TRUST CENTER
Security and Compliance at Kivo
Security and data integrity are at the heart of what we do. We help our customers achieve compliance, and that starts with us.
Our Guiding Principles
Our security policies are based on the following guiding principles:
Risk-Based Approach
Base security decisions on a thorough understanding of the organization's risk profile, identifying and prioritizing risks to information assets, systems, and operations. Align security measures with the organization's risk tolerance and business objectives.
Defense in Depth
Implement multiple layers of security controls across people, processes, and technology to create overlapping defenses. This approach reduces the likelihood of a single point of failure and provides redundancy in case one control is breached.
Least Privilege
Limit access to resources and systems to only those individuals or processes that require it to perform their duties. Follow the principle of least privilege to minimize the potential impact of insider threats and unauthorized access.
Continuous Monitoring and Improvement
Regularly monitor and assess the effectiveness of security controls, incident response procedures, and security posture. Continuously improve security practices based on lessons learned from security incidents, audits, and reviews.
Comprehensive Awareness and Training
Foster a culture of security awareness throughout the organization by providing regular training and educational programs to employees, contractors, and other stakeholders. Encourage individuals to recognize security risks and report incidents promptly.
Incident Response and Resilience
Develop and maintain robust incident response plans and procedures to detect, respond to, and recover from security incidents promptly. Test and refine these plans through regular exercises and simulations to ensure readiness and resilience.
Certifications & Organizations
Industry Expertise
Kivo is currently SOC 2 Type 1 certified. Type 2 certification is in progress as of January 2024. Kivo maintains compliance with the following industry best practices:
- International Council for Harmonisation
- FDA 21 CFR Part 11
- EU Annex 11
- ISO 9001
- Good Clinical Practice
- TMF Reference Model
Data Protection
Data at Rest & In Transit
Data transmission is secured using TLS 1.2. Data replication channels are also encrypted and transmitted via the private AWS connection. All data access requests require an ACL context which contains both the authenticated user and the organization that is requesting the data. These requests are validated via the Kivo permissions system to exclude the possibility of cross-client data leakage. All data at rest is encrypted using AES-256.
Data Segregation
To ensure confidentiality of data within the Electronic Document Management System, customers are prevented from accessing other customers' data through appropriate segmentation controls. All customers receive their own tenant of Kivo, and their data is logically separated and not accessible to other tenants to prevent unauthorized access. Data hosted and stored in databases and other storage locations is encrypted at rest using encryption keys provided and managed by Heroku and AWS.
Data Backup & Recovery
Customer data and user activity are recorded within Kivo, backed up via Postgres snapshots, and replicated to an additional AWS region for redundancy. Backups are performed hourly, every day, using an automated system and are replicated in real time to an additional availability zone. Kivo performs backup restoration testing on a yearly basis to verify the integrity and completeness of backup information.
Data Disposal
Kivo has defined policies that specify the data backup and retention period, and the process to follow for the secure disposal of confidential or sensitive information stored within Kivo. The terms of service, which customers must accept during initial access to Kivo, include specifics on the disposal and return of confidential information on termination or expiration of the contract.
Product Security
Development
Kivo has developed a formal SDLC methodology that governs the development, acquisition, implementation, and maintenance of application development. For the Electronic Document Management System, separate logical environments are used to segregate access between Development, Testing, and Production instances. These environments support a consistent code release and change management workflow, ensuring that product enhancements and bug fixes are efficiently and accurately reviewed, prioritized, scheduled, tested, signed off, and approved by senior management before being released into the production environment. Every release is validated, and release notes are provided to all clients as needed.
Access
The Kivo Platform is accessible to all approved user organizations and internal users. All client sessions within Kivo are encrypted through TLS/HTTPS. All sessions are logged and monitored.
Vulnerability Scanning
Vulnerability scans are performed on a weekly basis to identify threats and vulnerabilities to the production systems. Issues identified are analyzed and remediated in a timely manner.
Penetration Testing
Kivo engages a third-party penetration testing firm (currently Cacilian) at minimum once per year.
Internal Security
Endpoint Protection
Kivo protects all devices for both remote and in-office employees. All corporate devices are managed and are equipped with mobile device management software and anti-malware protection via Bitdefender and Endpoint Central, as well as default settings applied to each device. Protection includes:
- Anti-virus/anti-malware software configured to force definition updates at least daily and to perform file-level scans during any read/write operations.
- Firewalls enabled to prevent or detect unauthorized or malicious attempts to gain access to the device.
- Operating systems kept up to date, with security updates applied in an expedited manner.
- Disk encryption and passwords applied.
Vendor Security
We conduct a risk-based analysis of all vendors. Depending on risk assessment, a due diligence questionnaire may be sent in lieu of an audit. Ongoing audits are conducted annually. All suppliers are included in the Approved Suppliers List, which is restricted.
Security Education
Kivo provides comprehensive security training to all employees upon onboarding and annually through educational modules within Kivo’s own platform. Important security updates are shared via threat briefings on an ad hoc basis.
Kivo FAQs
Yes. Kivo is SOC 2 Type 1 Certified. Type 2 Certification is in progress as of January 2024.