Kyuda is committed to guaranteeing the privacy and security of your data.
Please provide as many details as possible, including:
- The specific issue you're seeing and at what date and time it started or when you first observed it.
- Relevant resources involved in the abuse (e.g. the HTTP endpoint to which traffic is being sent).
- Any logs or code involved in the abuse (e.g. if you're encountering a denial-of-service attack, please include any HTTP / networking logs related to the issue. If you are reporting malware that exfiltrates data, please include relevant code from that malware or links to relevant reports).
Kyuda will undergo regular third-party audits starting Q2 2023. We will have demonstrated SOC 2 compliance and we will be able to provide a SOC 2 Type I report upon request.
Submitting a GDPR Deletion Request
Kyuda further secures access to AWS resources through a series of controls, including but not limited to: multi-factor authentication, a private network inaccessible from the public internet, mandatory VPN, and more.
Kyuda does not store any passwords tied to your user account; that information is secured with the identity provider. We recommend you configure two-factor authentication in the provider to further protect access to your Kyuda account.
When you link an account from a third party application, you may be asked to either authorize a Kyuda OAuth application access to your account, or provide an API key or other credentials.
This section describes how we handle these grants and keys.
When a third party application supports an OAuth integration, Kyuda prefers that interface. The OAuth protocol allows Kyuda to request scoped access to specific resources in your third party account without you having to provide long-term credentials directly. Kyuda must request short-term access tokens at regular intervals, and most applications provide a way to revoke Kyuda's access to your account at any time.
Some third party applications do not provide an OAuth interface. To access these services, you must provide the required authorization mechanism (often an API key). As a best practice, if your application provides such functionality, Kyuda recommends you limit that API key's access to only the resources you need access to within Kyuda.
Kyuda encrypts all OAuth grants, key-based credentials, and environment variables at rest in our production databases. Those databases reside in a private network. Backups of those databases are encrypted. The keys used to encrypt those databases are managed by AWS KMS and controlled by Kyuda. KMS keys are 256 bits in length and use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). Access to administer these keys is limited to specific members of our team. Keys are automatically rotated once a year. KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.
When you link credentials to a specific source or workflow, the credentials are loaded into that program's Execution Environment, which runs in its own virtual machine, with access to RAM and disk isolated from other users' code.
No credentials are logged in your source or workflow by default. If you log their values or export data from a step, you can always delete the data for that invocation from your source or workflow. These logs will also be deleted automatically based on the event retention for your account.
You can delete your OAuth grants or key-based credentials at any time. Deleting OAuth grants within Kyuda does not revoke Kyuda's access to your account. You must revoke that access wherever you manage OAuth grants in your third party application.
The Execution Environment refers to the environment in which your sources, pipelines, and other Kyuda code are executed.
Each version of a source or pipeline is deployed to its own virtual machine. This means your execution environment has its own RAM and disk, isolated from other users' environments. To implement virtualisation and achieve this level of isolation, Kyuda uses Firecracker, an open source virtualisation technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.
When you use the Kyuda web application, the traffic between your client and our services is encrypted in transit. When you create an HTTP interface in Kyuda, the UI will display the recommended HTTPS endpoint.
Kyuda encrypts customer data at rest in our databases and data stores. The keys used to encrypt those databases are managed by AWS KMS and controlled by Kyuda. KMS keys are 256 bits in length and use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). Access to administer these keys is limited to specific members of our team. Keys are automatically rotated once a year. KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.
dig kyuda.io TXT +short
dig _dmarc.kyuda.io TXT +short
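The two queries above return the domain's TXT records (where an SPF policy is published) and its DMARC record. The following is an added example, not part of the original page or Kyuda's own tooling, showing how to interpret that output; the function names `unquote`, `spf_verdict` and `dmarc_policy` are hypothetical and the sample records are constructed, not kyuda.io's real records.

```shell
# Interpret the TXT answers printed by `dig <domain> TXT +short` (SPF) and
# `dig _dmarc.<domain> TXT +short` (DMARC).
# Remove the quotes dig prints and rejoin strings split as "part1" "part2".
unquote() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Read TXT lines on stdin; print hardfail|softfail|neutral|pass-all|no-all,
# "none" if no SPF record exists, "multiple" if several do (RFC 7208 permerror).
spf_verdict() {
    count=0; verdict=none
    while IFS= read -r line || [ -n "$line" ]; do
        rec=$(unquote "$line")
        case "$rec" in
            "v=spf1" | "v=spf1 "*) count=$((count + 1)) ;;
            *) continue ;;
        esac
        case " $rec " in
            *" -all "*) verdict=hardfail ;;
            *" ~all "*) verdict=softfail ;;
            *" ?all "*) verdict=neutral ;;
            *" +all "* | *" all "*) verdict=pass-all ;;
            *) verdict=no-all ;;
        esac
    done
    if [ "$count" -gt 1 ]; then verdict=multiple; fi
    printf '%s\n' "$verdict"
}

# Print the DMARC p= policy, "missing" if not a DMARC record, "invalid" if p= is bad.
dmarc_policy() {
    rec=$(unquote "$1")
    case "$rec" in
        "v=DMARC1"*) ;;
        *) echo missing; return 0 ;;
    esac
    p=$(printf '%s\n' "$rec" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
    case "$p" in
        none | quarantine | reject) echo "$p" ;;
        *) echo invalid ;;
    esac
}

# Constructed sample answers (not kyuda.io's real records).
SAMPLE_TXT='"google-site-verification=EXAMPLE"
"v=spf1 include:_spf.example.net ~all"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.net"'
echo "SPF: $(printf '%s\n' "$SAMPLE_TXT" | spf_verdict)  DMARC: $(dmarc_policy "$SAMPLE_DMARC")"
```

To check a live domain, pipe the first query into `spf_verdict` and pass the second query's output to `dmarc_policy` as its argument.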
Kyuda uses GitHub to store and version all production code. Employee access to Kyuda's GitHub organisation is protected by multi-factor authentication.
Only authorised employees are allowed and able to deploy code to production. Deploys are automatically tested and monitored before and after release.
Kyuda monitors code, infrastructure and core applications for known vulnerabilities and addresses critical vulnerabilities in a timely manner.
Kyuda performs background checks on all new hires.
Kyuda provides hardware to all new hires. These machines run a local agent that configures the operating system to hardened standards, including:
- Automatic OS Updates
- Hard Disk Encryption
- Anti-Malware Software
- Screen Lock
- Monitoring and Auditing
Employee access to systems is granted on a least-privilege basis. This means that employees only have access to the data they need to perform their job. System access is reviewed quarterly, on any change in role, or upon termination.
Kyuda provides annual security training to all employees. Developers go through a separate, annual training on secure software development practices.
Kyuda retains data only for as long as necessary to provide the core service. Kyuda stores your pipeline code, data in data stores, and other data indefinitely, until you choose to delete it.
Event data and the logs associated with pipeline executions are stored according to the retention rules on your account.
Kyuda deletes most internal application logs and logs tied to subprocessors within 30 days. We retain a subset of logs for longer periods where required for security investigations.
If you choose to delete your Kyuda account, Kyuda deletes all customer data and event data associated with your account. We also make a request to all subprocessors to delete any data those vendors store on our behalf.
Kyuda deletes customer data in backups within 30 days.