Security Policy – KAGR LLC
Last Updated: 10/13/21
KAGR LLC (“KAGR”) is committed to securely and reliably maintaining in confidence client data and other confidential information that it receives from or on behalf of its clients (collectively, “Client Information”). To meet this commitment, KAGR has implemented the following policies with respect to security and Client Information.
- Scope of Use of Client Information. KAGR obtains and uses Client Information solely for the purpose of fulfilling KAGR’s contractual obligations to its clients, and will process Client Information strictly in accordance with its client agreements and with applicable laws.
- Data Storage and Retention Policy. KAGR ensures that Client Information is replicated and backed up in multiple durable and secure locations, based on the nature of the information. Client Information is encrypted while at rest using AES 256-bit encryption or in transit using TLS 1.2. Client Information (processed or unprocessed) will not be kept for longer than necessary to fulfill KAGR’s contractual obligations to its clients. As such, KAGR will delete Client Information from KAGR systems within ninety (90) days of termination or expiration of the client relationship, unless it is required by law to retain certain information, or is retained by KAGR in an archive on backup systems.
- Access to Client Information. KAGR stores Client Information in logically separated secure locations, and employs a role-based data access and authorization procedure pursuant to which only those employees and/or consultants of KAGR who have a legitimate and documented “need to know” will have access to Client Information and only to the extent of such need. All access in the KAGR systems is logged.
- Platform Infrastructure. The KAGR platform resides on an externally hosted cloud infrastructure with secure access restricted in the manner described in Section 3 above to KAGR employees and consultants. Principally, KAGR leverages Amazon Web Services (AWS) for infrastructure hosting, which provides high levels of physical and network security. The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of AWS’s SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS Compliance site.
- Security Incidents. As set forth above, KAGR takes appropriate technical and organizational measures to safeguard against unauthorized access to, and/or processing of, Client Information, and against accidental loss, destruction, or damage to Client Information (a “Security Incident”). Subject to any directions from law enforcement to the contrary, KAGR will notify client promptly (and in no event more than 72 hours) after learning of any actual or suspected Security Incident involving such client’s information, so that client can fulfil any data breach reporting obligations it may have under applicable data protection laws. Such notice shall include detailed information regarding the nature and scope of the Security Incident, any reports submitted by KAGR to law enforcement related to the Security Incident, the actual or suspected cause of the Security Incident, and the measures being taken by KAGR to investigate, correct or mitigate the Security Incident. KAGR will further take reasonable and appropriate measures and actions to minimize the impact of the Security Incident and shall keep client informed of all material developments in connection with the Security Incident that relate to client’s information. KAGR will provide reasonable assistance to, and shall cooperate with all reasonable requests of, client to investigate and mitigate any Security Incident involving such client’s information. KAGR agrees that, except to the extent required by applicable law, any decision to notify data subjects or any governmental authority of the Security Incident shall be in the client’s reasonable discretion and no notice shall be sent by KAGR unless approved in advance by the client. KAGR will reimburse client for all reasonable costs and expenses incurred by the client related to investigating a Security Incident involving such client’s information.
- Audits – Promptly upon a client’s request, KAGR will provide client with more detailed information regarding KAGR’s data security program. KAGR will, upon a client’s request, provide an independent and nationally recognized auditor with access to KAGR’s systems and records that involve or are related to any processing of Client Information so that an audit may be conducted. Client may not exercise such audit right more frequently than once per twelve (12) month period and the client will bear the full cost and expense of any such audit, unless such audit discloses a Security Incident, in which case the auditor shall disclose all details of such Security Incident to KAGR, KAGR will bear the reasonable costs and expenses of such audit and a further independent audit may be conducted within the then-current twelve (12) month period in the client’s discretion. Notwithstanding the foregoing, if KAGR provides client with a current copy of its ISO 27000 (or substantially similar) certification performed by an independent nationally recognized auditor, such certification shall provide sufficient evidence that KAGR has a commercially reasonable security program in place, and client shall not have the right to request a security audit of KAGR.
- User Login Protections – The KAGR platform login system enforces a uniform password policy which requires a minimum of 8 characters and a combination of lowercase letters, uppercase letters, numbers, and special characters. KAGR clients and KAGR platform users cannot change the uniform password policy. Users are also encouraged to set up two-factor authentication.
- KAGR Employee Agreements. Each KAGR employee has executed a comprehensive agreement pursuant to which each employee is obligated to treat Client Information confidentially and in accordance with this policy.
- KAGR Corporate Security – KAGR enforces an industry-standard corporate password policy for its employees and contractors who have access to KAGR systems. That policy requires frequent changing of passwords, a minimum password length, and a combination of lowercase letters, uppercase letters, numbers, and special characters. KAGR prohibits account and password sharing by multiple employees. KAGR’s physical offices are also secured in multiple ways. Security guards and video surveillance are employed. Door access is controlled using RFID technology tied to individuals, which is automatically deprovisioned if lost or when no longer needed.
If you have any questions about this Security Policy, please e-mail security@kagr.com.