Uku's Security Policy
Security Policy
With security at the core of Uku, your data is safe. Information is encrypted in transit, stored securely in enterprise-grade cloud servers and major data protection regulations are adhered to.
Servers Compliance & Certification
Uku servers run on Akamai Cloud Computing based on Linode located in Frankfurt, Germany. These data centres include state-of-the-art physical and environmental access controls in highly secure environment (certified to ISO 27001) and safety features including:
- 24/7 professional security staff, video surveillance, and intrusion detection systems;
- Fire detection and suppression, redundant electrical power systems, and uninterruptible power supply (UPS);
- Monitoring of electrical, mechanical, and life support systems and equipment.
Server compliance regulations:
- ISO/IEC 27001:2013
- PCI Data Security Standard (PCI DSS)
- EU-US Privacy Shield and Swiss-US Privacy Shield
- EU General Data Protection Regulation (GDPR)
https://www.linode.com/legal-compliance
Data Security & Encryption
All connections to Uku are using TLS 1.2 transport layer security where all data is encrypted with the SHA-2 (SHA-256withRSA) encryption and passwords are encrypted with SHA-512 cryptographic hashing algorithm using also a random Salt. System controls have been implemented to prevent cross site scripting and SQL injection attacks.
Application Security
Access to Uku’s servers environments is strictly restricted to trusted IP addresses and only to lead technical personnel. The firewall used on our servers is UFW. By default connections to all ports are denied, only the ports necessary for the application to operate are allowed to access (HTTP, HTTPS). SSH connection to the server can only be established from certain IP addresses and only with private keys. Password access to the servers is denied to all users.
Testing and Staging environments are logically separated from the Production environment. The access to deployment service is restricted to the parties necessary.
To keep passwords and keys secure, the information is stored using AES-256 for symmetric encryption and RSA 2048 for asymmetric / public key encryption in trusted password management service. The access to the password service is restricted to the parties necessary.
Product Security Options
Access to Uku is connected to a user’s email account. Multi or two-factor authentication is supported by Google or Azure AD (O365) accounts;
All users must be invited to join a tenant and accept that invitation before they can access any tenant data.
Ukus’s security policies and features are designed to keep documents and transactions bank-level secure. Should the client need additional security customizations to match the company’s policies, Uku can offer additional security upgrades, including:
- Authentication only via Google account;
- Authentication only via Azure AD (O365) account;
- Enterprise level client database to be hosted on separate server (additional fee)
Availability & Continuity
Uku has support & operational staff available on call every work day. In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance.
System vulnerability assessments and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks.
Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the Uku platform and the data stored within it. Events that affect customers are given the highest priority.
Reliability & Backups
Solution and work processes are designed for 24h RTO and 24h RPO.
Regular automated server backups prevent any data loss. Database backups are done once a day.
Security Audits
Uku framework has received OWASP ASVS 2.0 security audit from an independent security company that conducts security audits as well as static and dynamic analysis scans.
Internally, security audits are regularly performed by a security team under the supervision of the Board of the company. Each IT employee receives regular security training, and all updates and new features are scanned for security as security testing is integrated into the application development lifecycle.
Credit Card
Uku does not store any credit card information on its servers. Payments are processed by a PCI Data Security Standard (PCI DSS) Level 1 provider. All subscriptions are processed by Braintree, a PayPal service. PCI Data Security Standard (PCI DSS) ensures companies that process, store or transmit credit card information maintain a secure environment.
Privacy Principles
Uku respects its user’s privacy and applies necessary data protection safeguards to prevent data breaches and to provide privacy-related rights.
Uku only collects the personal data necessary for the purpose of providing its services and to do it with high quality. All personal data is deleted after it is no longer necessary for client relations and services.
You can always ask questions and request your rights according to GDPR (data deletion, portability, access, rectification etc.) by contacting Uku at info@getuku.com.
