Security
We place great importance on security. Our culture is based on looking at security from a hacker’s point of view, and repurposing that perspective to make our platform secure for you. If you have any questions or encounter any problems, please contact us.
Product Security
Black Kite uses a software development life cycle in accordance with Agile principles. With security effort applied throughout the agile release cycle, security flaws in software can be discovered and addressed faster than with development methodologies that use longer release cycles. Software patches are released as part of our continuous integration process. Patches that could affect end users are applied as soon as possible, but may require end-user notification and scheduling of a service window.
Black Kite performs continuous integration in order to respond quickly to both functional and security problems. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is at the heart of DevOps security and development methodologies, and aims to keep the average resolution time for both vulnerabilities and functional problems as short as possible. We are constantly improving our DevOps practices iteratively.
Physical Security
The Black Kite production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security-related controls for Black Kite production servers, which include buildings and the locks or keys used on doors, are managed by these CSPs. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.
Corporate Security
All Black Kite personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. Employees who require access to customer data must have an individual account. This account, as well as actions performed with it, will be subject to additional monitoring at the discretion of the management team and subject to applicable regulations and third-party agreements.
At a minimum, employees with access to customer data can expect that their actions in customer data systems (e.g. an internal admin tool) will be logged, with the logs stored centrally for at least six months.
Certifications, Attestations and Frameworks
Black Kite maintains adherence to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles, NIST CSF, NIST 888-171 and NIST 800-53.
Laws and Regulations
Black Kite’s solution is compliant with various data protection laws and regulations applicable to the services we provide.
GDPR
Black Kite is compliant with the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Black Kite continues to work to enhance its products, processes, and procedures to meet its obligations as a data processor. For more information about our position on the GDPR, please visit the Privacy Policy page.
CCPA
Black Kite does not intend to transfer, process, use, or store personal information. Black Kite provides a CCPA Addendum to allow customers to fulfill their obligations under the CCPA, in the event that personal data is in scope. For more information about how the CCPA impacts Black Kite and its customers, please contact Bob Maley, Chief Security Officer of Black Kite.
Vendor Management
Black Kite leverages a number of third-party applications and services to support the delivery of our products to our customers. The Black Kite Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Black Kite’s Security and Privacy teams have established a vendor management program that sets forth the requirements to be established and agreed upon when Black Kite engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Black Kite and its customers.
Authentication and Access Management
End users may log in to Black Kite using an Identity Provider, leveraging Black Kite’s support for the Security Assertion Markup Language (SAML), or via the “Sign-in with Google” OpenID service. These services authenticate an individual’s identity and may provide the option to share certain personally identifying information with Black Kite, such as the user’s name and email address, to pre-populate our registration form. Black Kite’s SAML support allows organizations to control authentication and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
All requests to the Black Kite API must be authenticated. Requests that write data require a minimum of reporting access and an API key. Requests that read data require full user access as well as an application key. These keys act as bearer tokens allowing access to the Black Kite service functionality.
Protection of Customer Data
Data submitted to the Black Kite service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer data is not authorized to exit the Black Kite production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Black Kite and Black Kite users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Black Kite application will be inaccessible.
Black Kite maintains distinct data centers in the United States and utilizes encryption at various points to protect customer data and Black Kite secrets, including encryption at rest (e.g. AES-256).
Access to customer data is limited to functions with a business requirement to do so. Black Kite has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain customer data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Black Kite enforces the principles of least privilege and need-to-know for access to customer data, and access to those environments is monitored and logged for security purposes. Black Kite has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
Black Kite monitors critical infrastructure for security-related events using a custom implementation of open-source and commercial technologies. Activity data, such as API calls and operating-system-level calls, is logged to a central point, where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or triggering additional authentication requirements.
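As an added illustration (not Black Kite's own code) of the pipeline this paragraph describes, the block below runs constructed central-log events (API calls and OS-level calls) through a few detection rules and maps each finding to an orchestration action. The log fields, rule names and action names are assumptions made for the example.

```python
# Illustrative log -> rules -> orchestration pipeline; log format, rule names
# and actions are assumed, not taken from any real deployment.
from dataclasses import dataclass

# Constructed sample events as they might arrive at a central log.
SAMPLE_EVENTS = [
    {"source": "api", "user": "alice", "mfa": True, "action": "customer_data.read"},
    {"source": "api", "user": "bob", "mfa": False, "action": "customer_data.export"},
    {"source": "os", "user": "svc-web", "mfa": True, "action": "execve", "argv": "sudo su -"},
    {"source": "api", "user": "carol", "mfa": True, "action": "report.list"},
]

@dataclass
class Finding:
    rule: str
    user: str
    action: str  # orchestration action: "alert" or "step_up_auth"

def rule_customer_data_without_mfa(ev):
    """Customer-data access from a session that has not completed MFA."""
    if ev["action"].startswith("customer_data.") and not ev["mfa"]:
        return Finding("customer_data_without_mfa", ev["user"], "step_up_auth")
    return None

def rule_service_account_root_shell(ev):
    """A service account opening an interactive root shell (unapproved behavior)."""
    if ev["source"] == "os" and ev["user"].startswith("svc-") and "sudo" in ev.get("argv", ""):
        return Finding("service_account_root_shell", ev["user"], "alert")
    return None

RULES = [rule_customer_data_without_mfa, rule_service_account_root_shell]

def evaluate(events):
    """Run every rule over every event; collect the findings in log order."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding is not None:
                findings.append(finding)
    return findings

def orchestrate(findings):
    """Group findings by the automated action the orchestration layer should trigger."""
    actions = {"alert": [], "step_up_auth": []}
    for finding in findings:
        actions[finding.action].append(finding.user)
    return actions

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
    print(orchestrate(evaluate(SAMPLE_EVENTS)))
```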
Report an Issue
If you discover a bug in Black Kite’s platform, please get in touch with Chris Bush, Chief Customer Officer, and expect a response within 24 hours, usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.