Security & Compliance
Security and compliance are foundational to Kultify's commitment to provide a safe and reliable experience for our customers. We prioritize data security, system reliability, and privacy in everything we do.
Kultify employs industry-standard practices and tools to protect against unauthorized data access, mitigate risks, and ensure business continuity. Our employee training programs reinforce security awareness, while our defined processes ensure data handling compliance with GDPR and other applicable regulations.
Security oversight is directed by Kultify’s Chief Technology Officer, Jan Kühnlein, with strong support from cross-functional teams.
Kultify’s systems and infrastructure are hosted securely within data centers that maintain industry-leading security measures. While Kultify does not directly manage its physical hosting environment, we rely on rigorously vetted EU-based vendors that adhere to stringent security certifications such as ISO 27001 and SOC 2 compliance.
Access to Kultify systems is tightly controlled. Employees gain access to infrastructure only through secure methods, including single sign-on (SSO) and two-factor authentication (2FA). Access is granted on a need-to-know basis and regularly reviewed.
Automated penetration tests and scanning tools, such as those provided by ProjectDiscovery Inc., are regularly utilized to identify and mitigate infrastructure vulnerabilities.
Kultify employs robust monitoring solutions to spot suspicious patterns in our systems. Automated alarms notify engineering teams in real time to allow rapid investigation and response.
To ensure availability, Kultify leverages redundant systems and resources to minimize service impact in the event of hardware or software failure. Regular maintenance ensures seamless functionality even during updates.
Backups of all production systems are encrypted and securely stored offsite in at least two geographically distinct locations. These backups are created daily to ensure comprehensive data protection.
Kultify maintains documented disaster recovery plans that prioritize systems with a recovery time objective (RTO) of less than 48 hours. This includes the ability to restore systems from backups quickly and reconfigure affected applications.
Data processing is aligned with GDPR standards and restricted to necessary information transmitted securely via TLS-encrypted channels. Additionally, Kultify encourages customers to follow security best practices, such as using data scrubbing to remove sensitive information where possible.
All data flowing between our services is encrypted using industry-standard protocols. These include AES-256 bit encryption for data at rest and TLS for data in transit.
Kultify restricts data access to authorized personnel and provides customers with straightforward integration options with third-party tools to facilitate secure workflows. Access is carefully monitored for compliance.
Customer data is encrypted at all stages: in transit using TLS, and at rest using AES-256 bit encryption. Only dedicated and secured storage solutions are used for data handling.
Kultify retains customer data only as long as necessary for service delivery or according to agreed schedules. Specific data removal requests are honored promptly.
Access to customer production data is limited exclusively to Kultify's internal development team. Administrative actions require dual authorization (4-eyes principle) to ensure accountability and security.
Kultify adheres to GDPR and other applicable data protection laws. Formal Data Processing Agreements (DPAs) are in place with all third-party vendors.
Kultify follows industry best practices for application security, including:
Regular automated static application security testing (SAST).
Software Composition Analysis (SCA) to detect vulnerabilities in third-party code.
Version control systems to ensure code integrity during development.
Access to both Kultify systems and third-party integrations is protected by 2FA. This adds an extra layer of security for all accounts and prevents unauthorized login attempts.
Kultify safeguards its email communications through industry-standard measures to protect against spoofing, phishing, and other malicious email threats. We implement Sender Policy Framework (SPF) records and Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF ensures that only authorized servers can send emails on behalf of our domain, while DMARC provides authentication and reporting mechanisms to prevent email spoofing and unauthorized email use. These practices significantly reduce the risk of phishing attacks and ensure that our customers can trust emails originating from Kultify.
We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All enterprise customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed. (Coming soon)
Membership within Kultify is handled at the organization level. The system is designed so each user has a singular account that can be reused across multiple organizations (even those using SSO)
Access to organizations is dictated by role:
Admin
User
Kultify employs a single sign-on (SSO) platform for centralized user authentication and authorization management. Role-based access control (RBAC) ensures users only access resources pertinent to their roles. Access privileges are reviewed regularly.
Kultify cultivates a strong culture of security awareness by providing ongoing training for employees. Topics covered include:
Use of password managers to generate and store secure passwords.
Guidelines for handling customer and personally identifiable information (PII).
Best practices for locking workstations and securing devices.
All employee devices are configured using secure-by-default measures, including full-disk encryption and the enforcement of system updates.
Kultify maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Kultify enterprise customers upon request:
Access
Change Management
Data Request
Data Management
Information Security
Incident Response
Policy Management and Maintenance
Risk Management
Vendor Management
Vulnerability Management
Kultify employs regular risk assessments to identify vulnerabilities that may affect our systems or data. Each risk is managed according to its severity through prioritized mitigation strategies.
Kultify conducts ongoing internal reviews of infrastructure, code dependencies, and software to ensure compliance with evolving security standards.
Quarterly: Comprehensive evaluations of infrastructure and software.
Monthly: Targeted reviews for critical updates and vulnerabilities.
Kultify carefully evaluates third-party vendors for compliance with security requirements. Vendor selection is limited to EU-based providers where possible and subject to strict guidelines, including mandatory DPAs and activated 2FA.
Kultify has a thorough incident response plan. Security incidents are tracked and managed via iLert, with post-mortem reviews conducted for continuous improvement.
All critical infrastructure is monitored in real time using tools integrated with OpenTelemetry. Alerts ensure immediate response to anomalies.
All software, operating systems, and code dependencies are regularly updated to patch known vulnerabilities. Employees are encouraged to install updates promptly, and developers follow rigorous procedures for dependency updates.
Kultify complies with GDPR and enforces secure practices internally and across our vendor network. While we do not currently hold formal certifications like SOC 2 or ISO 27001, our processes align with their core principles, and we continue to evaluate opportunities for certification.
We encourage responsible disclosure of any security vulnerabilities. Please contact us at security@kultify.com with details and proof of concept.
Kultify employs industry-standard practices and tools to protect against unauthorized data access, mitigate risks, and ensure business continuity. Our employee training programs reinforce security awareness, while our defined processes ensure data handling compliance with GDPR and other applicable regulations.
Security oversight is directed by Kultify’s Chief Technology Officer, Jan Kühnlein, with strong support from cross-functional teams.
Infrastructure and Network Security
Physical Access Control
Kultify’s systems and infrastructure are hosted securely within data centers that maintain industry-leading security measures. While Kultify does not directly manage its physical hosting environment, we rely on rigorously vetted EU-based vendors that adhere to stringent security certifications such as ISO 27001 and SOC 2 compliance.
Logical Access Control
Access to Kultify systems is tightly controlled. Employees gain access to infrastructure only through secure methods, including single sign-on (SSO) and two-factor authentication (2FA). Access is granted on a need-to-know basis and regularly reviewed.
Penetration Testing
Automated penetration tests and scanning tools, such as those provided by ProjectDiscovery Inc., are regularly utilized to identify and mitigate infrastructure vulnerabilities.
Intrusion Detection and Prevention
Kultify employs robust monitoring solutions to spot suspicious patterns in our systems. Automated alarms notify engineering teams in real time to allow rapid investigation and response.
Business Continuity and Disaster Recovery
High Availability
To ensure availability, Kultify leverages redundant systems and resources to minimize service impact in the event of hardware or software failure. Regular maintenance ensures seamless functionality even during updates.
Backups
Backups of all production systems are encrypted and securely stored offsite in at least two geographically distinct locations. These backups are created daily to ensure comprehensive data protection.
Disaster Recovery
Kultify maintains documented disaster recovery plans that prioritize systems with a recovery time objective (RTO) of less than 48 hours. This includes the ability to restore systems from backups quickly and reconfigure affected applications.
Data Flow
Data In
Data processing is aligned with GDPR standards and restricted to necessary information transmitted securely via TLS-encrypted channels. Additionally, Kultify encourages customers to follow security best practices, such as using data scrubbing to remove sensitive information where possible.
Data Transit
All data flowing between our services is encrypted using industry-standard protocols. These include AES-256 bit encryption for data at rest and TLS for data in transit.
Data Out
Kultify restricts data access to authorized personnel and provides customers with straightforward integration options with third-party tools to facilitate secure workflows. Access is carefully monitored for compliance.
Data Security and Privacy
Data Encryption
Customer data is encrypted at all stages: in transit using TLS, and at rest using AES-256 bit encryption. Only dedicated and secured storage solutions are used for data handling.
Data Retention
Kultify retains customer data only as long as necessary for service delivery or according to agreed schedules. Specific data removal requests are honored promptly.
Access Control
Access to customer production data is limited exclusively to Kultify's internal development team. Administrative actions require dual authorization (4-eyes principle) to ensure accountability and security.
Compliance with GDPR
Kultify adheres to GDPR and other applicable data protection laws. Formal Data Processing Agreements (DPAs) are in place with all third-party vendors.
Application Security
Secure Application Development
Kultify follows industry best practices for application security, including:
Regular automated static application security testing (SAST).
Software Composition Analysis (SCA) to detect vulnerabilities in third-party code.
Version control systems to ensure code integrity during development.
Multi-Factor Authentication
Access to both Kultify systems and third-party integrations is protected by 2FA. This adds an extra layer of security for all accounts and prevents unauthorized login attempts.
Email Security
Kultify safeguards its email communications through industry-standard measures to protect against spoofing, phishing, and other malicious email threats. We implement Sender Policy Framework (SPF) records and Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF ensures that only authorized servers can send emails on behalf of our domain, while DMARC provides authentication and reporting mechanisms to prevent email spoofing and unauthorized email use. These practices significantly reduce the risk of phishing attacks and ensure that our customers can trust emails originating from Kultify.
Audit Controls
We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All enterprise customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed. (Coming soon)
Membership within Kultify is handled at the organization level. The system is designed so each user has a singular account that can be reused across multiple organizations (even those using SSO)
Access to organizations is dictated by role:
Admin
User
Corporate Security
Workforce Identity and Management
Kultify employs a single sign-on (SSO) platform for centralized user authentication and authorization management. Role-based access control (RBAC) ensures users only access resources pertinent to their roles. Access privileges are reviewed regularly.
Employee Training and Awareness
Kultify cultivates a strong culture of security awareness by providing ongoing training for employees. Topics covered include:
Use of password managers to generate and store secure passwords.
Guidelines for handling customer and personally identifiable information (PII).
Best practices for locking workstations and securing devices.
Endpoint Security
All employee devices are configured using secure-by-default measures, including full-disk encryption and the enforcement of system updates.
Security Policies
Kultify maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Kultify enterprise customers upon request:
Access
Change Management
Data Request
Data Management
Information Security
Incident Response
Policy Management and Maintenance
Risk Management
Vendor Management
Vulnerability Management
Vulnerability Disclosure and Management
Risk Assessment
Kultify employs regular risk assessments to identify vulnerabilities that may affect our systems or data. Each risk is managed according to its severity through prioritized mitigation strategies.
Regular Audits
Kultify conducts ongoing internal reviews of infrastructure, code dependencies, and software to ensure compliance with evolving security standards.
Quarterly: Comprehensive evaluations of infrastructure and software.
Monthly: Targeted reviews for critical updates and vulnerabilities.
Other Key Policies and Resources
Vendor Risk Management
Kultify carefully evaluates third-party vendors for compliance with security requirements. Vendor selection is limited to EU-based providers where possible and subject to strict guidelines, including mandatory DPAs and activated 2FA.
Incident Response Planning
Kultify has a thorough incident response plan. Security incidents are tracked and managed via iLert, with post-mortem reviews conducted for continuous improvement.
Continuous Monitoring
All critical infrastructure is monitored in real time using tools integrated with OpenTelemetry. Alerts ensure immediate response to anomalies.
Patch Management
All software, operating systems, and code dependencies are regularly updated to patch known vulnerabilities. Employees are encouraged to install updates promptly, and developers follow rigorous procedures for dependency updates.
Compliance Certifications
Kultify complies with GDPR and enforces secure practices internally and across our vendor network. While we do not currently hold formal certifications like SOC 2 or ISO 27001, our processes align with their core principles, and we continue to evaluate opportunities for certification.
Security Reporting
We encourage responsible disclosure of any security vulnerabilities. Please contact us at security@kultify.com with details and proof of concept.
Updated on: 05/02/2025
Thank you!