Introduction

Kyuda is committed to guaranteeing the privacy and security of your data.

Reporting a Vulnerability

If you'd like to report a suspected vulnerability, please contact us. Use our PGP Key to encrypt sensitive data as part of your report.

Reporting Abuse

If you suspect Kyuda resources are being used for illegal purposes, or are otherwise violating our Terms of Service, please contact us.

Please provide as many details as possible, including:

  • The specific issue you're seeing and at what date and time it started or when you first observed it.

  • Relevant resources involved in the abuse (e.g. the HTTP endpoint to which traffic is being sent).

  • Any logs or code involved in the abuse (e.g. if you're encountering a denial-of-service attack, please include any HTTP / networking logs related to the issue. If you are reporting malware that exfiltrates data, please include relevant code from that malware or links to relevant reports).

Compliance

SOC 2

Kyuda will undergo regular third-party audits starting in Q2 2023. Once SOC 2 compliance has been demonstrated, we will be able to provide a SOC 2 Type I report upon request.

Drata will be used to continuously monitor the compliance of our infrastructure.

GDPR

Data Protection Addendum

Kyuda is considered both a Controller and a Processor as defined by the GDPR. As a Processor, Kyuda implements policies and practices that secure the personal data you send to the platform, and includes a Data Protection Addendum as part of our standard Terms of Service.

Kyuda's Data Protection Addendum includes the Standard Contractual Clauses (SCCs). These clarify how Kyuda handles your data, and they update our GDPR policies to cover the latest standards set by the European Commission.

Submitting a GDPR Deletion Request

When you delete your organisation and account, Kyuda deletes all of your personal data held in our systems and by our Subprocessors.

Hosting Details

Kyuda is hosted in Amazon Web Services (AWS). The physical hardware that powers our platform and stores its data is hosted in data centers controlled and secured by AWS, under strict security practices and compliance certifications.

Kyuda further secures access to AWS resources through a series of controls, including but not limited to: multi-factor authentication, a private network that is not reachable from the public internet, and mandatory VPN access.

Intrusion Detection and Prevention

Kyuda uses AWS WAF, AWS GuardDuty, and Datadog to monitor and block suspected attacks against Kyuda's infrastructure, such as denial-of-service attacks.

Kyuda implements a number of industry-standard and custom alerts to detect anomalous activity on the platform, and quickly reacts to potential threats following a strict Incident Response policy.

User Accounts, Authentication and Authorization

When you sign up for a Kyuda account, you are asked to sign in with an existing Google, GitHub or LinkedIn account.

Kyuda does not store any passwords tied to your user account; that information is secured by the identity provider. We recommend you configure two-factor authentication with the provider to further protect access to your Kyuda account.

OAuth Grants, API Keys and Environment Variables

When you link an account from a third party application, you may be asked to either authorize a Kyuda OAuth application access to your account, or provide an API key or other credentials.

This section describes how we handle these grants and keys.

When a third party application supports an OAuth integration, Kyuda prefers that interface. The OAuth protocol allows Kyuda to request scoped access to specific resources in your third party account without you having to provide long-term credentials directly. Kyuda must request short-term access tokens at regular intervals, and most applications provide a way to revoke Kyuda's access to your account at any time.

Some third party applications do not provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if the application supports it, Kyuda recommends you limit that API key to only the resources Kyuda needs to access.

Kyuda encrypts all OAuth grants, key-based credentials, and environment variables at rest in our production databases. Those databases reside in a private network. Backups of those databases are encrypted. The keys used to encrypt those databases are managed by AWS KMS and controlled by Kyuda. KMS keys are 256-bit and use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). Access to administer these keys is limited to specific members of our team. Keys are automatically rotated once a year. KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.

When you link credentials to a specific source or workflow, the credentials are loaded into that program's Execution Environment, which runs in its own virtual machine, with access to RAM and disk isolated from other users' code.

No credentials are logged in your source or workflow by default. If you log their values or export data from a step, you can always delete the data for that invocation from your source or workflow. These logs will also be deleted automatically based on the event retention for your account.

You can delete your OAuth grants or key-based credentials at any time. Deleting an OAuth grant within Kyuda does not revoke Kyuda's access to your account. You must revoke that access wherever you manage OAuth grants in your third party application.

Execution Environment

The Execution Environment refers to the environment in which your sources, pipelines, and other code is executed on Kyuda.

Each version of a source or pipeline is deployed to its own virtual machine. This means your execution environment has its own RAM and disk, isolated from other users' environments. To achieve this level of isolation, Kyuda uses Firecracker: an open source virtualisation technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.

Encryption of Data in Transit, TLS (SSL) Certificates

When you use Kyuda's web application, the traffic between your client and our services is encrypted in transit. When you create an HTTP interface in Kyuda, the UI will display the recommended HTTPS endpoint.

All of Kyuda's certificates used to protect user data in transit are created using AWS Certificate Manager. Private keys are managed and secured by AWS.

Encryption of Data at Rest

Kyuda encrypts customer data at rest in our databases and data stores. The keys used to encrypt those databases are managed by AWS KMS and controlled by Kyuda. KMS keys are 256-bit and use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). Access to administer these keys is limited to specific members of our team. Keys are automatically rotated once a year. KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.

Email Security

Kyuda delivers emails to users for the purpose of email verification, error notifications and more. Kyuda implements SPF and DMARC DNS records to guard against email spoofing and forgery. You can review these records by using a DNS lookup tool like dig:

# SPF
dig kyuda.io TXT +short
# DMARC
dig _dmarc.kyuda.io TXT +short
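The dig commands above return the raw TXT strings. The following added example (not Kyuda's own code) parses SPF and DMARC records of that form and flags settings that would leave a domain open to spoofing; the two sample records are constructed for illustration and are not kyuda.io's actual DNS records.

```python
"""Parse SPF and DMARC TXT records and report weak settings.

Added example, not Kyuda's code. Input is the quoted string that
`dig <domain> TXT +short` prints for each record.
"""

# Constructed sample records (not real kyuda.io data).
SAMPLE_SPF = '"v=spf1 include:_spf.example-mailer.test -all"'
SAMPLE_DMARC = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"'


def parse_spf(txt: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifier = None  # None means the record never reaches an 'all' term
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' is '+all'
    return {"mechanisms": terms[1:], "all": qualifier}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt: str, dmarc_txt: str) -> list:
    """Return findings a domain owner should act on; an empty list means no weak settings."""
    findings = []
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unauthorised senders (expected -all or ~all)")
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(f"DMARC policy applies to only {dmarc['pct']}% of mail")
    if "rua" not in dmarc:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_SPF, SAMPLE_DMARC) or "no weak settings found")
```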

Incident Response

Kyuda implements incident response best practices for identifying, documenting, resolving and communicating incidents. Kyuda publishes incident notifications to our Status Page.

Kyuda notifies customers of any data breaches according to our Data Protection Addendum.

Software Development

Kyuda uses GitHub to store and version all production code. Employee access to Kyuda's GitHub organisation is protected by multi-factor authentication.

Only authorised employees are allowed and able to deploy code to production. Deploys are automatically tested and monitored before and after release.

Vulnerability Management

Kyuda monitors code, infrastructure and core applications for known vulnerabilities and addresses critical vulnerabilities in a timely manner.

Corporate Security

Background Checks

Kyuda performs background checks on all new hires.

Workstation Security

Kyuda provides hardware to all new hires. These machines run a local agent that configures the operating system to hardened standards, including:

  • Automatic OS Updates

  • Hard Disk Encryption

  • Anti-Malware Software

  • Screen Lock

  • Monitoring and Auditing

System Access

Employee access to systems is granted on a least-privilege basis. This means that employees only have access to the data they need to perform their job. System access is reviewed quarterly, on any change in role, or upon termination.

Security Training

Kyuda provides annual security training to all employees. Developers go through a separate, annual training on secure software development practices.

Data Retention

Kyuda retains data only for as long as necessary to provide the core service. Kyuda stores your pipeline code, data in data stores, and other data indefinitely, until you choose to delete it.

Event data and the logs associated with pipeline executions are stored according to the retention rules on your account.

Kyuda deletes most internal application logs and logs tied to subprocessors within 30 days. We retain a subset of logs for longer periods where required for security investigations.

Data Deletion

If you choose to delete your Kyuda account, Kyuda deletes all customer data and event data associated with your account. We also make a request to all subprocessors to delete any data those vendors store on our behalf.

Kyuda deletes customer data in backups within 30 days.

Payment Processor

Kyuda uses Stripe as its payment processor. When you sign up for a paid plan, the details of your payment method are transmitted to and stored by Stripe according to their security policy. Kyuda stores no information about your payment method.
