KPI Fire Security Overview
At KPI Fire, we are committed to achieving and maintaining the trust of our customers. We strive to provide our customers with the most robust, safe and secure software that meets the security requirements of enterprise and government customers alike.
These policies relate to the main instance of KPI Fire located at app.kpifire.com (the "Covered Services"). The KPI Fire Service is operated in a multi-tenant architecture that is designed to segregate and restrict Customer Data access based on business need. The architecture provides logical data separation between customers via customer-specific "Customer IDs" and supports customer- and user-level role-based access privileges. In some cases, and by customer request, KPI Fire customers may be set up in a dedicated host environment, and in those instances additional security policies may be in place.
3. Security Plan
KPI Fire maintains a detailed security plan and policies that cover all of the areas summarized in this document as well as over 100 additional controls. These controls are designed to keep customer data safe and to preserve its availability, confidentiality, and integrity. Customers can request a review of the full security plan and policies.
4. Data & Data Ownership
Customers retain ownership of all data they load into KPI Fire. You may download your data from the system yourself at any time while your account is active, or you can request an export of your data from our professional services team for a fixed fee or at a Time and Materials rate. You can request that all of your data be deleted from our servers at any time.
5. Security Controls
The KPI Fire service includes a variety of customer-configurable security controls that allow customers to tailor the security of the Covered Services for their own use: 1) User License Type, 2) User Department, 3) Record Level Access, 4) File Storage Location options, and 5) Single Sign-On for customized access controls.
- Passwords: The KPI Fire application requires passwords of 8 characters with at least 1 uppercase letter, 1 lowercase letter, and 1 special character. If your organization requires additional controls, the Single Sign-On option can be used in connection with your own Identity Management System.
- Access Control: Customers are responsible for configuring the settings that determine access to the KPI Fire application by User License Type, Department, and Record Level Access.
- Data Storage (Attachments): For increased control of documents in KPI Fire, a Customer Admin user can set the "File / Link" option to require that all attachments be stored on the customer's own network rather than uploaded to KPI Fire. This is a popular setting for customers concerned with HIPAA.
6. Data Encryption
The Covered Services use industry-accepted encryption products to protect Customer Data and communications in transit between a customer's network and the Covered Services, including Transport Layer Security (TLS) leveraging at least 2048-bit RSA server certificates and 128-bit symmetric encryption keys. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes over encrypted links using AES-256 encryption.
7. Control of Processing
KPI Fire has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by KPI Fire and its subprocessors. In particular, KPI Fire and its affiliates have entered into written agreements with their subprocessors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with these obligations, as well as the technical and organizational data security measures implemented by KPI Fire and its subprocessors, is subject to regular audits.
8. Audits and Certifications
The following security and privacy-related audits and certifications are applicable, organized by tier:
- Infrastructure (Tier 1) includes physical access to servers, hardware, and datacenters. It is managed by Amazon Web Services and is covered by the following audits or certifications: SOC 1, SOC 2, SOC 3, PCI, ISO 2001, SSAE 18, and ISO 27001, 27017, and 27018.
- Application (Tier 2) includes the software application and all access controlled by KPI Fire. It is subject to regular automated audits against the Center for Internet Security AWS Foundations Benchmark and a NIST 800-171 self-attestation.
- Customer (Tier 3) includes all customer-granted access points, including regular admin or user logins, API access, and Single Sign-On access. Customers are responsible for their own audit compliance in these areas. KPI Fire is willing to assist customers in meeting their own audit requirements that relate to KPI Fire, such as the Business Associate Agreements required for most HIPAA compliance, or requirements specific to GDPR.
9. Change Management
KPI Fire has an established process for making changes to the software. All changes must be documented, approved, and tested. A change request ticket is used to track each change's risk, impact, test results, approvers, duration, change window, deployment, and backout steps. The change request must be submitted and approved prior to any normal change. All changes go through a sequence of deployment steps: testing on developer machines, development environment testing, staging environment automated and manual testing, and finally production deployment during scheduled windows. We reserve a standing maintenance window on Saturday afternoons, 8-10 PM (UTC-6), during which changes can be made to production environments. These changes may require a server restart and may or may not be noticeable to most customers; typical impact is less than 7 minutes if a server restart is required. Emergency changes may be executed upon verbal approval from the Chief Information Officer and documented post-implementation.
10. Backups, Exports, and Business Continuity
KPI Fire has implemented an architecture built on the Amazon RDS and S3 services, which are highly available and provide daily backups of all items stored in the database as well as of attachments uploaded to the KPI Fire servers. All items in KPI Fire are also exportable to CSV or Excel for customers who wish to hold their own backup copies of their data. For customers who choose to turn off the file upload feature, all file attachments are stored on the customer's own network and are subject to the customer's own backup processes.
11. Additional Information
This document is intended to provide a summary of the KPI Fire System Security Plan and Policies. If you are considering KPI Fire for an enterprise or government implementation and need a more comprehensive review, or have additional questions, you can request a "Security Review" through your salesperson or Account Manager.
Last Updated: Jan 1, 2020