The Klaxoon Trust Center

1.2 Data protection

1.2.1 Access to Klaxoon - login and password policy

Klaxoon users activate their accounts via an activation link received by email.

They protect access to their data by defining a password at the time of their first connection to Klaxoon.

Standard Klaxoon password policy is in line with NIST recommendations: the user has to create a secure passphrase or password with the help of the strength measurement tool provided in the password creation interface. Strength detection is based on length, dictionaries, pattern recognition, or even the use of personally identifiable information.

1.2.2 Delegation of authentication / SSO

To facilitate and comply with our customers’ authentication standards, we support SSO integration:

• Corporate Identity federation (private SSO): specific SSO integration with any SAMLv2-compatible identity provider
• Online Identity federation (public SSOs): several online authentication modes are available to facilitate access to Klaxoon.
  

1.2.3 Security organization and governance

Based on ISO standards, Klaxoon has put in place an official security organization and governance with security top management, security officers, and technical experts involved in daily operations.

1.2.4 Human resource security

We ensure that all new hires are subject to the obligation of contractual confidentiality regarding information to which they have access in the exercise of their mission. They sign an NDA at the time of hiring.

As per applicable laws, checks are performed for all new hires. R&D and administrative personnel go through specific screening before they can access systems and restricted R&D offices.

Klaxoon employees’ contracts include an IT charter outlining their obligations regarding data protection.

An ongoing employee awareness program on data security and privacy is in place.

1.2.5 Security by Design

Security being the top priority at Klaxoon, we apply security best practices in developments contributing to our Security by Design approach and the principle of Defense in Depth.

For its secure SDLC, Klaxoon R&D team uses a methodology based on SCRUM with an integration of security at different stages of the development cycle.

Security is at the heart of the application, Klaxoon implements the best practices recommended by the OWASP SDL (Secure Development Lifecycle) and the ASVS (Application Security Verification Standard) projects, right from the design phase.

Particular attention is given to main applicative risks rankings, such as the OWASP Top 10 projects or the CWE Top 25. Security tests and milestones are integrated within the SDLC, they are carried out by internal security specialists.

1.2.6 Data encryption

Your data is encrypted in transit and at rest using the most robust and reliable encryption techniques and cyphers.
In transit: All exchanges are carried out in HTTPS. The session is encrypted via TLS 1.2 or higher. Only strong ciphers are supported. See the full SSL test report on Qualys SSL Labs (A+ rating).
Server certificates are countersigned by a recognized Certification Authority.

At rest: Users-generated data is encrypted at rest with volume encryption compliant with FIPS 140 standard. Encryption level: AES-256.

Passwords of Klaxoon users are hashed – the algorithm used: Bcrypt.

1.2.7 Payment protection

All payments are processed by our PCI-DSS-certified partner, Klaxoon does not store payment details at any time.

1.2.8 Security audits

The Klaxoon platform undergoes regular internal penetration tests as part of its S-SDLC.

External penetration tests are performed at least yearly by independent third party organizations certified by the French National Agency for Information Systems Security (ANSSI). We make sure that the auditor follows state-of-the-art methodologies (like PTES, NIST).

1.2.9 Incident management

The first level of Technical Support is the entry point for any security incident whether it is detected by the customer, internally, or by an external source such as the ANSSI. The incident is traced in the Klaxoon internal incident management tool and taken into account by our security and operations teams. A dedicated email address is set up for reporting any security incident.

Levels 2 and 3 are triggered depending on the severity of the incident. At each level, Klaxoon's CISO and their team supervise the analysis, correction, and communication operations with the customer and/or the authorities.

1.3 Infrastructure

1.3.1 Secure infrastructure

Klaxoon infrastructure uses the most advanced security measures proposed by our cloud providers including rule-based firewalling, load-balancing, DDoS shield, and intrusion management.

The administration of Klaxoon’s infrastructure is managed by a dedicated team implementing security controls based on ISO 27001 standards. Administration access is performed through secured tunnels, using MFA whenever possible.

Datacenters hosting the service meet Tier III requirements, physical access is controlled and monitored. Our cloud providers hold several certifications including ISO 27001 and SOC, among others.

1.3.2 Traceability

All administrative events (operating system logs) are monitored and logged.

All access events generated by user actions (web access logs) are also monitored and logged.

Logs are centralized to facilitate analysis and correlation, and archived and encrypted for 12 months on dedicated secure servers.

1.3.3 Vulnerability management

Automatic vulnerability scans (libraries, middleware, OS) are running on Klaxoon infrastructure. A vulnerability management policy based on recognized standards like CVSS is in place to ensure patching in a timely manner.

1.3.4 Anti-malware/anti-virus

Klaxoon platform is scanned continuously 24/7, and each uploaded file is scanned in real time. The malware database is updated on a daily basis.

1.4 Standard and optional security features

1.4.1 Authentication & SSO

By default, access to the application is granted either by providing a personal and individual username and password or the available online SSO authentication modes.

Private SSO integration can be proposed (SAML). This authentication mode can be forced for identified users, thus forbidding any other authentication mechanisms.

Once logged in, Klaxoon data is only accessible by its owner/creator, and those to whom it has been shared (e.g. on a Network, all subscribers have access to the data on this Network).

Depending on the offer subscribed to, more advanced filter settings can be proposed for corporate customers (please contact us for more information).

1.4.2 Access to data

The application allows Klaxoon hosts to invite participants to the activities they create. Each activity can be joined through a unique URL by default. Several mechanisms are natively available to restrict access to Klaxoon activities and associated data:

• Activity locking: hosts can disable the option to join an activity via a URL or a session code. Thus, they can manage participants via the Klaxoon interface. Locking can be done at any time during the activity's life.
• Access rights management in Board: fine-tuning of participant interaction possibilities within Boards.
• Klaxoon “Networks”: a set of Klaxoon activities grouped together in a restricted space whose access is managed by the creator of the Network via invitations. The invitations are sent by email, they are personal, non-transferable, and valid only once.
  

Depending on the offer subscribed to, some additional restriction measures are available (please contact us for more information on eligibility).

• Restricting access to members of an entire organization: prevents external users from accessing your organization's activities.
• Restricting file uploads and downloads: removes the option of uploading files during activities for declared users, as well as downloading content from Klaxoon.
• Network/IP restrictions: restricts access to Klaxoon when using network and IP level filters.

1.5 Coordinated Vulnerability Disclosure Policy

Klaxoon has a responsible Coordinated Vulnerability Disclosure policy (CVD) for security researchers interested in reporting potential security issues to the Klaxoon security team.
‍

The policy is available here.

2.1 Availability & scalability

Klaxoon service is available and monitored 24/7. Over the last 12 months, measured service availability is above 99.5%.

The infrastructure provides automatic horizontal scalability and high resilience: critical software components are redundant on separate servers.

When available, each deployment is performed in multiple "Availability Zones".

2.2 Backup

Full backups are saved encrypted to a remote location at least once per day.  Transactions are saved continuously.

Backup restoration tests are performed regularly. Backups are kept for 4 weeks.

2.3 Disaster recovery

In the event of a disaster impacting the nominal infrastructures hosting the service, Klaxoon’s Disaster Recovery Plan provides the ability to activate recovery sites.

Disaster recovery SLAs are as follows:

• Service recovery time (RTO): 72 hours
• Maximum allowable data loss (RPO): 24 hours.

4.1 Personal data compliance

The management of personal data complies with applicable data protection laws such as the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
For more information about how we process Personal Data, please read our Privacy Policy and our Data Processing Addendum.
Personal data is hosted on an ISO 27018-certified infrastructure. Users are informed of their rights upon their first connection by reading the End-User Terms and Conditions of Use.

4.2 Regulations, certifications and standards

4.2.1 Certified cloud operations and hosting

The administration of Klaxoon infrastructure is managed by a dedicated ISO 27001 certified operations team.

Klaxoon Cloud hosting providers holds several certifications including ISO 27001, ISO 27017 & 27018, ISO 9001, HDS / HDA, PCI, DSS, SOC 1 & 2 among others.

4.2.2 Security design and testing standards

Right from the design stage, the Klaxoon application implements security standards and best practices based on the OWASP SDL, as well as ANSSI and NIST referential.

Klaxoon conducts penetration testing performed by an independent third-party auditor certified by ANSSI.