Legal — Data Security Policy

Security Policy – KAGR LLC

Last Updated: 9/13/2023

KAGR LLC (“KAGR”) is committed to securely and reliably maintaining in confidence Client Data and other Confidential Information that it receives from or on behalf of Client (collectively, “Client Information”). To meet this commitment, KAGR has implemented the following policies with respect to security and Client Information. Each Party will comply with the terms hereof. Capitalized terms used but not defined herein have the meanings ascribed to them in the KAGR Master Client Agreement, available at https://www.kagr.com/legal-master-client-agreement/ (the “Agreement”).

  1. Scope of Use of Client Information. KAGR obtains Client Information solely for the purpose of fulfilling KAGR’s contractual obligations to Client under the Agreement, and will Process and use Client Information in accordance with the Agreement and with applicable laws.
  2. Data Storage and Retention Policy. KAGR shall use reasonable efforts designed to ensure that Client Information in its possession is replicated and backed up in multiple reasonably secure locations, based on the nature of the information. To the extent required by Applicable Laws, Client Information shall be encrypted while at rest or in transit.  Client Information will not be kept for longer than necessary to fulfill KAGR’s contractual obligations to Client under the Agreement and KAGR will delete Client Information from KAGR systems within ninety (90) days of termination or expiration of the Agreement, unless (in each case) KAGR is required by Applicable Laws to retain certain information, or Client Information is used in anonymized form or in an aggregated format in accordance with the Agreement, or Client Information retained by KAGR in an archive on backup systems.
  3. Access to Client Information. KAGR stores Client Information in logically separated secure locations, and employs a role-based Client Information access and authorization procedure pursuant to which only those employees and/or consultants of KAGR who have a legitimate and documented “need to know” will have access to Client Information and only to the extent of such need. All access in the KAGR systems containing Client Information is logged.
  4. Platform Infrastructure. The KAGR platform resides on an externally hosted cloud infrastructure with access restricted in the manner described in Section 3 above to KAGR employees and consultants. Principally, KAGR leverages Amazon Web Services (AWS) for infrastructure hosting, which provides high levels of physical and network security. The physical, environmental, and infrastructure security protections with respect to such infrastructure hosting, including continuity and recovery plans, are subject to AWS’s security measures. You can read more about those security measures (including about any third-party certifications AWS supports) at AWS’s Compliance site at https://aws.amazon.com/compliance/?trk=9bc21f40-12f4-4d2b-8b8d-6f6f65ab19e6&sc_channel=ps&ef_id=CjwKCAjwq4imBhBQEiwA9Nx1BkNq208lYqL4cr1PUyWs4SVyKDxQCINUmRcsg42L4EKRjiR-dIVzMhoCNgoQAvD_BwE:G:s&s_kwcid=AL!4422!3!614802967437!p!!g!!amazon%20compliance!17954999002!141499696284.
  5. Security Incidents. As set forth above, KAGR takes reasonable technical and organizational measures designed to safeguard against any breach of security leading to unauthorized access to, and/or Processing of, and/or accidental loss, destruction, or damage to, Client Information (a “Security Incident”). Subject to any directions from law enforcement to the contrary, KAGR will notify Client promptly (and in no event more than 72 hours) after becoming aware of any Security Incident affecting Client Information, so that Client can fulfil any data breach reporting obligations it may have under Applicable Laws.  Such notice shall include (to the extent known by KAGR) reasonably detailed information regarding the nature and scope of the Security Incident, any reports submitted by KAGR to law enforcement related to the Security Incident, the cause of the Security Incident, and (to the extent such Security Incident was caused by KAGR’s acts or omissions) the measures being taken by KAGR to investigate, correct or mitigate such Security Incident. KAGR will further take reasonable and appropriate measures and actions to minimize the impact of the Security Incident (to the extent such Security Incident was caused by KAGR’s acts or omissions) and shall keep Client informed of all material developments in connection with the Security Incident to the extent known by KAGR. KAGR will provide reasonable assistance to, and shall reasonably cooperate with all reasonable requests of, Client to investigate and (to the extent such Security Incident was caused by KAGR’s acts or omissions) to mitigate and/or address such Security Incident.  KAGR agrees that, except to the extent required by Applicable Laws, any decision to notify data subjects or any governmental authority of the Security Incident shall be in Client’s reasonable discretion and no notice shall be sent by KAGR unless approved in advance by Client. KAGR will reimburse Client for all reasonable costs and expenses incurred by Client related to investigating a Security Incident to the extent such Security Incident was caused by KAGR’s acts or omissions.
  6. Audits – Promptly upon Client’s request, KAGR will provide Client with more detailed information regarding KAGR’s data security program.    KAGR will, upon Client’s reasonable prior written request, provide an independent and nationally recognized auditor (which auditor shall not be a competitor of KAGR or compensated on a contingency basis) with access to KAGR’s systems and records that involve or are related to any Processing of Client Information so that an audit may be conducted.  Client may not exercise such audit right more frequently than once per twelve (12) month period and Client will bear the full cost and expense of any such audit, provided that if such audit discloses a Security Incident, the auditor shall disclose all details of such Security Incident to KAGR, and, to the extent such Security Incident was caused by KAGR’s acts or omissions, KAGR will bear the reasonable costs and expenses of such audit and a further independent audit may be conducted within the then-current twelve (12) month period in Client’s discretion. No such audit shall be undertaken unless or until Client has requested, and KAGR has provided, information regarding KAGR’s data security program under this Section 6 and Client reasonably determines that such an audit remains necessary to demonstrate material compliance with the obligations set forth herein. Notwithstanding the foregoing, if KAGR provides Client with a current copy of its ISO 27000 (or substantially similar) certification performed by an independent nationally recognized auditor, such certification shall provide sufficient evidence that KAGR has a commercially reasonable security program in place, and Client shall not have the right to request a security audit of KAGR. In no event shall Client or any auditor have access to the information of any other client of KAGR and the disclosures made pursuant to this Section 6 (“Audit Information”) shall be held in confidence as KAGR’s Confidential Information and subject to any confidentiality obligations in the Agreement. Without limiting the generality of any provision in the Agreement, Client shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Client shall be liable for any improper disclosure or use of Audit Information by Client, auditor or Client’s agents. Further, Client shall ensure that any third-party auditor under this Section 6 is bound by obligations of confidentiality broad enough to encompass Audit Information that are at least as protective thereof as the Agreement and this Section 6.
  7. User Login Protections – The KAGR platform login system enforces a uniform password policy which requires a minimum of 8 characters and a combination of lowercase letters, uppercase letters, numbers, and special characters. Client and KAGR platform users cannot change the uniform password policy. If KAGR recommends that users set up multi-factor authentication, Client will promptly so implement that recommendation. KAGR shall have no responsibility or liability arising out of Client’s failure to adopt any security settings recommended by KAGR (including without limitation multi-factor authentication).
  8.  KAGR Employee Agreements. Each KAGR employee has executed a agreement pursuant to which each employee is obligated to treat Client Information confidentially and in accordance with this policy.
  9. KAGR Corporate Security – KAGR enforces a commercially reasonable corporate password policy for its employees and contractors who have access to KAGR systems containing Client Information. That policy requires frequent changing of passwords, and a minimum password length and a combination of lowercase letters, uppercase letters, numbers, and special characters. KAGR prohibits account and password sharing by multiple employees. KAGR’s physical offices where Client Information is Processed are also secured in multiple ways. Security guards and video surveillance are employed. Door access is controlled using RFID technology tied to individuals, and which are automatically deprovisioned if lost or when no longer needed.

If you have any questions about this Security Policy, please e-mail security@kagr.com.