessibility Guidelines (WCAG) defines requirements for designers and developers to improve accessibility for people with disabilities. It defines three levels of conformance: Level A, Level AA, and Level AAA.
Klaxoon is partially conformant with WCAG 2.1 level AA and RGAA 4.1. Partially conformant means that some parts of the content do not fully conform to the accessibility standard.
Latest auditing scope includes the login process, homepage, profile menu, and some common functionalities used in Klaxoon activities with a focus on “Board” and “Adventure” activities. Our average compliance score against WCAG 2.1 level AA criterias is currently 87% on this scope.
Accessibility of Klaxoon relies on the following technologies to work with the particular combination of web browser and any assistive technologies or plugins installed on your computer:
These technologies are relied upon for conformance with the accessibility standards used.
Supported browsers: please check the updated list.
Screen readers tested: VoiceOver (best experience with Apple Safari browser), NVDA
Despite our best efforts to ensure accessibility of Klaxoon, there are identified limitations. As part of our accessibility commitment we dedicate a constant effort to improve accessibility and bridge the remaining gaps.
Please contact us at [email protected] if you observe any issue that limits your use of Klaxoon or wish to know more.
If you wish to provide feedback or are interested in helping our team to make Klaxoon an even more accessible product, please get in touch with us at [email protected]
This statement was updated in March 2024.