Kognity Information Security Overview
At Kognity we strongly believe that information security is paramount to building trust and making you feel safe and secure when interacting with us. We also strive to be transparent about how we protect your information and about our commitment to treating your data safely.
Our implementation and design of the information security programme is aligned with accepted and standardised security frameworks, most importantly SOC 2, ISO 27001 and the NIST Cybersecurity Framework. This gives us structure to work in a standardised way when we protect our organisation and your information. Our information security programme and efforts are led by our Head of Information Security, who is also our Data Protection Officer, responsible for, among other things:
- Implementing and ensuring information security at Kognity
- Providing leadership to the enterprise’s information security organisation
- Implementing and ensuring data privacy at Kognity
- Ensuring compliance with laws and regulations
- Raising awareness of risk management
- Monitoring all operations and infrastructure by reviewing alerts and logs to track the organisation’s digital security impact
Our Head of Information Security also operates as our internal Data Protection Officer.
Compliance and certification
- System and Organization Controls (SOC) 2 Type 1 – Security principles (attested)
- System and Organization Controls (SOC) 2 Type 2 – Security principles (attestation later in 2023)
- Student Privacy Pledge
Guidance from the following standards
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework, Version 1.1
- The International Organization for Standardization (ISO) Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27001:2017
Data protection programme
Our core mission is to keep you and your data safe and secure, which is why we deploy our platform on well-known and reliable hosting providers. Kognity’s platform runs in an isolated environment and is not accessible to other applications or areas of the system, which prevents security and stability issues.
Segmentation of production
Our production environment is completely separate from all other environments and our customers are logically separated from each other.
All data that our platform processes originates from our customers or their users, such as name, email and graduation. All data is imported from sources that our customers actively choose. We do not process any other customer data that is not deemed necessary for our platform or the delivery of our services.
Data in motion
All data communication to our platform is encrypted using the Transport Layer Security (TLS) protocol (TLS 1.2 and TLS 1.3).
Data at rest
All of our data at rest is encrypted using the standardised Advanced Encryption Standard (AES) with 256-bit keys.
Our risk management framework is aligned with our business objectives and establishes rules governing how we identify risks, assign risk ownership, assess how each risk affects the confidentiality, integrity and availability of information, and treat the identified risks. This is fundamental to classifying and protecting our objectives and to delivering on our commitment to keep your data safe and secure. Risk management is constantly evolving and continuously monitored, including through annual reviews.
When we onboard new staff, they follow a standardised onboarding process which includes acceptance of our Code of Conduct and key information security policies, for example our Acceptable Use Policy.
We have also adopted an ambitious company-wide training programme that includes:
- mandatory privacy and information security training for all new joiners
- annual mandatory privacy and information security training for all staff (in addition to the new joiner training)
- biannual information security training for all staff
All new hires undergo a customary vetting process including reference checks. In addition, any staff who may access students’ personal data are subject to appropriate and recurring criminal background checks.
Our offboarding process follows a standardised offboarding checklist: we revoke access, ensure the return of work equipment and remind the employee that the confidentiality agreement remains in force after employment ends.
We have designed and implemented the minimum permission levels needed in order to perform job functions. This includes both the breadth of access (what data is available) and the depth of access (what actions the user is able to perform on that data), as per the principles of Privacy by Design.
We enforce multi-factor authentication (MFA) on email and corporate accounts, and single sign-on (SSO) where MFA is not applicable.
All privileged accounts are carefully monitored and limited to authorised users only.
Access control review
Access control is reviewed on a quarterly basis.
All of our tech team members follow a standardised coding process, including industry standards and hygiene factors for releasing new features and other fixes to our production environment.
Our way of working is based on secure software development practices, which among other things means that no source code is pushed to the production environment without independent code review, analysis and performance review. Once this is complete, our test suite is triggered and the code is evaluated against our tests.
Our platform is subjected to a penetration test annually. In addition to the annual penetration test, the platform is subject to weekly automated penetration testing and regular third-party vulnerability scanning and alerting.
We continuously monitor our platform for any kind of deviation or malicious pattern that may cause disruption for our users.
We have established a state-of-the-art incident management process that involves a cross-functional team responsible for assessing, reviewing, classifying, escalating and resolving any incident.
Material vendors are reviewed at least annually, or as part of the procurement process for new vendors whose services could affect the platform’s infrastructure or overall business criticality.
Business Continuity and Disaster Recovery
As we utilise cloud hosting, we keep server instances interchangeable as far as possible and run them on high-availability plans. This means that the database cluster and its management system are designed to increase database availability in the event of a hardware or software failure that could otherwise lead to downtime or other disruption.
We conduct annual external security audits performed by accredited auditors.