LAST UPDATED: April 03, 2024
This Security Statement applies to the products, services, websites, and apps offered by Kabob
Cloud Inc., and its affiliates, which are branded as “Kabob Cloud”, except where otherwise noted.
We refer to those products, services, websites, and apps collectively as the “services” in this
Statement. This Security Statement also forms part of the user agreements for Kabob Cloud
customers.
Kabob Cloud values the trust that our customers place in us by letting us act as custodians of
their data. We take our responsibility to protect and secure your information seriously and
strive for complete transparency around our security practices detailed below. Our Privacy Notice
also further details the ways we handle your data.
Physical Security
Kabob Cloud's information systems and technical infrastructure are hosted within world-class, SOC
2 accredited data centers (AWS). Physical security controls at these data centers include 24x7
monitoring, cameras, visitor logs, entry limitations, and all that you would expect at a
high-security data processing facility.
Compliance
Kabob Cloud has implemented governance, risk management, and compliance practices that align with
the most globally recognized information security frameworks. Kabob Cloud has achieved ISO 27001
certification.
Access Control
Access to Kabob Cloud's technology resources is only permitted through secure connectivity (e.g.,
VPN, SSH) and requires multi-factor authentication. Our production password policy requires
complexity, expiration, and lockout and disallows reuse. Kabob Cloud grants access on a
need-to-know basis following least-privilege rules, reviews permissions quarterly, and
revokes access immediately after employee termination.
Security Policies
Kabob Cloud maintains and regularly reviews and updates its information security policies, at
least on an annual basis. Employees must acknowledge policies on an annual basis and undergo
additional training pertaining to job function. Training is designed to adhere to all
specifications and regulations applicable to Kabob Cloud.
Personnel
Kabob Cloud conducts background screening at the time of hire (to the extent permitted or
facilitated by applicable laws and countries). In addition, Kabob Cloud communicates its
information security policies to all personnel (who must acknowledge this), requires new
employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Dedicated Security Personnel
Kabob Cloud has a dedicated Trust & Security organization, which focuses on application, cloud,
network, and system security. This team is also responsible for security compliance, education,
and incident response.
Vulnerability Management and Penetration Tests
Kabob Cloud maintains a documented vulnerability management program which includes periodic
scans, identification, and remediation of security vulnerabilities on servers, workstations,
network equipment, and applications. All networks, including test and production environments,
are regularly scanned using trusted third-party vendors. Critical patches are applied to servers
on a priority basis, and all other patches are applied as appropriate.
Encryption
Kabob Cloud encrypts all data at rest in our data centers using AES 256 based encryption.
Additionally, Kabob Cloud encrypts all data in motion using RSA with 2048 bit key length-based
certificates generated via a public Certificate Authority, for communications outside Kabob
Cloud's data centers, and RSA 256 certificates generated via an Internal Certificate Authority,
for all the data within the data center.
Development
Our development team employs secure coding techniques and best practices, focused around the
OWASP Top Ten. Developers are formally trained in secure web application development practices
upon hire and annually.
Asset Management
Kabob Cloud maintains an asset management policy which includes identification, classification,
retention, and disposal of information and assets. Company-issued devices are equipped with full
hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted
to access corporate and production networks.
Incident Management
Kabob Cloud maintains a security incident response process that covers the initial response,
investigation, customer notification (no less than as required by applicable law), public
communication, and remediation. This process is reviewed regularly and tested annually.
Business Continuity Management
Backups are encrypted and stored within the production environment to preserve their
confidentiality and integrity. Kabob Cloud employs a backup strategy to ensure minimum downtime
and data loss. The Business Continuity Plan (BCP) is tested and updated on a regular basis to
ensure its effectiveness in the event of a disaster.
Your Responsibilities
Keeping your data secure also requires that you maintain the security of your account by using
sufficiently complex passwords and storing them safely. You should also ensure that you have
sufficient security on your own systems. We offer TLS to secure the transmission of survey
responses, but you are responsible for ensuring that your services are configured to use that
feature where appropriate.
Logging and Monitoring
Application and infrastructure systems log information to a centrally managed log repository for
troubleshooting, security reviews, and analysis by authorized Kabob Cloud personnel. Logs are
preserved in accordance with regulatory requirements. We will provide customers with reasonable
assistance and access to logs in the event of a security incident impacting their account.