Legal — Data Security Policy

Security Policy – KAGR LLC

KAGR LLC (“KAGR”) is committed to securely and reliably maintaining in confidence client data and other confidential information that it receives from or on behalf of its clients (collectively, “Client Information”). To meet this commitment, KAGR has implemented the following policies with respect to security and Client Information.

  1. Scope of Use of Client Information. KAGR obtains and uses Client Information solely for the purpose of fulfilling KAGR’s contractual obligations to its clients, and will process Client Information strictly in accordance with its client agreements and with applicable laws.
  2. Data Storage and Retention Policy. KAGR ensures that Client Information is replicated and backed up in multiple durable and secure locations, based on the nature of the information. Client Information is encrypted while at rest using AES 256-bit encryption or in transit using TLS 1.2.  Client Information (processed or unprocessed) will not be kept for longer than necessary to fulfill KAGR’s contractual obligations to its clients. As such, KAGR will delete Client Information from KAGR systems within ninety (90) days of termination or expiration of the client relationship, unless it is required by law to retain certain information, or is retained by KAGR in an archive on backup systems.
  3. Access to Client Information. KAGR stores Client Information in logically separated secure locations, and employs a  role-based data access and authorization procedure pursuant to which only those employees and/or consultants of KAGR who have a legitimate and documented “need to know”  will have access to Client Information and only to the extent of such need. All access in the KAGR systems is logged.
  4. Platform Infrastructure. The KAGR platform resides on an externally hosted cloud infrastructure with secure access restricted in the manner described in Section 3 above to KAGR employees and consultants. Principally, KAGR leverages Amazon Web Services (AWS) for infrastructure hosting, which provides high levels of physical and network security. The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of AWS’s SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS Compliance site.
  5. Security Incidents. As set forth above, KAGR takes appropriate technical and organizational measures to safeguard against unauthorized access to, and/or processing of, Client Information, and against accidental loss, destruction, or damage to Client Information (a “Security Incident”). Upon becoming aware of a Security Incident, KAGR shall promptly notify Client and shall provide reasonable information and cooperation to Client so that Client can fulfil any data breach reporting obligations it may have under applicable data protection laws. KAGR shall further take reasonable and appropriate measures and actions to minimize the impact of the Security Incident and shall keep Client informed of all material developments in connection with the Security Incident. 
  6. User Login Protections – The KAGR platform login system enforces a uniform password policy which requires a minimum of 8 characters and a combination of lowercase letters, uppercase letters, numbers, and special characters. KAGR clients and KAGR platform users cannot change the uniform password policy. Users are also encouraged to set up two-factor authentication.
  7. KAGR Employee Agreements. Each KAGR employee has executed a comprehensive agreement pursuant to which each employee is obligated to treat Client Information confidentiality and in accordance with this policy.
  8. KAGR Corporate Security – KAGR enforces an industry-standard corporate password policy for its employees and contractors who have access to KAGR systems. That policy requires frequent changing of passwords, and a minimum password length and a combination of lowercase letters, uppercase letters, numbers, and special characters. KAGR prohibits account and password sharing by multiple employees. KAGR’s physical offices are also secured in multiple ways. Security guards and video surveillance are employed. Door access is controlled using RFID technology tied to individuals, and which are automatically deprovisioned if lost or when no longer needed.

If you have any questions about this Security Policy, please e-mail security@kagr.com.