Kustomer Security

At Kustomer, we believe trust from our customers is paramount. We recognize the importance of providing a top performing application that is continuously available, while protecting your data and keeping it private. Our security consists of layers of protection, starting with team policies and procedures, and incorporates continuous monitoring and automation built into our software development cycle. Our commitment to security extends to our partners and trained third-party security professionals who provide guidance, ensure compliance, and validate security across all areas of the organization.


Data Center and Network Security Protocols

The Kustomer platform runs on AWS in their fully certified data centers and applies security controls and system checks to keep your data safe.

Software Development Security Protocols

Through regular code reviews and third-party penetration testing and monitoring, Kustomer ensures the platform is secure at the code level and throughout the software development lifecycle.

Platform Security Features

Customers have complete control over their Kustomer platform instance, ensuring only credentialed users have access, and can manage user permissions granularly within the app.

Internal Operations Security Controls

Kustomer applies best practices and controls to reduce social engineering threats and improve the security and awareness of Kustomer employees.

Compliance and Certifications

Kustomer maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations.

Data Center and Network Security Protocols

Protection: Our network is protected through the use and integration of key AWS security services and other network intelligence technologies that monitor and block malicious traffic and network attacks. Regular third-party audits and penetration tests ensure the effectiveness of our data center and network security protection protocols.
Hosting: The Kustomer platform is fully hosted within Amazon AWS data centers that offer a comprehensive set of security capabilities, have been certified to ISO 27001 and PCI DSS Service Provider Level 1, and maintain SOC 2 compliance.
Architecture: Our network security architecture consists of multiple security zones. We apply additional security monitoring and access controls depending on the zone. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk.
Virtual Private Cloud (VPC): All services are hosted within a VPC, exposing only the limited hosts and port mappings required for the public API and internal access.
Firewall: The Kustomer platform’s external endpoints are each protected by an AWS Web Application Firewall (WAF), which protects the platform from common web exploits that could affect availability and security.
Monitoring: All production network systems and networked devices are constantly monitored by Kustomer. Physical security, power, and internet connectivity are monitored by AWS.
Intrusion Detection and Protection: Service ingress and egress points are instrumented and monitored to detect anomalous behavior. Monitored 24/7, these systems are configured to generate alerts when incidents occur or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats.
Penetration Tests: Kustomer partners with third-party vendors to conduct frequent penetration tests on Kustomer’s network, systems, services, and employees.
Network Vulnerability Scanning: Kustomer regularly conducts network scanning for quick identification of out-of-compliance or potentially vulnerable systems.
DDoS Protection: Kustomer has architected a multi-layer approach to DDoS mitigation. In addition to other technologies and controls, this approach includes the use of specific AWS DDoS services (e.g., AWS WAF, AWS Shield, Amazon GuardDuty) and other AWS tools that provide even deeper protection against attacks.
Encryption in Transit: To protect data in transit, we use encryption protocols such as Transport Layer Security (TLS) for all transport of data. This ensures that if hosts are compromised, attackers cannot glean information by eavesdropping on network communications. We use certificates to protect communications from interception and misuse, and we automate certificate expiration and renewal to ensure proper key rotation.
Encryption at Rest: All data, including backup data, is stored encrypted at the volume, disk, or data-store level.


Software Development Security Protocols

Quality Assurance (QA): Our QA department reviews and tests our code base to ensure it is secure and stable. Dedicated application security engineers on staff also identify, test, and triage security vulnerabilities in the code.
Penetration Testing: In addition to our extensive internal scanning and testing program, Kustomer employs a third-party security consultancy to conduct biannual penetration tests on our core web application.
Vulnerability Scanning: We employ a third-party security consultancy to continuously scan our core applications against the Open Web Application Security Project (OWASP) Top 10 security risks. Our dedicated product security team tests and works with our engineering teams to remediate any discovered issues.
Separate Environments: Testing and staging environments are logically separated from the production environment. No client data is used in the development or test environments.


Platform Security Features

Authentication: We support SSO through the use of OAuth (Google) or SAML identity providers.
Single Sign-On (SSO): SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Kustomer platform instance. The Kustomer application supports JSON Web Token (JWT), Security Assertion Markup Language (SAML), and Open Authorization (OAuth) through Google.
Secure Credential Storage: All credentials are stored using the SHA-256 hashing algorithm with user-specific salts. API tokens, which are JWTs, are validated at runtime and not stored in the system.
Password Policy: The Kustomer application provides three levels of password security (low, medium, and high), as well as the ability to set custom password rules for agents and admins. Only admins can change the password security level. Kustomer also allows different password security levels to apply to agents, admins, and collaborators.
Role-Based Access Controls: Access to Kustomer platform data is governed by Role-Based Access Control (RBAC), which can be configured to define granular access privileges.
Transmission Security: All communications with Kustomer’s UI and APIs are encrypted using TLS encryption protocols.
Filtering: Kustomer Chat can be configured to only allow access from specific domains that you define.


Internal Operations Security Controls

Security Training: Kustomer has a third-party security consultancy that provides all employees with security awareness training on their first day, prior to being given network access. Additionally, employee security trainings are conducted on a biannual basis and include secure code training covering OWASP Top 10 security risks, common attack vectors, security controls, and HIPAA compliance.
Information Security Policies: All Kustomer employees must read and acknowledge the information security policies prior to being given network access on their first day. Kustomer information security policies are reviewed and updated on a biannual basis.
Security Incident Response: Kustomer has a documented incident response plan for all urgent issues that impact the production system. Additionally, Kustomer has a 24/7 Security Incident Response Team (SIRT) that specializes in handling security incidents properly within the organization, from containment to notification of impacted users within a specific timeframe.
Mobile Device Management (MDM): Kustomer requires all employees to deploy an MDM solution across all of their endpoints, including laptops, tablets, and phones, to protect against social engineering attacks as well as lost or stolen devices.
Endpoint Monitoring: Through a customized set of security monitoring solutions, all Kustomer employee endpoints are monitored 24/7 by our security team for any malicious activity.
Office Security: We comply with SOC 2 requirements by implementing guest management and physical access controls within our offices. We have logging and recording in place to implement and comply with the requirements set by the AICPA. We also use systems that log and monitor access to our facilities. Every employee is required to badge in to gain access to our offices.


Compliance and Certifications

SOC 2: Kustomer has achieved SOC 2 Type I compliance in accordance with the AICPA Trust Services Principles and Criteria for System and Organization Controls, and we are actively pursuing SOC 2 Type II compliance. Our complete SOC 2 Type I audit report is available to customers and prospects under NDA by emailing trust@kustomer.com.
EU-US and Swiss-US Privacy Shield: TrustArc has reviewed and certified that our policies and procedures comply with EU-US and Swiss-US Privacy Shield requirements, and our certifications can be viewed on the Privacy Shield list.
GDPR: TrustArc has approved our EU-US and Swiss-US Privacy Shield certifications, including our compliance with GDPR regulations. Learn more about our GDPR compliance here.
PCI Level 1: Kustomer uses a certified PCI Level 1 Service Provider, Stripe, for its billing system. Additionally, Kustomer directly integrates with Stripe using its recommended strategy for PCI compliance, which ensures all pages are served through TLS and no credit card data is routed through Kustomer’s infrastructure.
HIPAA: Kustomer helps customers fulfill their HIPAA obligations by providing covered entities and business associates with appropriate security configuration options to safeguard protected health information (PHI). Our Business Associate Agreement (BAA) is available to customers upon request, in alignment with HIPAA standards. Learn more about Kustomer’s HIPAA compliance here.
Kustomer Privacy Policy: Review the Kustomer privacy policy here.