
Data Protection Measures

Last Updated: May 2024

Akeyless Security Ltd., together with its subsidiaries and affiliated companies (“Company,” “our” or “we”), is committed to being transparent with respect to the security measures it has implemented in order to secure and protect its IT and data systems, including Personal Data (as defined under applicable data protection law, including without limitation the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), collectively the “Data Protection Regulations”) processed by the Company for the purpose of providing its Services (as such term is defined in our Privacy Policy).

This document outlines the Company’s security, technical and organizational practices.

As part of our data protection compliance measures, Akeyless is certified under, and regularly audited against, ISO 27001 (information security management) and ISO 27701 (privacy information management), and undergoes System and Organization Controls (SOC 2) examinations. As part of those efforts, we have implemented technical, physical and administrative security measures to protect the Personal Data of our Customers, Visitors and Customers’ employees, as explained below.

  • Management Involvement and Overall Security Management
    Akeyless data security practices are anchored in a robust control environment, defined by a strong awareness and attitude towards internal controls from its management under the supervision of the board. Authority and responsibility are clearly defined and communicated through organizational structures and policies. Management, including the Company’s DPO and CISO, routinely assesses risks and compliance, emphasizing security and confidentiality. Human resources policies strengthen this framework, focusing on hiring competent personnel, providing necessary training, and ensuring compliance with security policies. The company’s management actively supports security-related activities, allocating adequate funding and resources.

  • Risk Assessment and Mitigation
    A clear, pre-defined and detailed risk assessment strategy is integral to the Akeyless data security framework, focusing on identifying, analyzing, and mitigating risks that could impact the Company’s objectives and its services. This involves a thorough evaluation of information assets, threats, and vulnerabilities, both internal and external. The Company employs a formal risk management program, continuously addressing information security risks through a variety of treatment options such as acceptance, avoidance, mitigation, and transfer. Key decisions on risk treatment are documented and approved annually by management (as part of the ISO 27001 certification), ensuring that risk mitigation is effectively integrated into the Company’s overall risk management strategy.

  • Penetration Testing
    An external web application penetration test is conducted on a regular basis. Critical and High findings are investigated and remediated in a timely manner in accordance with the Akeyless SDLC process, or by any other necessary means. A re-test is then performed to verify that the relevant findings have been remediated.

  • Access Control, User, and Permissions Management
    Akeyless implements stringent access control and user permissions management to ensure the security of its information assets. Access is strictly limited to what is necessary for an employee’s or contractor’s role, governed by group-based permissions aligned with job descriptions and responsibilities. Access permissions are regularly reviewed and approved. Akeyless enforces robust password standards, including requirements for character complexity and password history. Additional security measures include controlled access to system resources, especially for higher-privilege accounts, and enforced security settings on company laptops, including encryption and remote wipe capabilities. The Company also has a prompt revocation process for user accounts upon termination of employment, further safeguarding against unauthorized access. All remote access to Akeyless resources and data assets requires multi-factor authentication (MFA).

  • Production System Access
    Akeyless maintains rigorous access controls within its production environment to safeguard system integrity and data security. Access to the production environment is heavily restricted and protected by two-factor authentication, ensuring that only authorized personnel gain entry. Access to backups, and any alteration or deletion of them, is strictly controlled, available only to authorized users and again protected by two-factor authentication. The same level of security applies to source control and to sensitive database access, ensuring robust protection against unauthorized changes or data breaches.

  • Physical Access and Visitors
    Physical access to the offices is restricted to authorized personnel using a designated key code or key. The premises are further protected by an alarm system and a 24/7 manned reception desk or guard at the entrance to the building. Visitors must always be accompanied by an Akeyless employee during their stay. Employees encountering an unfamiliar or suspicious person in the office are expected to politely ask them about the nature of their business and, if necessary, accompany them to their host. Visitors are not allowed to access or connect to the Akeyless company network or equipment.

  • Data Center Security
    Akeyless data center security relies on the global infrastructure of well-known major cloud service providers, which encompasses facilities, networks, hardware, and operational software. This infrastructure adheres to stringent security best practices and complies with various security standards and regulations, including ISO 27001, ISO 27017 and ISO 27018, and SOC 2. The data processed by the Company as a Processor (as such term is defined under the GDPR) may be stored on any cloud of the customer’s choosing, including, but not limited to, Amazon Web Services (AWS), Google Cloud Platform and Microsoft Azure. Please see the published security measures of AWS, Google Cloud Platform and Microsoft Azure for details of each provider’s controls.

  • Application Security and SDLC
    The Akeyless application security framework includes rigorous penetration testing to prevent unauthorized access to confidential information, with regular external tests and prompt resolution of critical findings. Akeyless also implements robust vulnerability management, conducting regular internal scans and quarterly production network scans, and ensures timely remediation of high-risk vulnerabilities, including vulnerabilities in source code identified as part of the SDLC.

  • Logical Security
    Akeyless employs a managed configuration system for server and patch management, maintaining hardened security settings across devices. This is complemented by endpoint protection on employee devices through an EDR system and by restricted software installation, ensuring a secure and controlled application environment (i.e., employees generally do not hold local administrator rights on their hosts).

  • Job Control
    All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions binding them to comply with the Company’s policies, in particular the information security policy. In addition, employees undergo a screening process as permitted by applicable regional law. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies disciplinary measures in accordance with the Company’s Employee Secured Code of Conduct.

  • Employee Awareness and Training
    Akeyless places a strong emphasis on security awareness and training for all employees, recognizing the importance of understanding their information security responsibilities. This is achieved through the communication of security policies and guidelines, underpinned by the Akeyless security awareness program. A mandatory annual security awareness training program is in place for all employees. This training covers critical areas such as common security risks and threats, compliance with regulations, understanding of the Acceptable Use Policy, information security practices, data protection and customer privacy, laptop security, and awareness of social engineering tactics including fraud and phishing. 

  • Encryption 
    Akeyless employs robust data encryption strategies to protect both data in transit and data at rest, enhancing its overall data security posture. For data in transit, the Company ensures secure communication between its customers and company assets through HTTPS, with TLS 1.2 as the minimum protocol version and certificate-authenticated connections. All restricted information assets, such as databases and backups containing customer data, are encrypted at least at the disk level (disk-level encryption protects data against loss or theft of the underlying storage media). Moreover, customer content stored at rest is automatically encrypted using multiple encryption mechanisms to protect customers’ secrets, in a layered encryption approach that provides a high level of security for stored data, mitigating risks and enhancing customer trust. You can read more about that approach on the Akeyless website.

  • Vendor Security and Management
    Prior to engaging a third-party contractor, the Company reviews that third party’s security posture to ensure it complies with the Company’s standard for data security protection. Third-party contractors may access Personal Data only as explicitly instructed by the Company. Any relevant supplier is required to sign a DPA or an NDA, as appropriate to its processing operations on behalf of the Company. The Company reviews its vendors on an annual basis as part of its ISO 27001 certification.

  • Transfer Control
    Except for transfers of data as part of the use of our trusted third-party vendors, the Company does not transfer any Customer data outside of the Company’s production environment. Vendors are always managed under strict security compliance and audit, as elaborated above, and, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement, all in accordance with applicable laws. Destruction of Personal Data following termination of the engagement is ensured within the contract between the parties.

    Cross border transfer of Personal Data is managed in accordance with applicable law, as stipulated in Akeyless DPA, and Akeyless is certified under the Data Privacy Framework as detailed therein. 

  • Availability Control
    The Company maintains backup policies and associated measures. Such backup policies include constant monitoring of the operational parameters relevant to the backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular checks of the condition and labelling of data storage devices. The Company ensures that regular restore tests are carried out, as required and applicable, to verify that data can actually be recovered from the backups.

  • Data Retention
    Customer data is retained by Akeyless only to the extent needed to provide the Customer with the services. Personal Data is retained for as long as needed to provide the services or as required under applicable laws. Individuals may request data deletion; however, this right is not absolute and is subject to limitations, all as detailed in the Company Privacy Policy. Personal Data retention periods are governed by the Akeyless Data Retention policy under its ISO 27701 certification.

  • Compliance Programs
    The Company’s operations, policies and procedures are audited regularly to ensure that they meet all standards expected of a cloud service provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. The Company’s systems and Services have been audited and verified under the ISO 27001 and ISO 27701 certifications and the System and Organization Controls (SOC 2) examination. If you wish to be provided with such certifications and reports, please contact us at: [email protected].

  • Reporting A Security Issue
    The Company allocates considerable resources to ensuring secure code and infrastructure for all of its products. If you believe that you have found a vulnerability in our security practices or in any of our products, please report it to us immediately through our designated vulnerability reporting webpage. Please include a brief description, detailed steps that we can take to reproduce the issue, and an explanation of what the impact of the issue might be.

  • Responsible Disclosure Policy
    We encourage responsible disclosure of security vulnerabilities, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across and avoid violating the privacy of any person. Please provide us with a reasonable amount of time to fix any vulnerability you find before you make it public. In return, we promise to investigate reports promptly and not to take any legal action against you with respect to such reports.

In addition to, and without derogating from, our own compliance with privacy and security regulations, our customers remain responsible for their own compliance with applicable laws, regulations and privacy programs.