Important information

Information Security

Kyloe is committed to protecting the information we handle about individuals, our clients and other companies we work or otherwise interact with. We have embedded measures at every stage of our product and service delivery to protect information against unauthorised processing, accidental loss, destruction, damage, alteration or disclosure, and keep security at the forefront of how we work.

Kyloe is SOC 2 certified. SOC 2 is a voluntary compliance standard for service organisations, developed by the American Institute of CPAs (AICPA), which specifies how organisations should manage customer data. This certification demonstrates that we maintain a high level of information security, handle sensitive information responsibly, and are better able to defend ourselves against cyber attacks and breaches.

Kyloe is Cyber Essentials certified (certificate ID: 7ab14365-df28-4230-848a-baa7d42c3f2d). With this certification, you can be assured that we have the necessary controls in place to protect our data and systems from cyber threats. The Cyber Essentials scheme is a UK government-backed initiative that assesses an organisation's ability to protect itself against the most common cyber attacks.

Kyloe is registered with the UK Information Commissioner's Office under registration number ZA204317.

Our products

Our products are hosted in the cloud on Amazon Web Services (AWS), an industry-leading platform.

Our products process information rather than storing it. The one exception is Kyloe DataTools, which stores an encrypted (hashed) partial copy of certain data, based on customer input.

They are hosted in locations which vary depending on the location of the client's source data, as shown in this table:

Product               Customer ATS data location   Kyloe data processing location
Kyloe AwesomeDocs     North America                North America
                      UK, Europe                   Ireland
                      Asia-PAC                     Singapore
Kyloe DataTools       All                          Ireland
Kyloe Workflow        North America                North America
                      UK, Europe                   Ireland
                      Asia-PAC                     Singapore
Kyloe Client Portal   All                          Ireland

Kyloe's Services
When we deliver integration and consultancy services, we may process personal data about individuals – this would usually be information a client wants to transfer from a legacy database to a new database. We only process personal data to deliver the services we have agreed with our clients, and we have a deletion policy so we don’t keep personal data for longer than it is needed to deliver our Services.

Where is the information processed?
We use third-party providers to help us with our service delivery. They operate in the cloud and have industry-leading security controls and certifications. Any personal data we process is hosted in the most suitable location based on the geography of the client and the origin of the source data.

We are a global company, which means there may be some circumstances in which personal data is transferred to a different country as part of our service delivery. Any data transferred outside of the EU will be transferred in accordance with GDPR. Similarly, any data transferred from one country to another will be transferred in accordance with the applicable data protection laws of the originating country.

If you have specific questions about the processing of your company's information, please ask us.

Our commitments when we handle personal data

  • We don’t keep personal data for longer than we need to
  • Access to personal data is on an ‘as-needed’ basis only
  • We have strict confidentiality provisions in our employment contracts and Agreements we have with clients and service suppliers
  • We only process client data (including personal data) to deliver our commitments under signed Agreements we have with clients
  • We limit access to our systems (both internal and client) to the relevant people who need to deliver on our commitments to our clients
  • We follow industry guidance on the retention and deletion of data
  • We never share personal data with third parties for their own unrelated purposes

The security measures we have in place

  • We subscribe to identity management software so we can appropriately secure, restrict, manage and audit access to our internal and client systems
  • We use multi factor authentication and strong passwords on our internal systems
  • We secure our desktop infrastructure behind firewalls, protect it with anti-virus software (which is automatically updated), and encrypt our hard drives with Windows 10 Professional BitLocker
  • We operate a closed network, meaning there is no direct inbound internet connection to any Kyloe computer
  • We conduct an annual penetration test of our products with an accredited provider to test for vulnerabilities. Identified issues are addressed promptly
  • We control wireless access points with WPA2 security and strong passwords
  • We install remote monitoring and management software on all Kyloe computers
  • We use industry-leading cloud service providers (data centres), accredited with industry-leading certifications on availability and security, to host and protect the data we handle
  • We use cloud service providers for our internal management of information. They are secured with enterprise-grade systems, with audit logging of access, restricted user accounts and data back-up
  • We deliver data security and risk awareness training to all Kyloe employees
  • We keep all Kyloe employees up to date with changes in security standards and legal requirements
  • We operate a ‘shut down’ process for leavers
  • We share information securely

What we expect of our clients

We ask all of our clients to let us know if they have specific security requests. We also rely on our clients meeting certain obligations. We expect them to:
  • Remember that Kyloe is the data processor (as defined by GDPR) of any personal data provided to us in our role as service provider. The client is the data controller
  • Know that the client is the data controller of any information (including personal information) uploaded to a Kyloe product, or passed to Kyloe for any other reason (including a data migration), and is responsible for its accuracy.
  • Make sure their own internal security measures are appropriate and meet their legal obligations on the protection of personal information
  • Obtain the necessary consents or waivers from the relevant persons so that Kyloe can deliver any agreed services in accordance with the law
  • Comply with all applicable laws when using Kyloe’s services and products

Information requests

We handle access requests in accordance with the law applicable to the request.


Reporting a data breach
 
In the event of a data breach, Kyloe will follow the data breach reporting process and inform the regulator or governing body when we are required to do so.

Kyloe has a robust Business Continuity Plan in place that allows us to mitigate and respond quickly to potential risks.


Questions?

If you have any questions, or would like to know more about our security, please ask us. Your Kyloe contact will be happy to assist.

Responsible Disclosure

We recognise the value of the responsible disclosure of vulnerabilities found in our products. Our Responsible Disclosure Policy is available to view here, and outlines our position and the submission process that should be followed. If you wish to disclose a vulnerability, please send the details to security@kyloepartners.com.