Security Policy

Security is of utmost importance at Kwench. To ensure the security of user data and our services, we have developed a comprehensive set of practices, policies and technologies to provide the best in class security.

This document outlines some of the mechanisms and processes we have implemented to help ensure that your data is protected.

Security Certifications/Compliances

ISO/IEC 27001 is one of the most widely recognized independent international security standards. This certificate is awarded to organizations that comply with ISO's high global standards. Kwench’s ISO/IEC 27001:2013 certification applies for Applications, Systems, People, Technology, and Processes.

SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA's Trust Services Principles criteria. Protecting personal information and ensuring safety is core to our services and we are currently SOC2 type 1 certfied and working towards type 2 certification.

The General Data Protection Regulation (GDPR) is a new framework that will harmonize data protection rules across the European Union (EU). It goes into effect on May 25, 2018. The GDPR builds on existing data protection law, while also adding new requirements. As part of GDPR all our clients would act as data controllers and Kwench would work as data processor. This ensures the privacy and lawful use of the user personal information.

National Electronic Security Authority (NESA) information assurance standards provide requirements to implement information security controls to ensure protection of information assets and supporting systems across all entities in the UAE. We are currently working to ensure our compliance with NESA.

Coming Soon - August 2019

Security Practices

Data Security

Our data centers are hosted with some of the most trusted datacenter providers in the world including AWS and IBM Cloud. For physical security of data centers and data we leverage the capabilities of these providers which includes physical security and environmental controls.
As a SaaS service provider the data of all customers is hosted in the same infrastructure. We have processes and procedures in place to limit the access of data using logical segregation ensuring the privacy and security to the client data.

Infrastructure and Network Security

Access to infrastructure and network is granted only on need to know basis with minimum privileges. This ensures that only the users who require access to a system are able to access it. Key-based authentication mechanism is used for login with additional IP based restrictions. To ensure the security of data during transmission secure communication protocols (TLS1.2, SSH, SCP) are used. Data at rest is also encrypted using standard AES 256 encryption. Host based Intrusion Detection (HIDS) and antivirus are installed to secure and proactively monitor any changes in hosting infrastructure. Audit controls and logging is used to review controlled access environment.

People, process and business continuity

While we talk about security and ensuring the privacy and security of data, along with technology, people and processes also play an important role. We have HR policies and practices in place to ensure the recruitment of right candidates and background verification of new employees. Security team ensures the need to know based access to security systems, data centers and applications. As part of Information Security Management System (ISMS) regular audits are conducted to ensure internal compliances are followed across the organization.
For business continuity people, process and technology plays key roles to provide uninterrupted services to client. Kwench offices are based out of different geographic locations in India to ensure service during natural disaster in any one region. For cloud systems backups and BCP plans are in place to provide service in case any interruption from primary location.

Infrastructure and Network Security

It is our core responsibility to keep our customer data safe and secure. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner. Publicly disclosing a vulnerability may attract more risk for your data and of other users. You can send the details to our security team as
Security vulnerabilities are treated with the utmost importance to ensure the safety and security of our service. We will work with you to assess and understand the scope of the issue and fully address any concerns.