KodeKloud Security
Certifications & Attestations
- **SOC 2 Type II** — Annual audit by independent CPA firm. Report available under NDA. - **GDPR** — Data Processing Addendum (DPA) standard. EU data residency option. - **CCPA/CPRA** — California privacy compliance. - **ISO 27001** — Alignment (controls mapped), formal certification in progress (2026 target).
Data Protection
- **Encryption at rest:** AES-256 (AWS KMS managed keys) - **Encryption in transit:** TLS 1.2+ (enforced, HSTS, certificate pinning) - **Key management:** AWS KMS with automatic rotation - **Backup encryption:** Same standards, geographically replicated - **Data minimization:** Only collect data necessary for service delivery (email, progress, usage analytics)
Access Control
- **SSO/SCIM** (Business tier) — enterprise identity integration - **RBAC** — Admin, Manager, Learner roles with granular permissions - **MFA enforcement** — Optional for individual accounts, mandatory for admins - **Session management** — Configurable timeouts, concurrent session limits - **Audit logging** — All admin actions logged (Business tier)
Application & Infrastructure Security
- **Penetration testing:** Annual third-party + continuous bug bounty (HackerOne) - **Vulnerability management:** Automated SAST/DAST in CI/CD, dependency scanning (Dependabot, Snyk) - **Secure SDLC:** Code review mandatory, security gates in pipeline - **Infrastructure:** AWS (SOC 2, ISO 27001, PCI DSS), VPC isolation, WAF, DDoS protection - **Playground isolation:** Each user session = dedicated Kubernetes namespace with network policies, resource quotas, no cross-tenant access
Privacy & Data Rights
- **Data subject requests:** Automated portal + manual fallback (30-day SLA) - **Right to deletion:** Full account + data purge within 30 days - **Data portability:** JSON export of all progress, certificates, completions - **Retention:** Active account = indefinite. Deleted account = 30-day grace, then purge - **No advertising/tracking:** No third-party ad networks, no behavioral profiling beyond platform analytics
Incident Response
- **24/7 monitoring** (CloudWatch, PagerDuty) - **Defined escalation** (Severity 1–4 with SLA) - **Customer notification:** < 72 hours for confirmed data incidents (GDPR Art. 33) - **Post-incident review:** Root cause analysis, corrective actions, customer communication - **Business continuity:** Multi-AZ deployment, RTO < 4 hours, RPO < 1 hour
Vendor Risk Management
- **Subprocessor list** available (AWS, SendGrid, Intercom, Stripe, etc.) - **DPA flow-down** to all subprocessors - **Annual vendor assessments** (security, privacy, financial) - **Contractual security obligations** in all vendor agreements - **Right to audit** (or rely on SOC 2) for critical vendors
Compliance Mapping for Common Frameworks
| Requirement | KodeKloud Coverage | |---|---| | SOC 2 CC6.1 (Access Control) | SSO, RBAC, MFA, session mgmt | | SOC 2 CC6.7 (Data Transmission) | TLS 1.2+, HSTS, cert pinning | | GDPR Art. 25 (Data Protection by Design) | Encryption, minimization, privacy-by-default | | GDPR Art. 32 (Security of Processing) | Pen testing, vuln mgmt, IR plan | | HIPAA (BAA available) | Business tier + signed BAA | | FedRAMP (Low/Moderate) | Not currently certified; AWS GovCloud available on request |