Karbon Security, Availability, Confidentiality, and Privacy Practices

Last Updated: 22 May 2020

1. Security

1.1 Tenant Security

Karbon is a multi-tenanted system. Each customer account has a unique identifier that is used across the entire platform to identify data owned by that account. Once a tenant identifier has been issued, it cannot be re-issued. All tenants are currently stored in the same deployment environment. Network and database layer controls are in-place to prevent a user in one tenant accessing another tenant’s data. Database layer controls ensure all user and tenant match for all service requests which create, modify or access.

Note: Single tenant environments are available at additional cost. For more information, contact our customer service team.

1.2 User Security

All users within a tenant must be invited to join a tenant and must accept that invitation before they can access any tenant data. Invitations sent to new users expire if not accepted within 7 days of the invitation being sent. Users can only be invited into a tenant by an existing user within the tenant.

When a new user account is activated in Karbon, the user must authenticate, themselves, against one of the authentication providers available within the Application. Karbon supports 3 user authentication providers:

1. Google
2. Microsoft Office 365 (Exchange online)
3. Hosted Microsoft Exchange

A selected authentication provider is recorded for the user, and all future login attempts, to Karbon and require the user to authenticate using the same authentication provider. Karbon can be configured to work with a Single Sign On (SSO) providers, such as Okta. Once the initial user invitation has been accepted and the user account activated, the user’s authentication credentials can be added to the SSO provider and the login completed.

Users access to the Application can be granted or removed by a user(s) with administrative access privileges within the tenant. Customer's are granted an initial administrative account, which can be used to grant or remove access to their Application environment. Once access is granted to a user, access permissions within the system can be assigned to allow for full or limited access within the system. Upon removal of access, the removed user’s profile is archived and all work items assigned to them are re-assigned. It is possible to “unarchive” a previously removed user.

Customer's are responsible for the following to maintain the security of the Application:

• Selection of authentication provider for individual user accounts
• Configuration of password constraints associated with the selected authentication provider
• Protection of user account and password credentials
• Protection of initial administrative account user account and password credentials
• Creation, removal, and management of user accounts and access permissions within the Application

1.3 Network Security

The information technology (IT) infrastructure supporting the Karbon network and the Application are hosted within cloud-hosted infrastructure environments. The physical IT infrastructure is stored ad managed within data centers owned and managed by the cloud service provider. The cloud service provider undergoes regular security assessments/examinations to evaluate the effectiveness of logical and physical security controls implemented to protect these infrastructure resources. Management monitors these assessment reports to assess any risks presented to Karbon and the Application.

IT network resources supporting the Application are configured with security controls that prevent unauthorized access to the Karbon IT environment, including user access controls, firewall security, encryption technologies, etc. The Karbon platform enforces Transport Layer Security (TLS) encryption on all requests sent between user client and server connections. In addition, system hardening and malware protection have been implemented to facilitate the prevention of malicious software infection within the IT network.

System vulnerability assessments and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks, such as cross site scripting SQL injection attacks, etc. Monitoring tools and processes are also in place to ensure any denial of service (DoS/DDoS) type attacks are identified and effectively responded to.

Access to Karbon’s deployment environments is strictly controlled. Only Karbon staff with the need to monitor and maintain the Karbon deployment environments are given access, only for the specific services they need to access. In the event of an access or information security breach affected customers will be notified.

1.4 User and File Restrictions

There are no limitations to the number of users in a tenant and no limit to the transactions a user can perform. Files larger than 50MB cannot be uploaded to Karbon. Executable files are prevented from being uploaded.

1.5 System Change Management

Management has implemented change management technologies and processes to perform secure and structured software development and system change activities.

2. Software Releases and Updates

Our software development and management teams are continuously working on the Application to improve functionality and security. Changes to the software are continuously performed. In addition, management will implement software releases that include multiple changes to the software. Software releases are communicated to system users to communicate the details of the release changes or updates. All scheduled Karbon releases are performed outside 8 am - 6 pm AEST (and AEDT during daylight savings). Release notes can be found within Karbon’s published Release Notes web-page (https://karbonhq.com/release-notes).

3. System Auditing

The following management practices are periodically reviewed for effectiveness and improvement:

1. All user actions that create, modify, or remove data in Karbon are audited. The audit records identify:
   1. What action was performed
   2. What data was created, modified or removed
   3. Who performed the action
   4. When the action was performed
2. These audit records are retained for 14 days and can be provided to customers upon request, with the authorization of Karbon management. User visible auditing is available for some functionality in Karbon, specifically:
   1. Assignment and re-assignment of work, tasks, notes and emails
   2. Completion of tasks
   3. Deletion of work
   4. Deletion of contacts

When these actions are performed by a Karbon user, the record of this action is visible to other Karbon users in the same tenant.

4. Information Security Management System

We have implemented an Information Security Management System (ISMS), in accordance with the requirements set out in ISO 27001. However, we have not been independently certified ISO 27001 compliant. Our information security controls are implemented across both our technical solutions and management practices. Karbon complies with Australia federal and state data security laws, and the Australian Privacy Principles (APP). In addition, Karbon will actively pursue compliance certifications to demonstrate our value of security, availability, confidentiality, and privacy expectations (e.g. SOC certification, ISO27001, GDPR, etc.).

5. System Availability

5.1 Data Backups

Karbon data is stored across multiple databases and file stores. Data and audit logs, for all databases, are backed up on a regular frequency. Full backups are performed every gigabyte of growth or each week — whichever is sooner. Additionally, if the log chain is broken at any point, a full data backup is performed. Backups are stored in cloud storage locations, and all backups are encrypted and retained in accordance with defined retention requirements, as established by management for business and compliance purposes.

Note: It is not currently possible for customers to perform their own data backups; however, the Application includes functionality to enable customers to export data from Karbon.

5.2 System Monitoring

Automated monitoring and alert systems are in place for performance and availability monitoring. In addition, management and IT personnel perform periodic meetings, discussions, and evaluations of system performance to support proactive and responsive system monitoring activities for the Application and its supporting IT infrastructure.

5.3 Business Continuity and Disaster Recovery

System monitoring technologies are configured to automatically send alerts to Karbon system administrators when system availability issues are identified. These alerts are investigated, analyzed and worked for resolution to maintain the availability of the system’s operation.

In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance. Karbon management has documented Business Continuity and Disaster Recovery policies and plans to define procedures performed by Karbon personnel to support continued operations in the event of a service outage or disaster situation. In addition, Karbon has operational support staff available on call 24 hours a day. Processes are in place to resolve availability issues that arise from a problem within Karbon. If there is a complete loss of service, due to a catastrophic failure in the cloud hosting environment, the Karbon Application can be restored within 24 hours of the cloud hosting environment’s restoration of operations. In the event of less serious service issues that arise in the cloud hosting environment, a faster response time will occur.

6. Data Confidentiality

As mentioned above, the information technology infrastructure supporting the Karbon Application are hosted within cloud-hosted infrastructure environments. All data collected by the Application is stored in data centers owned and managed by the cloud service provider, which have implemented their own security technologies and processes that protect the confidentiality of data stored by the application. Access to product databases is strictly controlled and only users with a need to access production data for customer support or problem resolution have access. Access to production databases is also restricted to allow access only from trusted IP addresses. Data collected and stored by the Application are encrypted in-transit and at-rest. In addition, confidential/sensitive data is encrypted/masked within the Application database.

7. Data Privacy

We have published the our Privacy Policy (https://karbonhq.com/privacy-and-legal) to communicate information related to the consent, collection, use, access, retention, disposal, and disclosure of personal information collected, used, and stored by the Application.

8. Terms of Use

Please reference our published Terms of Use (https://karbonhq.com/terms-of-use) for the Karbon Application to understand service commitments made by Karbon management and user requirements associated with the use of the Application.