Security

How we keep your information safe

Cyber Essentials Plus Certified

We are Cyber Essentials Plus certified.

Cyber Essentials is a Government-backed scheme which focuses on technical controls designed to guard against the most common internet-based cyber security threats. Displaying the Cyber Essentials badge means we have put measures in place to protect not only our own organisation, but also the security of our clients, by meeting a UK Government-endorsed standard.

Data Storage

We use Amazon Web Services (AWS) to store your data, which is considered the gold standard for secure data storage. All our data is stored in UK-based datacenters (served over HTTPS / SSL).

Encryption

All data is fully encrypted, both when it’s uploaded and when it’s at rest in your Kinvault. This includes the content of any files you upload. We use the industry standard for secure encryption (a symmetric algorithm based on Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys).

Database access

Access to our database uses encryption comparable with physical military-grade security. Database access keys are secured in hardware security modules (HSMs) providing AES-256-GCM encryption.

Penetration tested

Our platform is regularly penetration tested by a third party using the ImmuniWeb platform. We keep significant audit trails to preserve a record of any changes to data.

Firewalling

Robust web application firewalls (WAFs) are in place to protect our front-end applications and APIs and to prevent malicious traffic from entering our platform.

Browser security

We enforce a strict Content Security Policy (CSP) and Strict-Transport-Security headers, and API access is restricted via CORS (Cross-Origin Resource Sharing). Kinvault is also on the HSTS preload list, so it cannot be served without HTTPS on modern browsers.

Multifactor Authentication

Multifactor authentication (MFA or 2FA) is used to access your Kinvault, which means you’ll be asked for at least two different forms of verification when you log on. We use a time-based one-time password (TOTP) via an app on your phone, with backup via a text message or email.

Identity checks

Accessing your confidential data after your death requires an identity check and a valid notice of death or death certificate, unless you’ve specifically told us to release information earlier.

Permissions

We never share any of your data with third parties without your express permission, and you can specify how you’d want us to act if an attorney or executor requests information. Data changes are fully logged.