Security policy

Effective: November 4, 2024

This list may be amended by Koncile at any time, provided that such changes do not substantially reduce the level of security outlined in this document. Any modifications will be communicated to clients and service testers.

I. Technical Security Measures

Authentification

Unique user ID with passwords, including strong authentication, a limit of 5 login attempts before lockout, regular password renewal, and secure password storage.

Optional two-factor authentication (2FA).

Logging of access, anomalies, and security-related events.

Access Logging and Incident Management

Protection of logging equipment against unauthorized access

Retention of logs for 9 months

Regular review of event logs

Development of a detailed incident response plan, including procedures for various scenarios

Regular training for staff on incident response procedures

Access to personal data by authorized personnel only, strictly as necessary for development or maintenance, with internal 2FA authentication

Personal data access restricted to the CTO and Tech Lead, with appropriate justification

Access Logging and Incident Management

Data replication across two nodes for databases and two nodes for AWS storage

Hosting of nodes in a specific data center

Automatic server failover capability

Weekly backups

Weekly verification of recovery process

HTTPS encryption of backups during transfer

Backup replication with access protection managed by AWS rights management system

Hosting & Network

Hosting provided by Amazon Web Services on servers located in the EU, certified ISO 27001 and SOC 2

End-to-end HTTPS encryption for transmission between the server and third parties

Functional segmentation of the Koncile network into sub-networks to ensure security: separation of test and production environments

Koncile back-office isolated from the internet, except for a single proxy entry point

Server synchronization through an AWS server

Segmentation of websites and Wi-Fi networks (HTTPS, TLS)

Restricted access to administrative tools and interfaces

Immediate implementation of critical updates

Data and Traffic Security

Tool for detecting malicious attachments

Data encryption (hashing, secret key protection)

Encryption of hosted data

Data transfer secured with TLS/SSL using HSTS and Perfect Forward Secrecy

Physical Security of Premises and Data Storage Locations

Alarme anti-intrusion

Vidéosurveillance 24/7

Contrôle des accès (badges, portes et armoire fermées à clé, conservation des accès physiques pendant 45 jours)

Supervision des visiteurs

II. Organizational Security

Personnel

Background checks for candidates in compliance with regulations

Confidentiality obligations and IT policy agreement

Mandatory security training for employees

Access rights management

Definition of access profiles

Removal of unnecessary access rights

Staff training on data confidentiality and privacy

Awareness programs on risks to personal freedoms and privacy

Employee confidentiality agreements

Mapping of Data Processing and Compliance Monitoring

Appointment of a Data Protection Officer (DPO)

Subcontracting only to further processors who provide sufficient regulatory assurances

Data protection agreements with subcontractors, in line with Article 28 of the GDPR

Verification of regulatory and security compliance of suppliers when introducing new information system equipment

Inclusion in every contract of data security risk requirements, establishing protocols for interventions in case of a breach

Service Continuity

Security incident response procedure

Security events reported to a designated individual (CTO), and to a second individual (“tech lead”) if the CTO is unavailable

Initial event analysis by a member of the emergency response team

In-depth review by the maintenance team, relevant departments, including legal and communications

Automated security updates to ensure prompt application of patches

Backup restoration tests to confirm their effectiveness in case of disaster

Digital Resources

Centralized device security policy (inventory management, automatic lock, password complexity, firewall, installation restrictions, automatic updates)

Centralized policy defining authorized tools for data processing by type and classification

Controlled access to source code

Peer review of code changes

Centralized access rights management for all SaaS software

For subcontracting: security and compliance verification

Audits

Audits through AWS CloudTrail to assess the security of Koncile’s application and infrastructure

Establishment of a compliance committee for ongoing monitoring of regulatory obligations