Trust center

At Kuona, we know your data is one of your most valuable assets. That's why we're committed to the highest standards of security, privacy, and transparency—so you can focus on growing your business with confidence.

ISO 27001

International standard for information security management.

GDPR

European regulation for data privacy and protection.

Security Pillars

Built on a foundation of security best practices

We apply security controls at every level—from infrastructure and applications to internal processes and people. These pillars show how Kuona protects your data, ensures compliance, and helps you operate with confidence.

Product Security

Multifactor Authentication (MFA)

Multiple forms of verification are required, such as passwords and authentication codes, to access your systems and applications. This adds an extra layer of protection, ensuring that only legitimate users can interact with the product, reducing the risk of unauthorized access.

Audit Logs

All activities and events within your systems and applications are logged. These logs support tracking changes, detecting anomalies, and ensuring product integrity, which facilitates the identification and resolution of security issues and helps ensure compliance with regulations and quality standards.

Team Permissions

Specific permissions are assigned and managed for each user or work group. This ensures that only authorized personnel can access or modify critical product components, protecting system integrity and security against unauthorized changes and potential vulnerabilities.

Data Security

Physical security

Various access controls are implemented, such as surveillance cameras, activity logs, and authentication systems that ensure only authorized personnel can access areas where sensitive data is stored, protecting the integrity and confidentiality of information.

Activated backups

Access monitoring

Access provisioning and deprovisioning for the assets used by the company is managed and tracked during new staff onboarding, normal operations, and staff departures, ensuring that only authorized users can interact with sensitive data.

Company Security

Internal auditing

Periodic reviews of your processes and security controls are conducted. These audits identify vulnerabilities, verify compliance with internal policies and regulations, and propose improvements, ensuring the effectiveness of security measures and the continuous protection of the organization's assets and information.

Incident management

Clear procedures are established to detect, respond to, and quickly recover from security incidents. This includes threat identification, effective communication, and damage mitigation, ensuring operational continuity and protection of the organization's critical information.

Introductory staff training on information security

Initial training is provided on secure practices, handling sensitive data, and threat detection. This ensures that employees understand their role in protecting information, reducing risks, and strengthening the organization's security posture.

Asset review

Periodic inventories and assessments of your physical and digital assets are conducted. This enables identifying vulnerabilities, ensuring protection of critical data, and guaranteeing that resources are properly managed, contributing to better organizational security and resilience.

Social engineering

Staff are trained and educated on social engineering through real tests, so that they can recognize and avoid manipulation and fraud attempts. Strict verification policies are implemented and awareness of deceptive techniques, such as phishing, is promoted, ensuring that employees are prepared to protect sensitive information and minimize security risks.

Risk Management

Possible threats to your operations and assets are periodically identified, assessed, and prioritized. Mitigation strategies and contingency plans are implemented to reduce the probability and impact of incidents, ensuring business continuity and protection of your critical resources.

Staff Leaked Credentials Monitoring

Tools are used to detect compromised credentials on the web. Employees are alerted and password changes are enforced, preventing unauthorized access and protecting the integrity of the organization's systems and data.

Infrastructure Security

Cloud Services

Robust access controls, data encryption, and constant activity monitoring are implemented on AWS. These measures protect the cloud infrastructure against unauthorized access, data loss, and cyber threats, ensuring the integrity and availability of hosted resources and services.

Business Continuity Plan

Strategies and procedures are developed to maintain critical operations during and after a disruption. This includes data backup, disaster recovery, and system redundancy, ensuring the company can continue operating and minimizing impact in case of unforeseen incidents.

Disaster Recovery Plan

Procedures are established to quickly restore critical systems and data after a disaster. This includes regular backups, alternative recovery sites, and response teams, ensuring operational continuity and minimizing losses and downtime in the face of catastrophic events.

Application Security

Cloud (AWS) Server Monitoring

AWS cloud server security configurations are continuously monitored. This enables detecting anomalies, preventing security breaches, and ensuring that hosted applications remain protected against threats, guaranteeing their availability and integrity.

Business Suite Monitoring

The enterprise management platform, Google Workspace, is continuously monitored. This ensures proper parameter configuration and protects data integrity, guaranteeing that critical business applications operate securely.

Network Security

DKIM configuration monitoring

Email integrity and authenticity are regularly verified through cryptographic signatures. This ensures that emails are not altered during transit and come from legitimate sources, protecting against identity spoofing and ensuring trust in email communication.

SPF configuration monitoring

SPF records are regularly reviewed and updated. This ensures that only authorized servers can send emails from your domains, protecting against spoofing and improving email security by preventing forged messages from reaching recipients.

Network penetration testing

Controlled attacks are simulated through penetration testing to identify vulnerabilities in systems. These tests enable discovering weak points, evaluating the effectiveness of existing security measures, and improving protection against potential cyberattacks, ensuring a more secure and robust network.

DMARC configuration monitoring

Our DMARC policy is constantly monitored and adjusted. This protects against phishing and domain misuse, ensuring that only legitimate emails are sent from your domains, improving authenticity and security in email communication.

Privacy

Privacy policy

General Data Protection Regulation (GDPR)

Data Processing Agreement (DPA)

Documents

ISMS Policy

ISMS Scope

IS Structure

Information Security Policy

Information Security Committee Policy

Personal Data Anonymization Procedure

Information Processing Policy

Roles and Responsibilities Description

Information Security Plan

Training Program

Security Awareness Workshop

Risk Management Workshop

Risk Management Methodology

Asset Inventory

Risk Matrix

Statement of Applicability

Security Committee Meeting Minutes

Staff Preselection and Selection Procedure

Staff Hiring and Termination Process

SOD Matrix

Role-Based Access Matrix

Access Management Procedure

Access Review Procedure

BYOD (Bring Your Own Device) Policy

Clean Desk Policy

IT Technology and Operations Policy

Security Incident Management Procedure

Backup Management Procedure

Production Change Management Procedure

Public and Private Key Management Procedure

Log Management Policy

Log Management Procedure

Vulnerability Management Procedure

Infrastructure Diagram

Disaster Recovery Plan

Continuity Plan

Secure Development Policy

Development Lifecycle Methodology

Security Guide for System Development and Maintenance

Removable Media Information Transfer Procedure

Ethical Hacking + Vulnerability Scanning

Vendor Assessment Matrix

Legal and Contractual Requirements Assessment Matrix

Layered Security Policy

Continuity Test

ISMS Communication Plan

Information Security Indicators Methodology

Metrics and Indicators List

Audit Plan and Program

Corrective and Improvement Actions Procedure

Ethical Hacking + Vulnerability Scanning Remediations

Evidence of Implemented ISO 27002 Controls

ISMS Internal Audit

Corrective and Improvement Actions Treatment Plan

Secure Development Training

Validate IS requirements in contracts with employees and vendors

Threat Intelligence Management Procedure

Vendor Review and Contracting Procedure

Hardening Documentation

Have questions about security or compliance?

Our team is here to provide documentation, support due diligence requests, or walk you through our security practices.

Contact our security team