Security
1.1 Hosting/data residency
Depending on the offer subscribed to, user data is hosted in data centers located either in Europe or the USA.
Klaxoon’s platform is operated from Europe.
For Europe-based hosting, European data protection legislation applies (including GDPR compliance).
For USA-based hosting, the same data protection measures as European hosting apply (including CCPA compliance).
1.2 Data protection
1.2.1 Access to Klaxoon - login and password policy
Klaxoon users activate their accounts via an activation link received by email.
They protect access to their data by defining a password at the time of their first connection to Klaxoon.
The standard Klaxoon password policy is in line with NIST recommendations: the user has to create a secure passphrase or password with the help of the strength measurement tool provided in the password creation interface. Strength detection is based on length, dictionaries, pattern recognition, or even the use of personally identifiable information.
1.2.2 Delegation of authentication / SSO
To accommodate and comply with our customers’ authentication standards, we support SSO integration:
- Corporate Identity federation (private SSO): specific SSO integration with any SAMLv2 or OIDC-compatible identity provider
- Online Identity federation (public SSOs): several online authentication modes are available to facilitate access to Klaxoon.
1.2.3 Security organization and governance
Based on ISO standards, Klaxoon has put in place an official security organization and governance with security top management, security officers, and technical experts involved in daily operations.
1.2.4 Human resource security
We ensure that all new hires are bound by a contractual confidentiality obligation covering the information they have access to in the course of their duties. They sign an NDA at the time of hiring.
As per applicable laws, checks are performed for all new hires. R&D and administrative personnel go through specific screening before they can access systems and restricted R&D offices.
Klaxoon employees’ contracts include an IT charter outlining their obligations regarding data protection.
An ongoing employee awareness program on data security and privacy is in place.
1.2.5 Security by Design
Security is the top priority at Klaxoon: we apply security best practices in development, which contributes to our Security by Design approach and the principle of Defense in Depth.
For its secure SDLC, the Klaxoon R&D team uses a methodology based on Scrum, with security integrated at different stages of the development cycle.
Security is at the heart of the application: Klaxoon implements the best practices recommended by the OWASP SDL (Secure Development Lifecycle) and the ASVS (Application Security Verification Standard) projects, right from the design phase.
Particular attention is given to the main application risk rankings, such as the OWASP Top 10 project or the CWE Top 25. Security tests and milestones are integrated within the SDLC and are carried out by internal security specialists.
1.2.6 Data encryption
Your data is encrypted in transit and at rest using the most robust and reliable encryption techniques and ciphers.
In transit: All exchanges are carried out in HTTPS. The session is encrypted via TLS 1.2 or higher. Only strong ciphers are supported. See the full SSL test report on Qualys SSL Labs (A+ rating).
Server certificates are countersigned by a recognized Certification Authority.
At rest: User-generated data is encrypted at rest with volume encryption compliant with the FIPS 140 standard. Encryption level: AES-256.
Passwords of Klaxoon users are hashed. The algorithm used is bcrypt.
1.2.7 Payment protection
All payments are processed by our PCI-DSS-certified partner; Klaxoon does not store payment details at any time.
1.2.8 Security audits
The Klaxoon platform undergoes regular internal penetration tests as part of its S-SDLC.
External penetration tests are performed at least yearly by independent third-party organizations certified by the French National Agency for Information Systems Security (ANSSI). We make sure that the auditor follows state-of-the-art methodologies (such as PTES and NIST).
1.2.9 Incident management
The first level of Technical Support is the entry point for any security incident, whether it is detected by the customer, internally, or by an external source such as the ANSSI. The incident is tracked in the Klaxoon internal incident management tool and handled by our security and operations teams. A dedicated email address is set up for reporting any security incident.
Levels 2 and 3 are triggered depending on the severity of the incident. At each level, Klaxoon's CISO and their team supervise the analysis, correction, and communication operations with the customer and/or the authorities.
1.3 Infrastructure
1.3.1 Secure infrastructure
The Klaxoon infrastructure uses the most advanced security measures offered by our cloud providers, including rule-based firewalling, load-balancing, DDoS shield, and intrusion management.
The administration of Klaxoon’s infrastructure is managed by a dedicated team implementing security controls based on ISO 27001 standards. Administration access is performed through secured tunnels, using MFA whenever possible.
Datacenters hosting the service meet Tier III requirements; physical access is controlled and monitored. Our cloud providers hold several certifications including ISO 27001 and SOC, among others.
1.3.2 Traceability
All administrative events (operating system logs) are monitored and logged.
All access events generated by user actions (web access logs) are also monitored and logged.
Logs are centralized to facilitate analysis and correlation, then archived and encrypted for 12 months on dedicated secure servers.
1.3.3 Vulnerability management
Automatic vulnerability scans (libraries, middleware, OS) run on the Klaxoon infrastructure. A vulnerability management policy based on recognized standards like CVSS is in place to ensure patching in a timely manner.
1.3.4 Anti-malware/anti-virus
The Klaxoon platform is scanned continuously 24/7, and each uploaded file is scanned in real time. The malware database is updated on a daily basis.
1.4 Standard and optional security features
1.4.1 Authentication & SSO
By default, access to the application is granted either by providing a personal and individual username and password or through one of the available online SSO authentication modes.
Private SSO integration can be offered (SAML). This authentication mode can be enforced for identified users, thus forbidding any other authentication mechanism.
Once logged in, Klaxoon data is only accessible by its owner/creator, and those to whom it has been shared (e.g. on a Network, all subscribers have access to the data on this Network).
Depending on the offer subscribed to, more advanced filter settings can be offered to corporate customers (please contact us for more information).
1.4.2 Access to data
The application allows Klaxoon hosts to invite participants to the activities they create. Each activity can be joined through a unique URL by default. Several mechanisms are natively available to restrict access to Klaxoon activities and associated data:
- Activity locking: hosts can disable the option to join an activity via a URL or a session code. Thus, they can manage participants via the Klaxoon interface. Locking can be done at any time during the activity's life.
- Access rights management in Board: fine-tuning of participant interaction possibilities within Boards.
- Klaxoon “Networks”: a set of Klaxoon activities grouped together in a restricted space whose access is managed by the creator of the Network via invitations. The invitations are sent by email; they are personal, non-transferable, and valid only once.
Depending on the offer subscribed to, some additional restriction measures are available (please contact us for more information on eligibility):
- Restricting access to members of an entire organization: prevents external users from accessing your organization's activities.
- Restricting file uploads and downloads: removes the option of uploading files during activities for declared users, as well as downloading content from Klaxoon.
- Network/IP restrictions: restricts access to Klaxoon when using network and IP level filters.
1.5 Coordinated Vulnerability Disclosure Policy
Klaxoon has a responsible Coordinated Vulnerability Disclosure policy (CVD) for security researchers interested in reporting potential security issues to the Klaxoon security team.
The policy is available here.