Intro

At Kognity we strongly believe that information security is paramount to build trust and make you feel safe and secure when interacting with us. We also strive to be transparent about how we protect your information and our commitment to treat your data safe and sound.

Organisation

Our implementation and design of the information security programme is aligned with accepted and standardised security frameworks, most importantly SOC2, ISO27001 and the NIST Cybersecurity Framework. This gives us structure to work in a standardised way when we protect our organisation and your information. Our information security programme and efforts are lead by our Head of Information Security, who’s also our Data Protection Officer, responsible for, among other things:

• Implementing and ensuring information security at Kognity
• Providing leadership to the enterprise’s information security organisation
• Implementing and ensuring data privacy at Kognity
• Ensuring compliance with laws and regulations
• Raising awareness of risk management
• Monitoring all operations and infrastructure by reviewing alerts and logs to track the organisation’s digital security impact

Our Head of Information Security also operates as our internal Data Protection Officer.

Compliance and certification

• Systems and Organization Controls (SOC) SOC2 Type 2 – Security principles (attested).
  Report available on request subject to customary non-disclosure underwriting.
• Student Privacy Pledge

Guidance from the following standards

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, Version 1.1

The International Organization for Standardization (ISO) Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27001:2017

Data protection programme

Our core mission is to keep you and your data safe and secure why we deploy our platform on well known and reliable hosting providers. Kognity’s platform runs on an isolated environment and is not accessible to other applications or areas of the system to prevent security and stability issues.

Segmentation of production

Our production environment is completely separate from all other environments and our customers are logically separated from each other.

Data processing

All data that our platform process originates from our customers’ or their users, such as name, email and graduation. All data will be imported from sources that our customers actively choose. We do not process any other data from our customers that is not deemed as necessary for our platform or the delivery of the services.

Data in motion

All data communication to our platform is encrypted by strong Transport Layer Security (TLS) protocol (TLS 1.2 and TLS 1.3).

Data at rest

All of our data at rest is encrypted by a standardised, good and strong encryption called Advanced Encryption Standard (AES) 256 bits.

Risk management

Our risk management framework is aligned with business objectives that establish rules governing how to identify risks, assign risk ownership, how the risks impact the confidentiality, integrity and availability of the information and the method of treatment for identified risks. This is fundamental for classifying and protecting our objectives and delivering on our commitment to you by keeping your data safe and secure. Additionally, risk management is something that is constantly evolving and continuously monitored, included through annual reviews.

Onboarding

When we onboard new staff, they will follow a standardised onboarding process which includes acceptance of our Code of Conduct and key information security policies, for example our Acceptable Use Policy.

Trainings

We have also has adopted an ambitious company-wide training program that includes:
mandatory privacy and information security training for all new joiners
annual mandatory privacy and information security training for all staff (in addition to the new joiner training)
Biannual information security trainings for all of staff

Background checks

All new hires undergo a customary vetting process including reference checks. In addition, any staff that may access user personal data of students are subject to appropriate and recurring criminal background checks.

Offboarding

Our offboarding process follows a standardised offboarding list where we remove access control, ensure return of work equipment and remind the employee that the confidentiality agreement is valid even after the employment is terminated.

Access management

We have designed and implemented the minimum permission levels needed in order to perform job functions. This includes both the breadth of access (what data is available) and the depth of access (what actions the user is able to perform on that data), as per the principles of Privacy by Design.

Authentication

We are enforcing multi-factor authentication on email and corporate accounts, and single-sign-on where MFA is not applicable.

Privileged access

All privileged accounts are carefully monitored and limited to authorised users only.

Access control review

Access control is reviewed on a quarterly basis.

Secure development

All of our tech team members follow a standardised process for coding practices, including industry standards and hygiene factors for releasing new features and other fixes to our production environment.

Coding

Our way of working is based on secure coding development which, among other things, means that no source code will be pushed to the production environment without independent code review, analysis and performance review. Once this is completed, our test suite will be triggered and evaluate the code based on our tests.

Penetration test

Our platform is subjected to a penetration test annually. In addition to the penetration test, the platform is subject to weekly automatic penetration testing and regular third party vulnerability scanning and alerts.

Monitoring

We continuously monitor our platform for any kind of deviation or malicious pattern that may cause disruption for our users.

Incident management

We have established a state of the art incident management process that involves a cross functional team with responsibility to assess, review, classify, escalate and resolve any incident.

Vendor management

Material vendors are reviewed at least annually or as part of the procurement process for new vendors which services could affect the infrastructure of the platform or overall business criticality.

Business Continuity and Disaster Recovery

As we utilise the power of cloud hosting, we can keep the server instances as interchangeable commodities as far as possible and running on high availability plans. This means that the database cluster and management system is designed to increase database availability in the event of hardware or software failure that could potentially lead to downtime or any other disruption.

External Audits

We conduct annual external security audits performed by accredited Auditors.