Information Security Policies and Procedures

This Exhibit sets forth Kenna’s data protection and information security practices for Customer data that is provided to and hosted by Kenna and/or its third-party providers. The obligations set out in this Exhibit are in addition to, and shall not limit, any of Kenna’s obligations contained in the Agreement.

  1. Information Security Governance
    1. Kenna will assign clear accountability for information security and provide a designated contact in charge of information security to Customer upon request. The accountable individual will be responsible for (i) answering and addressing all security-related questions from Customer, (ii) ensuring that the security aspects of the services provided to Customer are managed in accordance with the terms of the Agreement and (iii) managing the third-party providers’ activities involved in a potential data/security breach. All Kenna employees shall be cleared through security screening and a lawful background check that includes criminal convictions. All Kenna employees shall participate in security training on an annual basis.
    2. Kenna shall comply with the security principles of ISO27002.
    3. Kenna shall annually perform external assessments of conformance to its own security policies, procedures and availability of control metrics. Kenna may provide documentation on performed internal assessments to Customer upon request including without limitation SOC 2 Type II report (security principle).
    4. Kenna shall have a documented disaster recovery (“DR”) plan that will be provided to Customer upon request. The DR plan should specify how often the plan is reviewed and tested and how testing is conducted (informal vs. formal/tabletop vs. full exercise). DR plans shall outline the jurisdiction(s) in which Kenna maintains DR facilities and where Customer data may be stored during a DR situation.
    5. Subject to and without limiting Kenna’s contractual obligations to perform the services in accordance with applicable specifications, services and service levels or similar obligations, Customer must be informed if Kenna conducts DR exercises that may affect Customer data or operations or if Kenna declares a DR situation.
    6. Kenna will ensure that appropriate user awareness procedures are implemented. Where the use of mobile code is authorized, the configuration must ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code is prevented from executing and adversely affecting the confidentiality, integrity or availability of Customer data and services.
  2. Compliance and Audit
    1. Upon notice to Kenna and as mutually agreed, Customer or an affiliate or third party acting on its behalf, may request information on Kenna’s security practices annually in a manner that is not disruptive to Kenna operations to satisfy its assurance requirements.
    2. At Customer’s request, Kenna will submit to third-party security reviews that satisfy the professional requirements of the audit, performed by a recognized independent audit organization against a standard such as ISO 27002:2013, SOC 2 Type II (security principle), or a substantially equivalent framework. Such reviews must describe the controls in place at Kenna and certify that the controls have been tested using recognized sampling and testing criteria.
  3. Security and Data Privacy
    1. Kenna will retain all of the data collected and/or received from Customer (or its affiliates or their respective customers) for the term of the Agreement or as otherwise specified in the Agreement, and will respect the intellectual property ownership contained within the data provided, collected, disclosed and/or retained by or on behalf of Customer and/or its affiliates and their respective customers.
    2. Kenna will take appropriate technical, procedural and administrative measures to protect against accidental or unlawful loss, alteration, disclosure and/or access to Customer data.
    3. All Kenna operating systems are hardened to prevent cross-contamination with other environments. Kenna has implemented the following minimum controls:
      1. Hardened Linux images
      2. Data at rest encrypted using AES-256
      3. All user passwords stored as one-way salted hashes
      4. Centralized logging and alerting
      5. All network traffic encrypted via TLS and SSH
      6. All application traffic carried over TLS
      7. Three-tiered architecture, compartmentalized and firewalled
      8. Patching of all critical vulnerabilities within 3 business days
      9. Intrusion detection and prevention
      10. Continual vulnerability scanning
      11. Separate production and development environments
    4. Kenna will annually conduct third-party penetration testing against the Services, including evidence of data isolation among tenants in any multi-tenant services if relevant. Upon request, Kenna will provide Customer with a summary report of the results of such penetration testing.
    5. Kenna shall ensure that the security of Customer information made available on a publicly available system (e.g., Internet) is protected to prevent unauthorized access or modification. Kenna will ensure that encryption keys used to protect Customer data and communications related to Customer are securely protected against unauthorized access, separation of duties exists, and the keys are recoverable. Key backup and recoverability must be established and tested to ensure continued access to data keys.
    6. Kenna will ensure that security perimeters (barriers such as walls, card controlled entry gates or staffed reception desks) are used to protect areas that contain Customer data, information and information processing facilities.
  4. Service Delivery and Incident Management
    1. Kenna acknowledges that security incidents affecting others in a virtualized environment may affect Customer, and Kenna shall inform Customer of other security incidents while respecting others’ privacy.
    2. Kenna will notify designated Customer personnel within forty-eight (48) hours if a data breach affecting Customer data is confirmed, including what level of cooperation is expected during an investigation.
    3. Kenna will take all appropriate steps to mitigate harm resulting from a data breach or other security incident.

© 2022 Kenna Security. All Rights Reserved.