Articles on: Security, Privacy and Compliance

Security & Compliance

Security and compliance are foundational to Kultify's commitment to provide a safe and reliable experience for our customers. We prioritize data security, system reliability, and privacy in everything we do.


Kultify employs industry-standard practices and tools to protect against unauthorized data access, mitigate risks, and ensure business continuity. Our employee training programs reinforce security awareness, while our defined processes ensure data handling compliance with GDPR and other applicable regulations.


Security oversight is directed by Kultify's Chief Technology Officer, Jan Kühnlein, with strong support from cross-functional teams.


Infrastructure and Network Security


Physical Access Control

Kultify's systems and infrastructure are hosted securely within data centers that maintain industry-leading security measures. While Kultify does not directly manage its physical hosting environment, we rely on rigorously vetted EU-based vendors that adhere to stringent security certifications such as ISO 27001 and SOC 2 compliance.


Logical Access Control

Access to Kultify systems is tightly controlled. Employees gain access to infrastructure only through secure methods, including single sign-on (SSO) and two-factor authentication (2FA). Access is granted on a need-to-know basis and regularly reviewed.


Network Security

Kultify's network infrastructure is protected by enterprise-grade stateful firewalls that monitor and control traffic based on predetermined security rules. Only explicitly authorized services and ports are permitted through the firewall. Direct internet access to internal networks is prohibited, and all remote access requires pre-approval and secure VPN connections.


Wireless Network Security

All wireless networks within Kultify's operational environments implement WPA3 encryption with strong authentication mechanisms. Wireless access follows BSI (Bundesamt für Sicherheit in der Informationstechnik) recommendations and requires individual user authentication with rotating certificates.


Penetration Testing

Automated penetration tests and scanning tools, such as those provided by ProjectDiscovery Inc., are regularly utilized to identify and mitigate infrastructure vulnerabilities.


Intrusion Detection and Prevention

Kultify employs robust monitoring solutions to spot suspicious patterns in our systems. Automated alarms notify engineering teams in real time to allow rapid investigation and response.


Business Continuity and Disaster Recovery


High Availability

To ensure availability, Kultify leverages redundant systems and resources to minimize service impact in the event of hardware or software failure. Regular maintenance ensures seamless functionality even during updates.


Backups

Backups of all production systems are encrypted and securely stored offsite in at least two geographically distinct locations. These backups are created daily to ensure comprehensive data protection.


Disaster Recovery

Kultify maintains documented disaster recovery plans that prioritize systems with a recovery time objective (RTO) of less than 48 hours. This includes the ability to restore systems from backups quickly and reconfigure affected applications.


Data Flow


Data In

Data processing is aligned with GDPR standards and restricted to necessary information transmitted securely via TLS-encrypted channels. Additionally, Kultify encourages customers to follow security best practices, such as using data scrubbing to remove sensitive information where possible.


Data Transit

All data flowing between our services is encrypted using industry-standard protocols. These include AES-256 bit encryption for data at rest and TLS for data in transit.


Data Out

Kultify restricts data access to authorized personnel and provides customers with straightforward integration options with third-party tools to facilitate secure workflows. Access is carefully monitored for compliance.


Data Security and Privacy


Data Classification and Handling

Kultify maintains a comprehensive data classification system that categorizes information based on sensitivity levels. All data is treated as confidential by default unless explicitly marked as public. Employees receive clear guidelines on appropriate handling procedures for each classification level, including specific protocols for transmission, storage, and disposal.


Data Encryption

Customer data is encrypted at all stages: in transit using TLS, and at rest using AES-256 bit encryption. Only dedicated and secured storage solutions are used for data handling.


Data Retention

Kultify retains customer data only as long as necessary for service delivery or according to agreed schedules. Specific data removal requests are honored promptly.


Secure Data Disposal

When IT equipment containing sensitive data requires repair or disposal, Kultify ensures complete data sanitization through cryptographic erasure and physical destruction methods. All storage media undergoes secure wiping procedures before equipment leaves our control.


Access Control

Access to customer production data is limited exclusively to Kultify's internal development team. Administrative actions require dual authorization (4-eyes principle) to ensure accountability and security.


Compliance with GDPR

Kultify adheres to GDPR and other applicable data protection laws. Formal Data Processing Agreements (DPAs) are in place with all third-party vendors.


Application Security


Secure Application Development

Kultify follows industry best practices for application security, including:

  • Regular automated static application security testing (SAST).
  • Software Composition Analysis (SCA) to detect vulnerabilities in third-party code.
  • Version control systems to ensure code integrity during development.


Multi-Factor Authentication

Access to both Kultify systems and third-party integrations is protected by 2FA. This adds an extra layer of security for all accounts and prevents unauthorized login attempts.


Malware Protection

All endpoints and servers are equipped with enterprise-grade antivirus solutions that provide real-time scanning (on-access) and cannot be disabled by users. Virus definitions are updated automatically and maintained current at all times.


Email Security

Kultify safeguards its email communications through industry-standard measures to protect against spoofing, phishing, and other malicious email threats. We implement Sender Policy Framework (SPF) records and Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF ensures that only authorized servers can send emails on behalf of our domain, while DMARC provides authentication and reporting mechanisms to prevent email spoofing and unauthorized email use. These practices significantly reduce the risk of phishing attacks and ensure that our customers can trust emails originating from Kultify.


Audit Controls

We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All enterprise customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed. (Coming soon)


Membership within Kultify is handled at the organization level. The system is designed so each user has a singular account that can be reused across multiple organizations (even those using SSO)

Access to organizations is dictated by role:


  • Admin
  • User


Corporate Security


Workforce Identity and Management

Kultify employs a single sign-on (SSO) platform for centralized user authentication and authorization management. Role-based access control (RBAC) ensures users only access resources pertinent to their roles. Access privileges are reviewed regularly.


Employee Security Requirements


Confidentiality Agreements

All Kultify employees sign comprehensive confidentiality agreements as part of their employment contracts. These agreements cover data protection, intellectual property protection, and information security obligations that extend beyond employment termination. Employees are specifically trained on GDPR requirements and customer data handling procedures.


Security Training and Awareness

Kultify cultivates a strong culture of security awareness by providing ongoing training for employees. Topics covered include:

  • Use of password managers to generate and store secure passwords.
  • Guidelines for handling customer and personally identifiable information (PII).
  • Best practices for locking workstations and securing devices.
  • Regular security awareness updates and phishing simulation exercises.


Secure Workplace Practices

All employees are required to follow secure workplace protocols including:

  • Automatic session logout after periods of inactivity
  • Mandatory screen locking when leaving workstations unattended
  • Immediate removal of confidential documents from printers and peripheral devices
  • Clean desk policy for sensitive information


Employee Offboarding

When employees leave Kultify, comprehensive offboarding procedures ensure immediate revocation of all system access, return of company devices, and confirmation of continued confidentiality obligations. Physical access cards and credentials are deactivated within 24 hours of termination.


IT Security Policies


Device and Asset Management

All company devices are configured with:

  • Full-disk encryption using industry-standard algorithms
  • Automatic security updates and patch management
  • Prohibition of personal software installation without approval
  • Boot security measures preventing unauthorized operating system access


Acceptable Use Policy

Company IT resources are designated for business use only. Personal use of company devices and systems is strictly prohibited. Employees may not connect personal devices to corporate networks or use personal cloud services for business data.


Password and Authentication Policy

Kultify enforces strong password requirements including:

  • Mandatory use of approved password managers
  • Multi-factor authentication for all critical system access


Endpoint Security

All employee devices are configured using secure-by-default measures, including full-disk encryption and the enforcement of system updates.


Security Policies

Kultify maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Kultify enterprise customers upon request:


  • Access
  • Change Management
  • Data Request
  • Data Management
  • Information Security
  • Incident Response
  • Policy Management and Maintenance
  • Risk Management
  • Vendor Management
  • Vulnerability Management


Vulnerability Disclosure and Management


Risk Assessment

Kultify employs regular risk assessments to identify vulnerabilities that may affect our systems or data. Each risk is managed according to its severity through prioritized mitigation strategies.


Regular Audits

Kultify conducts ongoing internal reviews of infrastructure, code dependencies, and software to ensure compliance with evolving security standards.

  • Quarterly: Comprehensive evaluations of infrastructure and software.
  • Monthly: Targeted reviews for critical updates and vulnerabilities.


Security Update Management

Critical security updates for operating systems, applications, and communication software are applied immediately upon release. All internet-facing systems and firewalls are maintained with current security patches. A documented change management process ensures updates are tested and deployed systematically.


Other Key Policies and Resources


Vendor Risk Management

Kultify carefully evaluates third-party vendors for compliance with security requirements. Vendor selection is limited to EU-based providers where possible and subject to strict guidelines, including mandatory DPAs and activated 2FA.


Incident Response Planning

Kultify has a thorough incident response plan. Security incidents are tracked and managed via iLert, with post-mortem reviews conducted for continuous improvement. Our incident response team can be reached through our primary security contact.


Continuous Monitoring

All critical infrastructure is monitored in real time using tools integrated with OpenTelemetry. Alerts ensure immediate response to anomalies.


Patch Management

All software, operating systems, and code dependencies are regularly updated to patch known vulnerabilities. Employees are encouraged to install updates promptly, and developers follow rigorous procedures for dependency updates.


Compliance Certifications

Kultify complies with GDPR and enforces secure practices internally and across our vendor network. While we do not currently hold formal certifications like SOC 2 or ISO 27001, our processes align with their core principles, and we continue to evaluate opportunities for certification.


Security Reporting

We encourage responsible disclosure of any security vulnerabilities. Please contact us at security@kultify.com with details and proof of concept.


Last Updated: July 2025

Updated on: 26/07/2025

Was this article helpful?

Share your feedback

Cancel

Thank you!