Priority security controls from Vanta

These are the most critical controls to ensure Kustomer is protected from common attacks.

MFA on accounts

COMPLETE

Access to sensitive systems and applications requires two factor authentication in the form of user ID, password, OTP and/or certificate.

4 TESTS

MFA on infrastructure provider: Inspected all user accounts with access to company infrastructure and determined that each is configured with MFA.

MFA on infrastructure root account: Inspected the infrastructure root account and confirmed it is configured with MFA.

MFA on GSuite: Inspected all GSuite users and determined that each account is configured with MFA.

MFA on version control tool: Inspected all users of the company's version control tool and determined that each account is configured with MFA.

Password manager

COMPLETE

Company management ensures that a password manager is installed on all company-issued laptops.

2 TESTS

Password managers required: Inspected Kustomer's security policies and determined that employees are required to use a password manager to set, store, and retrieve passwords for cloud services.

Password manager records: Inspected employee computers and determined that each was running a password manager and that employees knew to use it when setting, retrieving, and storing company passwords.

Daily database backups

COMPLETE

Backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy.

1 TEST

Company has a Backup Policy: Inspected the Backup Policy and determined it specified how often backups should be made and for how long they should be kept.

SSL used

COMPLETE

The company ensures that all connections to its web application from its users are encrypted.

4 TESTS

SSL configuration has no known issues: Inspected the SSL configurations used to encrypt all data in transit and determined that there are no known issues.

SSL enforced on company website: Observed a user connecting to the company website and application and determined both are reachable exclusively over HTTPS. Further observed that if the user manually edits the URL to start with http://, s/he will be redirected to an https:// URL.

SSL certificate has not expired: Inspected the certificate used to encrypt all data in transit and determined it has not expired.

Strong SSL/TLS ciphers used: Inspected the SSL/TLS ciphers used to encrypt all data in transit and determined that they are all secure.

Unique accounts

COMPLETE

Access to corporate network, production machines, network devices, and support tools requires a unique ID.

11 TESTS

Employees have unique infrastructure accounts: Inspected the configuration for the company's infrastructure tool and confirmed that employees have unique accounts on the service.

Employees have unique email accounts: Inspected the configuration for the company's email tool and confirmed that employees have unique accounts on the service.

Employees have unique version control accounts: Inspected the configuration for the company's version control tool and confirmed that employees have unique accounts on the service.

Employees have unique chat accounts: Inspected the configuration for the company's chat tool and confirmed that employees have unique accounts on the service.

Root infrastructure account unused: Inspected the configuration for the company's infrastructure provider and confirmed that the root account is not actively used.

Groups manage employee accounts permissions: Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups.

Service accounts used: Inspected the configuration for the company's infrastructure provider and confirmed that every account is assigned a role.

Service accounts used (Heroku): Inspected the configuration for the company's infrastructure provider and confirmed that every account is assigned a role.

Old infrastructure accounts disabled: Inspected the configuration for the company's infrastructure provider and confirmed that all IAM users have been active in the past 90 days. Older IAM accounts are disabled.

No user account has a policy attached directly: Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups or roles, rather than to individual employee user accounts.

No user account has a policy attached directly (Heroku): Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups or roles, rather than to individual employee user accounts.

V 0.1

Vanta report

Vanta tested Kustomer’s security and IT infrastructure to ensure the company has a strong security posture, as defined by industry-standard security frameworks.

In this report, Vanta:

  • Tests a complete set of security and infrastructure controls that may appear in a SOC 2 audit
  • Identifies gaps and vulnerabilities in infrastructure and processes

This document is updated continuously. As Kustomer improves its security posture, those efforts will be instantly visible.

Intended use

This Vanta Report can be used by:

  • Kustomer to identify issues critical for remediation
  • Kustomer’s customers to understand the company’s security posture

Vanta Report approach: continuous monitoring

Vanta continuously monitors the company’s policies, procedures, and IT infrastructure to ensure the company adheres to industry-standard security, privacy, confidentiality, and availability standards.

To do this, Vanta connects directly to the company’s infrastructure accounts, version control tools, task trackers, endpoints, hosts, HR tools, and internal policies. Vanta then continuously monitors these resources to determine if Kustomer meets the SOC 2 standard.

In compiling this report, Vanta took into account Kustomer’s unique requirements and technical environment, including business model, products and services, and interactions with customer data.

V 1.0

Data and privacy

V 1.1

Customer data policies

2 CONTROLS

Customer data policies

COMPLETE

Company management has approved Kustomer policies that detail how customer data may be made accessible and should be handled. These policies are accessible to all employees and contractors.

2 TESTS

Policies cover employee access to customer data: Inspected Kustomer's security policies and determined they outline requirements for granting employees access to and removing employee access from customer data.

Policies cover employee confidentiality regarding customer data: Inspected Kustomer's security policies and determined they require that employees keep confidential any information they learn while handling customer data.

Least-privileged policy for customer data access

COMPLETE

The company authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.

1 TEST

Least privileged policy for customer data access: Inspected Kustomer's security policies and determined that they require that employees may only access the customer data they need in order to complete their jobs.

V 1.3

Internal admin tool

1 CONTROL

Require encryption of web-based admin access

COMPLETE

Encryption is used to protect user authentication and administrator sessions of the internal admin tool transmitted over the Internet.

2 TESTS

SSL/TLS on admin page of infrastructure console: Inspected the admin page and login of the company's Infrastructure as a Service provider and determined that all connections happen over SSL/TLS with a valid certificate from a reliable Certificate Authority.

SSL/TLS on admin page of infrastructure console (Heroku): Inspected the admin page and login of the company's Infrastructure as a Service provider and determined that all connections happen over SSL/TLS with a valid certificate from a reliable Certificate Authority.

V 2.0

Internal security procedures

V 2.1

Software development life cycle

2 CONTROLS

System changes must be approved

COMPLETE

System changes must be approved by an independent technical resource prior to deployment to production.

2 TESTS

Impact of application changes considered: Inspected tickets from the version control system and determined that application changes are evaluated for their potential effect on the company's security commitments.

Impact of network changes considered: Inspected tickets from the version control system and task tracker and determined that network changes are evaluated for their potential effect on the company's security commitments.

Version control tool

COMPLETE

Kustomer uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator.

3 TESTS

Company has a version control system: Inspected the company's version control system and confirmed it is actively used.

Only authorized employees change code: Observed that approved employees can make changes to code only on a branch for which they have approval.

Only authorized team members access version control: Inspected the users of the company's version control tool and confirmed that all accounts were authenticated to the company's account.

V 2.4

Responsible Disclosure Policy

2 CONTROLS

Disclosure process for customers

COMPLETE

Kustomer provides a process to external users for reporting security, confidentiality, integrity and availability failures, incidents, concerns, and other complaints.

1 TEST

Contact information available to customers: Kustomer has provided a URL to its customer-accessible support documentation, where support contact information is readily available. Further determined that customers and/or associated users are encouraged to contact appropriate Company personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other complaints.

Employee disclosure process

COMPLETE

Kustomer provides a process to employees for reporting security, confidentiality, integrity and availability failures, incidents, and concerns, and other complaints to company management.

1 TEST

Process for responsible disclosure by employees: Inspected Kustomer's security policies and confirmed they detail a process for employees to report security, confidentiality, integrity and availability failures, incidents, and concerns.

V 2.5

Vulnerability management

3 CONTROLS

Annual penetration tests

COMPLETE

Kustomer engages third-parties to conduct penetration tests of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

1 TEST

Records of penetration testing: Inspected the report from the company's latest penetration test, which was performed in the last 12 months.

Infrastructure packages checked for vulnerabilities

COMPLETE

Kustomer has implemented a vulnerability management program to detect and remediate system vulnerabilities in software packages used in company infrastructure.

1 TEST

Infrastructure dependencies checked for vulnerabilities: Inspected the configuration for the tool that continuously monitors infrastructure packages and confirmed that it is active and alerts on vulnerabilities.

Network diagram

COMPLETE

Kustomer maintains an accurate network diagram that is accessible to the engineering team and is reviewed by management on an annual basis.

1 TEST

Network diagram: Inspected the diagram of Kustomer's in-scope network and determined it accurately reflected the company's in-scope network.

V 2.6

Security issues

3 CONTROLS

Security issues prioritized

COMPLETE

Security deficiencies tracked through internal tools are prioritized according to their severity by an independent technical resource.

1 TEST

Security issues are prioritized: Inspected the team's task tracker and confirmed security issues are tagged and prioritized accordingly.

Security issues tracked

COMPLETE

Remediation of security deficiencies is tracked through internal tools.

1 TEST

Records of security issues being tracked: Inspected the team's task tracker and confirmed security issues are tracked in a shared issue tracking system.

SLA for security bugs

COMPLETE

Security deficiencies tracked through internal tools are closed within an SLA that management has pre-specified.

1 TEST

SLA for security bugs: Inspected Kustomer's procedure settings in Vanta and determined that an SLA for P0 security bugs was set.

V 2.7

Incident Response Plan

4 CONTROLS

Follow-ups tracked

COMPLETE

Kustomer has implemented an incident response policy that includes creating, prioritizing, assigning, and tracking follow-ups to completion.

1 TEST

Policies for tracking follow-ups to important security items: Inspected the Incident Response Plan and determined that it included a section about tracking follow-ups after incidents.

Incident Response plan

COMPLETE

Kustomer has an established incident response policy that outlines management responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents.

1 TEST

Company has an Incident Response Plan: Inspected the Incident Response Plan and determined that it outlines formal procedure for responding to security events.

Incident Response team

COMPLETE

Kustomer has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity and confidentiality at Kustomer.

1 TEST

Company Incident Response Plan cites responsible team members: Inspected the Incident Response Plan and determined that it names the individuals responsible for monitoring for and responding to incidents.

Lessons learned

COMPLETE

Kustomer has implemented an incident response policy that includes writing "lessons learned" documents after incidents and sharing them with the broader engineering team.

1 TEST

Incident Response Policy includes Lessons Learned: Inspected the Incident Response Plan and determined that it included a section about writing lessons learned documents after incidents.

V 3.0

Organizational security

V 3.1

Security policies

3 CONTROLS

Change management policy

COMPLETE

Kustomer has developed policies and procedures governing the system development lifecycle, including documented policies for tracking, testing, approving, and validating changes.

1 TEST

Company has a Change Management Policy: Inspected the Change Management Policy and determined that it outlines considerations for planning, design, security, availability, implementation, and maintenance of changes.

Security policies

COMPLETE

Management has approved Kustomer security policies, and all employees agree to these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors.

2 TESTS

Company has security policies: Inspected Kustomer's security policies and determined they outline requirements for securing the company's operations, services, and systems.

Security policies accepted: Inspected records of Kustomer's security policies and determined that all employees have agreed to them.

Security policies reviewed

COMPLETE

Security policies are reviewed at least annually. Policies, procedures and guidelines are created/updated as needed.

1 TEST

Security policies reviewed: Inspected Kustomer's security policies and determined they were reviewed and approved by management.

V 3.2

Security program

3 CONTROLS

Security team

COMPLETE

Kustomer has an assigned security team that is responsible for the design, implementation, management, and review of the organization’s security policies, standards, baselines, procedures, and guidelines.

1 TEST

Policies for a security team: Inspected Kustomer's security policies and determined they identify individuals responsible for the security of the company’s operations, services, and systems.

Security team has communication channel to the CEO

COMPLETE

The security team communicates important information security events to company management in a timely manner.

1 TEST

Security team has a line of communication to the CEO: Inspected Kustomer's security policies and determined that the security team has a direct communication channel to the CEO.

Security training

COMPLETE

Kustomer has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with the Company’s security policies and procedures, including the identification and reporting of incidents. All full-time employees are required to complete these trainings annually.

2 TESTS

Policies for security awareness training: Inspected Kustomer's security policies and determined that the security team is responsible for training all employees on security at the company.

Security awareness training selected: Inspected the security awareness training that all employees must complete on hire and confirmed that it provides information on the tactics attackers use that could compromise the security of the company’s and its customers' data.

V 3.3

Personnel Security

7 CONTROLS

Acceptable Use Policy

COMPLETE

Kustomer has policies and procedures in place to establish acceptable use of information assets approved by management, posted on the company wiki, and accessible to all employees. All employees must agree to the Acceptable Use Policy on hire.

2 TESTS

Company has an Acceptable Use Policy: Inspected company records and determined a policy that establishes the acceptable use of information assets is in place, has been approved by management, and is accessible to employees.

Employees agree to Acceptable Use Policy: Inspected Kustomer records and determined that all employees had agreed to the company's Acceptable Use Policy.

Annual performance evaluations

COMPLETE

The company evaluates the performance of all employees through a formal, annual performance evaluation.

1 TEST

Performance evaluation process: Inspected records of the company's process for formal performance evaluations and determined they describe a formal process to evaluate employee competency.

Background checks

COMPLETE

Background checks are performed on new hires before the new hire's start date, as permitted by local laws. The results are reviewed by HR and appropriate action is taken if deemed necessary.

1 TEST

Background checks on new hires: Inspected Kustomer new hires that were granted access to the in-scope systems and determined that a background investigation was performed, as permitted by local laws.

Code of Conduct

COMPLETE

Kustomer has established a code of conduct and requires all employees to agree to it on hire. Management monitors employees' acceptance of the code.

2 TESTS

Company has a Code of Conduct: Inspected the policy that documents the company's Code of Conduct to determine that it was in place and provides guidance on workforce conduct standards.

Employees agree to Code of Conduct: Inspected Kustomer records and determined that all employees had agreed to the company's Code of Conduct on hire.

Data protection policy

COMPLETE

Kustomer has established a Data Protection Policy and requires all employees to agree to it on hire. Management monitors employees' acceptance of the policy.

1 TEST

Company has a Data Protection Policy: Inspected the company's Data Protection Policy to determine that it was in place.

Formal recruiting process

COMPLETE

New hires or internal transfers are required to go through an official recruiting process during which their qualifications and experience are screened to ensure that they are competent to fulfill their responsibilities.

1 TEST

New hire contract: Inspected a sample new hire contract from Kustomer.

Job descriptions

COMPLETE

All positions have a detailed job description that lists qualifications, such as requisite skills and experience, which candidates must meet in order to be hired by Kustomer.

2 TESTS

Job descriptions: Kustomer has provided a URL to their external jobs page.

Engineering job description: Inspected a sample engineering job description from Kustomer.

V 3.5

Endpoints (laptops)

3 CONTROLS

Login password

COMPLETE

Company management ensures that all company-issued laptops use a screensaver lock with a timeout of no more than 60 seconds.

1 TEST

Screensaver lock required on employee computers: Inspected Kustomer's security policies and determined that employee computers must have a login password that activates after the machine had been idle for five minutes or less.

Password manager

COMPLETE

Company management ensures that a password manager is installed on all company-issued laptops.

2 TESTS

Password managers required: Inspected Kustomer's security policies and determined that employees are required to use a password manager to set, store, and retrieve passwords for cloud services.

Password manager records: Inspected employee computers and determined that each was running a password manager and that employees knew to use it when setting, retrieving, and storing company passwords.

Personal firewalls

COMPLETE

Company management ensures that company-issued laptops have a personal firewall.

1 TEST

Personal firewalls required: Inspected Kustomer's security policies and determined that the company requires employees to run personal firewall software on any company-owned computer that connects to the public internet.

V 4.0

Product security

V 4.2

Data encryption

3 CONTROLS

Cryptography policies

COMPLETE

Kustomer has established policies and procedures that govern the use of cryptographic controls.

1 TEST

Company has a Cryptography Policy: Inspected Kustomer's cryptography policies and confirmed they list resources that employees may access to ensure they understand the procedures and their responsibilities.

Customer data encrypted at rest

COMPLETE

Customer data stored in databases is encrypted at rest.

2 TESTS

Customer data is encrypted at rest (Heroku): Inspected the configuration of the SQL database(s) storing customer data and determined that data is encrypted at rest.

Customer data in S3 is encrypted at rest: Inspected the configuration of the S3 bucket(s) storing customer data and determined that they are encrypted at rest.

SSL used

COMPLETE

The company ensures that all connections to its web application from its users are encrypted.

4 TESTS

SSL configuration has no known issues: Inspected the SSL configurations used to encrypt all data in transit and determined that there are no known issues.

SSL enforced on company website: Observed a user connecting to the company website and application and determined both are reachable exclusively over HTTPS. Further observed that if the user manually edits the URL to start with http://, s/he will be redirected to an https:// URL.

SSL certificate has not expired: Inspected the certificate used to encrypt all data in transit and determined it has not expired.

Strong SSL/TLS ciphers used: Inspected the SSL/TLS ciphers used to encrypt all data in transit and determined that they are all secure.

V 4.3

Customer communication

3 CONTROLS

Company commitments explained to customers

COMPLETE

Security commitments are communicated to external users, as appropriate.

1 TEST

MSAs offered to customers: Kustomer's security commitments are included in the Master Service Agreement (MSA), available to authorized customers.

Company has a Privacy Policy

COMPLETE

Kustomer maintains a Privacy Policy that is available to all external users and internal employees, and it details the company's confidentiality and privacy commitments.

1 TEST

Privacy policy publicly available: Kustomer has provided a URL to their public Privacy Policy.

Company has a Terms of Service

COMPLETE

Kustomer maintains a Terms of Service that is available to all external users and internal employees, and the terms detail the company's security and availability commitments regarding the systems. Where the Terms of Service may not apply, the company has Client Agreements or Master Service Agreements in place.

1 TEST

Terms of service publicly available: Kustomer has provided a URL to their public Terms of Service.

V 5.0

Infrastructure security

V 5.1

Authentication and authorization

7 CONTROLS

Access to the infrastructure provider requires approval, is logged, and is updated as needed

COMPLETE

An administrator must approve new-employee access to the infrastructure provider, and access is restricted to authorized personnel. Access approvals and modifications to the access list are logged. Access is removed when appropriate.

1 TEST

AWS accounts reviewed: Inspected access lists for the infrastructure provider and determined that access is limited to authorized personnel and must be approved by an existing administrator.

MFA on accounts

COMPLETE

Access to sensitive systems and applications requires two factor authentication in the form of user ID, password, OTP and/or certificate.

4 TESTS

MFA on infrastructure provider: Inspected all user accounts with access to company infrastructure and determined that each is configured with MFA.

MFA on infrastructure root account: Inspected the infrastructure root account and confirmed it is configured with MFA.

MFA on GSuite: Inspected all GSuite users and determined that each account is configured with MFA.

MFA on version control tool: Inspected all users of the company's version control tool and determined that each account is configured with MFA.

Password policy

COMPLETE

Kustomer has established formal guidelines for passwords to govern the management and use of authentication mechanisms.

3 TESTS

Internal password policy for employee accounts: Inspected the company's internal policy that governs the passwords employees set across services.

Password policy configured for infrastructure: Inspected the configuration of the infrastructure provider's identity and access management tool and determined that a password policy was applied to each user.

Password policy configured for infrastructure (Heroku): Inspected the configuration of the infrastructure provider's identity and access management tool and determined that a password policy was applied to each user.

System access granted

COMPLETE

Access to infrastructure and code review tools is granted to new employees within one week of their start date.

2 TESTS

Infrastructure accounts allocated within one week of request: Inspected logs from Kustomer's task tracker and determined employee access to infrastructure is granted within one week of the initial request.

GitHub accounts allocated within one week of request: Inspected logs from Kustomer's task tracker and determined employee access to the version control tool is granted within one week of the initial request.

Terminated employee access revoked within one business day

COMPLETE

Access to infrastructure and code review tools is removed from terminated employees within one business day.

2 TESTS

Infrastructure accounts removed when employees leave: Inspected logs from the infrastructure provider authorization system and determined employee access to infrastructure is removed within the specified SLA of authorization being rescinded.

Version control accounts removed when employees leave: Inspected company records and determined that terminated employees' accounts were removed from the version control tool within the specified SLA of the employee becoming unauthorized.

Unique accounts

COMPLETE

Access to corporate network, production machines, network devices, and support tools requires a unique ID.

11 TESTS

Employees have unique infrastructure accounts: Inspected the configuration for the company's infrastructure tool and confirmed that employees have unique accounts on the service.

Employees have unique email accounts: Inspected the configuration for the company's email tool and confirmed that employees have unique accounts on the service.

Employees have unique version control accounts: Inspected the configuration for the company's version control tool and confirmed that employees have unique accounts on the service.

Employees have unique chat accounts: Inspected the configuration for the company's chat tool and confirmed that employees have unique accounts on the service.

Root infrastructure account unused: Inspected the configuration for the company's infrastructure provider and confirmed that the root account is not actively used.

Groups manage employee accounts permissions: Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups.

Service accounts used: Inspected the configuration for the company's infrastructure provider and confirmed that every account is assigned a role.

Service accounts used (Heroku): Inspected the configuration for the company's infrastructure provider and confirmed that every account is assigned a role.

Old infrastructure accounts disabled: Inspected the configuration for the company's infrastructure provider and confirmed that all IAM users have been active in the past 90 days. Older IAM accounts are disabled.

No user account has a policy attached directly: Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups or roles, rather than to individual employee user accounts.

No user account has a policy attached directly (Heroku): Inspected the configuration for the company's infrastructure provider and confirmed that permissions are assigned to groups or roles, rather than to individual employee user accounts.

Unique SSH

COMPLETE

SSH users use unique accounts to access production machines. Furthermore, the `root` account is not used.

1 TEST

Employees have unique SSH keys: Inspected the configuration of Kustomer laptops and determined the company has an established key management process in place to support the organization’s use of unique SSH accounts.

V 5.2

Availability

2 CONTROLS

Customers informed of changes

COMPLETE

System changes that may affect security, availability, processing integrity, or confidentiality are communicated to customers and users who will be affected.

1 TEST

Company informs customers of changes that may affect availability and security of the system: Kustomer has provided a URL to their blog, status page, emails, newsletters, and/or support page that describes changes that may affect external user responsibilities.

Load balancer

COMPLETE

Load balancers are used to distribute traffic in a way that increases the reliability and availability of the system.

2 TESTS

Load balancer used: Inspected the company's infrastructure configuration and determined that the company uses load balancers.

Load balancer used (Heroku): Inspected the company's infrastructure configuration and determined that the company uses load balancers.

V 5.3

Backups

2 CONTROLS

Daily database backups

COMPLETE

Backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy.

1 TEST

Company has a Backup Policy: Inspected the Backup Policy and determined it specified how often backups should be made and for how long they should be kept.

Storage buckets are versioned

COMPLETE

Storage buckets that contain customer data are versioned.

1 TEST

Storage data versioned or retained (GCP): Inspected the storage bucket configuration and determined that all buckets containing customer data are versioned.

V 5.4

Logging

4 CONTROLS

CloudTrail enabled

COMPLETE

Management has implemented tools to log application state into a system that allows monitoring and ad hoc queries.

2 TESTS

CloudTrail enabled: Inspected network configuration and determined that a service to track user activity and API use across AWS is enabled.

User activity and API use is tracked (Heroku): Inspected network configuration and determined that a service to track user activity and API use across Heroku is enabled.

Logs centrally stored

COMPLETE

The company uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.

1 TEST

S3 server access logs enabled: Inspected the storage bucket configuration and determined that server access logging is enabled for at least one bucket.

Logs retained for 12 months

COMPLETE

Logging software retains log entries for at least 12 months.

2 TESTS

Logs retained for 365 days: Inspected the configuration of the log aggregation tool and determined that it was set to retain logs for at least 365 days.

Heroku logs archived for 365 days: Inspected the Heroku configuration and determined that apps had either a logging addon that stored logs for at least 365 days or a custom log drain.

VPC Flow Logs enabled

COMPLETE

Management has implemented tools to log network traffic into a system that allows monitoring and ad hoc queries.

1 TEST

VPC Flow Logs enabled: Inspected network configuration and determined that VPC Flow Logs, which capture information about IP traffic going to and from network interfaces in the VPC, are turned on.

V 5.5

Monitoring

4 CONTROLS

Load balancers monitored and alarmed

COMPLETE

Management has implemented tools to monitor Kustomer load balancers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

3 TESTS

Load balancer server errors monitored: Inspected the load balancer monitoring configuration and determined that the server error count is monitored, with alerts to appropriate personnel at certain thresholds.

Load balancer unhealthy host count monitored: Inspected the load balancer monitoring configuration and determined that the healthy host count is monitored, with alerts to appropriate personnel at certain thresholds.

Load balancer latency monitored: Inspected the load balancer monitoring configuration and determined that latency is monitored, with alerts to appropriate personnel at certain thresholds.

Message queues monitored and alarmed

COMPLETE

Management has implemented tools to monitor Kustomer messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

1 TEST

Messaging queue message age monitored: Inspected the messaging queue monitoring configuration and determined that message age is monitored, with alerts to appropriate personnel at certain thresholds.

NoSQL database monitored and alarmed

COMPLETE

Management has implemented tools to monitor Kustomer NoSQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

2 TESTS

NoSQL database read capacity monitored: Inspected the NoSQL database monitoring configuration and determined that read capacity is monitored, with alerts to appropriate personnel at certain thresholds.

NoSQL database write capacity monitored: Inspected the NoSQL database monitoring configuration and determined that write capacity is monitored, with alerts to appropriate personnel at certain thresholds.

Servers monitored and alarmed

COMPLETE

Management has implemented tools to monitor Kustomer servers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

1 TEST

Server CPU monitored: Inspected the server monitoring configuration and determined that server CPU use is monitored, with alerts to appropriate personnel at certain thresholds.

V 5.6

Network

2 CONTROLS

Firewalls

COMPLETE

Management uses configurations that ensure only approved networking ports and protocols are implemented, including firewalls.

6 TESTS

Unwanted traffic filtered: Inspected the router configuration and determined that access control lists were used to filter unwanted network traffic.

Unwanted traffic filtered (Heroku): Inspected the router configuration and determined that access control lists were used to filter unwanted network traffic.

Firewall default disallows traffic: Inspected the firewall configuration files for each perimeter device type and determined that they were configured to deny all traffic that is not explicitly allowed.

Firewall default disallows traffic (Heroku): Inspected the firewall configuration files for each perimeter device type and determined that they were configured to deny all traffic that is not explicitly allowed.

Public SSH denied: Inspected the firewall configuration files for each service instance and determined that they were configured to deny public traffic for administrative services like SSH.

Public SSH denied (Heroku): Inspected the firewall configuration files for each service instance and determined that they were configured to deny public traffic for administrative services like SSH.

VPN required for production access

COMPLETE

Users can only access the production system remotely through the use of encrypted communication systems.

1 TEST

Corporate resources protected by VPN: Inspected deployment configuration files and determined that corporate resources are protected with a VPN or other strong network-protection mechanism.

V 5.7

Protecting secrets

1 CONTROL

Credential keys managed

COMPLETE

Kustomer has an established key management process in place to support the organization’s use of cryptographic techniques.

1 TEST

Security policies cover encryption: Inspected Kustomer's security policies and determined they explain the procedures for encrypting sensitive data.

V 6.0

Physical security

V 6.1

Data center security

1 CONTROL

Physical security

COMPLETE

Kustomer has security policies that have been approved by management and detail how physical security for the company's headquarters is maintained. These policies are accessible to all employees and contractors.

1 TEST

Company has a Physical Security Policy: Inspected Kustomer's physical security policy and determined that it outlines policies for access to the company's physical office.

Appendix A: Definitions

Bug bounty program: A crowdsourcing initiative that rewards individuals for discovering and reporting software bugs, especially those that could cause security vulnerabilities or breaches.

DDoS: Distributed denial of service. A DDoS attack is an attack in which multiple compromised computer systems flood a target—such as a server, website, or other network resource—with messages or requests to cause a denial of service for users of the targeted resource.

Multifactor authentication (MFA): A security system that requires multiple methods of authentication using different types of credentials to verify users’ identities before they can access a service.

Penetration test: The practice of testing a computer system, network, or web application to find vulnerabilities that an attacker might exploit.

Principle of least privilege: The principle of giving a user or account only the privileges that are required to perform a job or necessary function.

Protected data: Data that is protected from public view or use; includes personally identifiable information, sensitive data, HIPAA data, or financial data.

Sensitive data: Any information a reasonable person considers private or would choose not to share with the public.

SSH: Secure shell. A cryptographic network protocol for operating network services securely over an unsecured network.

SSL: Secure sockets layer. The standard security technology for establishing an encrypted link between a web server and a browser.

Appendix B: Document history

Vanta continuously monitors the company’s security and IT infrastructure to ensure the company complies with industry-standard security standards. Vanta tests the company’s security posture continuously, and this report is automatically updated to reflect the latest findings.

About Vanta

Vanta provides a set of security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts.

Vanta is based in San Francisco, California and was founded by engineers from Apple and Dropbox.