Security at Kinde

Kinde takes security threats very seriously, as the integrity, confidentiality, and availability of our systems potentially impact our customers. If you have detected a security threat or vulnerability against Kinde systems or personnel, please reach out to your account manager or to the security mailing group at security@kinde.com.

Availability

Kinde production services are designed to be resistant to failure, with multiple frontend servers and replicated backend databases. Currently, all frontend and backend services run from the AWS Sydney and Oregon regions, across multiple availability zones for redundancy.

Disaster Recovery

Kinde will be performing a disaster recovery test in the near future to ensure that services can be recovered from a catastrophic failure. RTO and RPO metrics will be documented publicly for customers once the test has been completed.

Encryption for Data at Rest

All customer data at rest is encrypted in the Kinde production databases using the industry-standard AES-256 encryption algorithm. Encryption is facilitated by AWS KMS, with the ability to administer KMS strictly limited to privileged admins.

Encryption for Data in Transit

All network traffic to Kinde production services uses TLS 1.2 or later, with a limited set of modern, secure cipher suites enforced. Security headers are applied to all production endpoints where possible.

External Audit

Currently, Kinde has not conducted an external third-party audit based on industry-recognised frameworks such as Cloud Security Alliance STAR, SOC 2, or ISO 27001. From the beginning, Kinde has strived to embed consistent and modern security and privacy best practices throughout the business, across all departments and disciplines. The company’s initial security strategy is based on the Cloud Security Alliance’s STAR framework, and Kinde is currently working with a security partner to prepare for our first SOC 2 audit and attestation.

Identity Management

Internal identity is generally managed through the company’s single sign-on (SSO) platform, provided by Google Workspace. All systems that support it are connected to the company SSO platform. Multi-factor authentication is enforced for all users, and audit logs are enabled and monitored for systems connected to the company SSO. For systems that do not support SSO, employees are required to use the company-provided password manager to generate and manage secure credentials, and to enable MFA for added protection.

Access to systems is based on the employee’s job role, following the principle of least privilege. Privileged access to any system is strictly limited based on the employee’s job role, and accounts are individual to that user only.

Penetration Testing

Kinde has completed a network and web application penetration test conducted by Strike, scoped to cover anything and everything related to Kinde. The test included common OWASP techniques and specifically targeted workflows such as privilege escalation, authentication bypass, and cloud security. We intend to perform these tests at least annually.

Security Awareness

All employees take part in a security onboarding session during their first week that covers topics such as acceptable use, phishing, data privacy, identity, endpoint protection, data classification, and incident response.

Software Development Lifecycle

All Kinde source code is held in a company-managed source code repository. Source code is scanned using a suite of open source tools provided by golangci-lint, in particular gosec and nancy, which alert on insecure coding patterns that could lead to vulnerabilities. Access to the source code repository is restricted based on job role, with identity linked to the company single sign-on platform. Merges to source code require a peer review. Pull requests to the master branch are performed by senior engineers.

Vulnerability Management

Production services are deployed through a CI/CD pipeline using container technology. Server builds are done at least once a week and replace the existing servers. The build process uses the latest patched container host and container image to reduce the risk of vulnerabilities due to unpatched software.

All container images are scanned at build time using AWS Inspector for dependency and third-party library vulnerabilities. External production URLs and any public-facing cloud IP addresses are scanned weekly for vulnerabilities by Intruder. All vulnerability reports are triaged, analysed, and assigned to the engineering team for remediation based on vulnerability management SLAs.
