Security & Compliance

Our Approach

Koddi is committed to providing you with a safe and robust ads program.

  • SOC 1-Certified
  • Designed From the Ground Up to Be Privacy-First
  • 100% Server Side Integrations
  • Custom Branded Self-Service UI
  • No Koddi Shopper Cookies Ever
  • GDPR- and CCPA-Compliant by Default

Common Security & Compliance Questions

Question

Koddi Response

Does Koddi employ a dedicated security group or personnel responsible for security initiatives within the organization?

Yes. Our Operations organization is responsible for platform security.

Koddi management assesses risks that could impact our ability to provide services to clients. The assessment includes identification of any significant risks, including (a) considering the potential for fraud in assessing risks, and (b) identifying and assessing changes that could significantly impact the system of internal control.

As an internet-based company, management also considers relevant regulatory requirements pertinent to our customers including data breaches and security threats.

Does Koddi have information security and privacy policies, procedures, guidelines or standards that have been approved by management and communicated to appropriate stakeholders within the organization?

Yes. Our standards and policies are described in our latest SOC report. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

The SOC report includes the following processes relevant to the Koddi Platform System:
A. New Account Setup
B. Account Administration
C. Campaign Monitoring
D. Reconciliation
E. Account Statements and Client Reports
F. Settlement Process
G. System Development and Change Management
H. Logical Security
I. Computer Operations
J. Data Transmission
K. Data Backup

Are information security and privacy policies, procedures, guidelines or standards reviewed and updated on an annual basis?

Yes. Our standards and policies are reviewed (and updated as appropriate) annually.

Will Koddi collect personal information on behalf of its clients?

No. You will do all data collection. Koddi is a processor only.

Will Koddi be able to assist us in fulfilling its obligations to respond to requests for data subjects seeking to exercise their rights under applicable law?

Yes. We deeply value transparency and accessibility.

Users in California have:

  • The right to know whether personal information is being collected about them
  • The right to request the specific categories of information a business collects upon verifiable request
  • The right to know what personal information is being collected about them
  • The right to say “no” to the sale of personal information
  • The right to delete their personal information
  • The right to equal service and price, even if they exercise their privacy rights

To make any of the above requests (or to reach out with additional questions) contact us at [email protected].

Users in the European Union can easily manage the data we collect by:

  • Requesting an electronic copy of the personal data we have collected, free of charge
  • Requesting that their data be transmitted to a new controller
  • Requesting that their data be permanently erased

To make any of the above requests (or to reach out with additional questions) contact us at [email protected].

Are processes in place to allow data subjects to request access to their personal information?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to data subject access requests?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to update requests regarding inaccurate personal information?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to a request to delete personal data?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to a request to restrict the processing of personal data?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to a data subject request to have their electronic personal data transferred to the data subject or to another controller in a machine-readable format?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to respond to a data subject request to stop the processing of personal information?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Are processes in place to allow data subjects to opt-out of automated processing?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Does Koddi have a formal complaint process for responding to all privacy complaints involving our personal and confidential information, as well as notifying us without undue delay?

Yes. Please see the Koddi Privacy Policy (https://koddi.com/privacy-policy/) for more information.

Is there a retention and disposal policy and procedure in place?

Yes. Please see our SOC documentation. Data is retained for the duration of our commercial agreement unless deletion is requested by you.

Will our personal and confidential information be retained only per the terms of the governing agreement or as required by law?

Yes. Any personal and confidential information will be retained only per the terms of the governing agreement or as required by law.

Will personal and confidential information be destroyed upon completion of services and a certification of destruction provided to us? Alternatively, will the personal and confidential information be returned to us upon our request?

Yes. Please see our SOC documentation. Data is retained for the duration of our commercial agreement unless deletion is requested by you.

Does Koddi periodically dispose of media securely and maintain a log of such activities?

Yes. Please see our SOC documentation. Data is retained for the duration of our commercial agreement unless deletion is requested by you.

Are safeguards in place to ensure compliance with privacy laws for data transfers, including cross-border and onward data transfers to sub-processors (sub-contractors)?

Yes. All data collection and processing is executed in local data centers.

Is there an asset management policy and procedure in place?

Yes. Koddi has a robust asset management program and can provide the policy on request.

Is our personal and confidential information stored or processed by Koddi in a mobile hardware (e.g. laptop, portable media, USB device)? If so, please describe in the comments.

No. All data processing is performed in our secured cloud environment on AWS.

Is our personal and confidential information stored or processed by Koddi in a cloud storage (e.g., SaaS, PaaS, IaaS)?

Yes. All data processing is performed in our secured cloud environment on AWS.

Is our personal and confidential information stored or processed by Koddi in a collaboration solution (software, application, service, tool)?

No. All data processing is performed in our secured cloud environment on AWS.

Does Koddi maintain an inventory of information assets?

Yes. Cloud (AWS) assets are tracked by our Platform Infrastructure and Site Reliability organization. Non-cloud assets are tracked by our IT organization.

Are applications analyzed on a regular basis to determine their vulnerability against recent attacks?

Yes. All Koddi applications are analyzed on a regular basis to determine their vulnerability against recent attacks.

Are Privacy Impact Assessments (PIAs) conducted on systems, applications, or processes processing our personal and confidential information?

N/A. All data that is collected by Koddi is provided by you.

Does Koddi establish and maintain access rights management procedures to prevent unauthorized access to our personal or confidential information?

Yes. Please see our SOC documentation for additional details.

Koddi restricts access to all systems to authorized Koddi employees. Privileged access to applications is restricted to authorized employees. Privileged access within applications is restricted to campaign management personnel, customer support personnel, and software engineers requiring access to troubleshoot.

Is access to personal information controlled and restricted to a need-to-know basis?

Yes. Please see our SOC documentation for additional details.

Koddi restricts access to all systems to authorized Koddi employees. Privileged access to applications is restricted to authorized employees. Privileged access within applications is restricted to campaign management personnel, customer support personnel, and software engineers requiring access to troubleshoot.

Are employees (or subcontractors) able to access the data in an unencrypted state?

No. But, on a need-to-know and individual task basis, Koddi employees may access user contact information to complete a specific task.

Can users (employees or subcontractors) access our personal and confidential information via a mobile device (e.g., smartphone, tablet, laptop)?

Yes. Via authorized Koddi devices.

Does Koddi have a process to review user access to our personal and confidential information on a regular basis?

Yes. We perform a quarterly audit of user access to all systems.

Management performs user access appropriateness reviews on an annual basis, including vendor access. In addition, management evaluates new hire access, terminated employee revocation and internal position changes quarterly thereafter. During this process, Koddi reviews application, operating system, and database level access to ensure users have the appropriate access to systems, including vendor access. Any inappropriate access identified during the review is updated or removed from the system. Please see our SOC documentation for additional details.

Is user access reviewed on a periodic basis?

Yes. We perform a quarterly audit of user access to all systems.

Management performs user access appropriateness reviews on an annual basis, including vendor access. In addition, management evaluates new hire access, terminated employee revocation and internal position changes quarterly thereafter. During this process, Koddi reviews application, operating system, and database level access to ensure users have the appropriate access to systems, including vendor access. Any inappropriate access identified during the review is updated or removed from the system. Please see our SOC documentation for additional details.

Is access to personal information removed when access is no longer needed?

Yes. Please see our SOC documentation. Data is retained for the duration of our commercial agreement unless deletion is requested by you.

Is access to production systems and components within the production environment reviewed periodically by appropriate personnel to ensure access continues to be aligned with current roles and responsibilities?

Yes. We perform a quarterly audit of user access to all systems.

Management performs user access appropriateness reviews on an annual basis, including vendor access. In addition, management evaluates new hire access, terminated employee revocation and internal position changes quarterly thereafter. During this process, Koddi reviews application, operating system, and database level access to ensure users have the appropriate access to systems, including vendor access. Any inappropriate access identified during the review is updated or removed from the system. Please see our SOC documentation for additional details.

Are there procedures in place to maintain records of processing activities?

N/A. Koddi is acting as a data processor for you. We process data as instructed by you for specific purposes.

Is there a defined, implemented and communicated end to end system development life cycle?

Yes. Koddi follows a structured change management process to ensure that changes to production systems are deployed in a controlled environment. Please see our SOC documentation.

Does Koddi maintain an information security program?

Yes. Our standards and policies are described in our latest SOC report. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Does Koddi install anti-virus and anti-malware software on equipment connected to the network used to process our personal and confidential information?

Yes. Anti-virus and anti-malware software is installed on all Koddi assets.

Does Koddi perform annual network security assessments? (e.g., vulnerability scans, penetration tests)

Yes. We perform regular testing using highly regarded third-party testing tools.

Does Koddi have a defined process to implement patch management procedures that prioritize security patches for systems used to process our personal and confidential information?

Yes. Our standards and policies are described in our latest SOC report. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Does Koddi have a process that requires security approval to allow external users to connect to the company network?

N/A. We do not allow any external users access to our network for any reason.

Are all critical security patches applied and verified at least monthly?

Yes. Our standards and policies are described in our latest SOC report. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Is Koddi's network adequately and securely segregated through the use of properly configured firewalls?

Yes. All production infrastructure (and data) is inside of our VPC on AWS. Security groups are used to only allow traffic on specific ports for the approved IP addresses. MFA is in place throughout Koddi services.

Does Koddi protect our personal and confidential information in transit across networks with encryption using Transport Layer Security (TLS) or Internet Protocol Security (IPsec)?

Yes. All production infrastructure (and data) is inside of our VPC on AWS. Security groups are used to only allow traffic on specific ports for the approved IP addresses. MFA is in place throughout Koddi services.

Will any of our personal and/or confidential information used in the development and/or test environment be redacted or anonymized?

Yes. Any personal and/or confidential information is redacted in development and test environments.

Is there a physical security policy and procedure in place?

Yes. Please see our SOC documentation. Physical security to critical components and areas that contain sensitive information is restricted to appropriate personnel based on job requirements.

Are physical security and environmental controls implemented in the data center, office buildings, and other areas that will store our personal and confidential information? If so, what safety and protective controls have been established to safeguard the areas that will store our Personal and Confidential Information from environmental factors such as fire, flooding, power surges or shortages?

Yes. We partner with AWS to support our physical security and environmental controls.

CCTV
Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.
DATA CENTER ENTRY POINTS
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
INTRUSION DETECTION
Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response.
POWER
Our data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. AWS ensures data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
CLIMATE AND TEMPERATURE
AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.
FIRE DETECTION AND SUPPRESSION
AWS data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.
LEAKAGE DETECTION
In order to detect the presence of water leaks, AWS equips data centers with functionality to detect the presence of water. If water is detected, mechanisms are in place to remove water in order to prevent any additional water damage.

Are physical security controls reviewed on an annual basis?

Yes. All security controls are reviewed on at least an annual basis.

Is physical access to data centers and office buildings reviewed on a periodic basis, including access revocation that is no longer required (such as for employees who no longer require access)?

Yes. Please see our SOC documentation. Physical security to critical components and areas that contain sensitive information is restricted to appropriate personnel based on job requirements.

Is the inventory of access cards periodically reviewed?

Yes. Please see our SOC documentation. Physical security to critical components and areas that contain sensitive information is restricted to appropriate personnel based on job requirements.

Management performs user access appropriateness reviews on an annual basis, including vendor access. In addition, management evaluates new hire access, terminated employee revocation and internal position changes quarterly thereafter.

Does Koddi monitor information systems in use within the company network where our personal and confidential information is handled - for intrusions and other unauthorized activity?

Yes. Monitoring tools are used to automatically identify errors related to the network and application for specific operational issues (e.g., capacity or usage errors). Please see our SOC documentation for additional information.

Does Koddi have monitoring activities to identify unauthorized network access attempts, suspicious patterns or excessive system lockouts?

Yes. Monitoring tools are used to automatically identify errors related to the network and application for specific operational issues (e.g., capacity or usage errors). Please see our SOC documentation for additional information.

Has Koddi implemented a business continuity plan and disaster recovery plan that protects personal data from unauthorized use, access, disclosure, alteration and destruction?

Yes. A disaster recovery plan is updated based on emerging risks and tested on at least an annual basis.

In the event of a disaster which interferes with Koddi’s ability to conduct business (complete system failure), the following actions will be executed within 24 hours of the event:

1. New VPCs established within operating data centers
2. Complete service restore from backups
3. Complete data restore from backups

Does Koddi test business continuity and disaster recovery plans periodically?

Yes. Restore tests are performed annually on backups to ensure data recoverability.

Are annual backup restoration tests conducted to confirm backup reliability and integrity?

Yes. Restore tests are performed annually on backups to ensure data recoverability.

Has senior management assigned the responsibilities for the overall management of the response and recovery efforts?

Yes. This information is covered in our disaster recovery plan.

Has your company suffered a data loss or security breach within the last 3 years?

No. We have not suffered a data loss or security breach within the last 3 years.

Does Koddi have an incident management program that has been approved by management, communicated to stakeholders and maintained and reviewed by the designated program owner?

Yes. Our incident management program is managed by our Support and Incident Management organization. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Does Koddi have processes in place to notify us upon becoming aware of a personal information breach or security vulnerability related to the handling of our personal data?

Yes. Our incident management program is managed by our Support and Incident Management organization. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Are there processes in place to implement a remediation plan and monitor the resolution of personal information breaches and vulnerabilities related to our personal and confidential information to ensure that appropriate corrective action is taken on a timely basis?

Yes. Our incident management program is managed by our Support and Incident Management organization. These standards and policies have been approved by management and communicated to appropriate stakeholders within Koddi.

Does Koddi have cybersecurity insurance?

Yes. We have cyber coverage through our primary professional liability coverage.

Will Koddi use subcontractor(s) to provide the product(s) and/or service(s) to us?

This will depend on our scope of services.

If subcontractor(s) are used, they are subject to our Vendor Management Policy and the same Security Policies as Koddi employees. All subcontractors are required to sign confidentiality or non-disclosure agreements.

Is there a risk assessment program that has been approved by management, communicated to constituents, and maintained and reviewed by the designated program owner?

Yes. Koddi management assesses risks that could impact its ability to provide services to clients. The assessment includes identification of any significant risks, including (a) considering the potential for fraud in assessing risks, and (b) identifying and assessing changes that could significantly impact the system of internal control. As an internet-based company, management also considers relevant regulatory requirements pertinent to their customers including data breaches and security threats.

Are there risk assessments conducted?

Yes. Risk assessments are completed and reviewed at least annually.

Are identified risks and associated mitigation plans formally documented and reviewed by management?

Yes. Management identifies and mitigates risks that threaten achievement of the control objectives stated in our SOC documentation. Our controls are designed with the assumption that user entities will have implemented complementary user entity controls that are necessary to achieve our control objectives. Please see our latest SOC report for more information.

Is there an internal audit, risk management, or compliance department, or similar management oversight, with responsibility for assessing, identifying, and tracking resolution of outstanding regulatory issues?

Yes. Koddi management assesses risks that could impact its ability to provide services to clients. The assessment includes identification of any significant risks, including (a) considering the potential for fraud in assessing risks, and (b) identifying and assessing changes that could significantly impact the system of internal control.

As an internet-based company, management also considers relevant regulatory requirements pertinent to their customers including data breaches and security threats.

Does Koddi provide security and privacy training to employees and/or subcontractors who will have access to our personal and confidential information?

Yes. Koddi’s vision is to break down barriers to improve discovery, growth and results. This vision drives our operating philosophy: to establish and maintain open communication between senior management and staff in order to maintain structures, reporting lines, and appropriate authorities and responsibilities to ensure an appropriate control environment. The organizational structure, separation of job responsibilities by department and business function, documentation of policies and procedures, and internal assessments are the methods used to define and implement effective operational controls.

Koddi demonstrates a commitment to attract, develop, and retain competent individuals in alignment with business objectives. Koddi has established policies and procedures for recruiting employees, job performance reviews, and employee expectations and conduct. Koddi hires employees with expertise in the intended area of responsibility. Job offers are reviewed and approved by management prior to being made to a candidate. Koddi provides employees with the authority to carry out the responsibilities of their job function. Employees receive training through formal training sessions that are developed in-house and informally through on-the-job training on their engagement teams. Ongoing performance evaluations and reviews are performed to ensure employees are able to carry out the responsibilities of their job function.

Are employees and/or subcontractors who will have access to our personal and confidential information required to sign confidentiality or non-disclosure agreements?

Yes. All employees and/or subcontractors are required to sign confidentiality or non-disclosure agreements.

Koddi does not plan to use subcontractors to provide this service.

Is there a data classification scheme that identifies the data types that require additional management and governance?

N/A. Koddi is acting as a data processor. We process data as instructed by you for specific purposes.

Does Koddi routinely classify printed and/or electronic data by degree of confidentiality? If so, briefly describe the classes of confidentiality and the types of data in use.

Yes. We treat all customer provided data with the highest level of confidentiality always.

Koddi is acting as a data processor. We process data as instructed by you for specific purposes.