Security policy
Effective: November 4, 2024
This list may be amended by Koncile at any time, provided that such changes do not substantially reduce the level of security outlined in this document. Any modifications will be communicated to clients and service testers.
I. Technical Security Measures
Authentification
Unique user ID with passwords, including strong authentication, a limit of 5 login attempts before lockout, regular password renewal, and secure password storage.
Optional two-factor authentication (2FA).
Logging of access, anomalies, and security-related events.
Access Logging and Incident Management
Protection of logging equipment against unauthorized access
Retention of logs for 9 months
Regular review of event logs
Development of a detailed incident response plan, including procedures for various scenarios
Regular training for staff on incident response procedures
Access to personal data by authorized personnel only, strictly as necessary for development or maintenance, with internal 2FA authentication
Personal data access restricted to the CTO and Tech Lead, with appropriate justification
Access Logging and Incident Management
Data replication across two nodes for databases and two nodes for AWS storage
Hosting of nodes in a specific data center
Automatic server failover capability
Weekly backups
Weekly verification of recovery process
HTTPS encryption of backups during transfer
Backup replication with access protection managed by AWS rights management system
Hosting & Network
Hosting provided by Amazon Web Services on servers located in the EU, certified ISO 27001 and SOC 2
End-to-end HTTPS encryption for transmission between the server and third parties
Functional segmentation of the Koncile network into sub-networks to ensure security: separation of test and production environments
Koncile back-office isolated from the internet, except for a single proxy entry point
Server synchronization through an AWS server
Segmentation of websites and Wi-Fi networks (HTTPS, TLS)
Restricted access to administrative tools and interfaces
Immediate implementation of critical updates
Data and Traffic Security
Tool for detecting malicious attachments
Data encryption (hashing, secret key protection)
Encryption of hosted data
Data transfer secured with TLS/SSL using HSTS and Perfect Forward Secrecy
Physical Security of Premises and Data Storage Locations
Alarme anti-intrusion
Vidéosurveillance 24/7
Contrôle des accès (badges, portes et armoire fermées à clé, conservation des accès physiques pendant 45 jours)
Supervision des visiteurs
II. Organizational Security
Personnel
Background checks for candidates in compliance with regulations
Confidentiality obligations and IT policy agreement
Mandatory security training for employees
Access rights management
Definition of access profiles
Removal of unnecessary access rights
Staff training on data confidentiality and privacy
Awareness programs on risks to personal freedoms and privacy
Employee confidentiality agreements
Mapping of Data Processing and Compliance Monitoring
Appointment of a Data Protection Officer (DPO)
Subcontracting only to further processors who provide sufficient regulatory assurances
Data protection agreements with subcontractors, in line with Article 28 of the GDPR
Verification of regulatory and security compliance of suppliers when introducing new information system equipment
Inclusion in every contract of data security risk requirements, establishing protocols for interventions in case of a breach
Service Continuity
Security incident response procedure
Security events reported to a designated individual (CTO), and to a second individual (“tech lead”) if the CTO is unavailable
Initial event analysis by a member of the emergency response team
In-depth review by the maintenance team, relevant departments, including legal and communications
Automated security updates to ensure prompt application of patches
Backup restoration tests to confirm their effectiveness in case of disaster
Digital Resources
Centralized device security policy (inventory management, automatic lock, password complexity, firewall, installation restrictions, automatic updates)
Centralized policy defining authorized tools for data processing by type and classification
Controlled access to source code
Peer review of code changes
Centralized access rights management for all SaaS software
For subcontracting: security and compliance verification
Audits
Audits through AWS CloudTrail to assess the security of Koncile’s application and infrastructure
Establishment of a compliance committee for ongoing monitoring of regulatory obligations