Security

For CIOs

Overview

This overview applies to the products, services, websites and apps offered by KaizApp AG. KaizApp® is a registered trademark of KaizApp AG, a company registered in Switzerland with offices at Rathausstrasse 7, 6341 Baar, Zug, Switzerland. Company registration is CHE-483.840.519.

 

KaizApp values the trust our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information most seriously and strive for transparency around our security practices outlined below. Our Privacy Policy outlines the ways we handle your data.

 

As such we operate a policy of disclosure in relation to security. Keeping our customers’ data protected at all times is our highest priority. We operate a policy of continuous security improvement. This security overview provides a high-level introduction to KaizApp® for CIOs and an overview of the security practices at KaizApp AG.

 

Introduction to KaizApp®

KaizApp® is a digital platform for enterprise-wide performance improvement and is provided as Software as a Service (SaaS) for use by every employee of clients and by consultants. KaizApp® is used for the digital transformation of performance improvement to (1) deliver greater financial returns, (2) support collaboration on improvement and (3) accelerate the development of improvement capability. KaizApp® places a standard end-to-end performance improvement process in the pocket and/or on the desktop of every employee. It enables teams to run complete improvement projects within the app, including the ability to:

  • Capture improvements, problems, actions, objectives, images, PDFs and video
  • Innovate efficiently to find solutions
  • Implement solutions and iterate
  • Manage large numbers of Actions easily
  • Replicate best practices across sites
  • Easily translate operational improvements into business cases
  • Set targets and objectives and see results in Financial and KPI terms
  • Share the KPIs and financial impacts of improvements across the enterprise
  • Operate PMO style financial tracking of improvements (without use of Excel)
  • Keep everything related to improvements in one place
  • Collaborate remotely to develop improvements and solve problems
  • Coach team members in structured improvement thinking; including remotely
  • Present improvements from KaizApp® (without use of PowerPoint)
  • Reduce use of incumbent applications (PowerPoint, Excel, Word, WhatsApp and other social media applications, email, drives)
  • And much more…

 

KaizApp is great for transformation, performance improvement, continuous improvement, operational excellence, and as part of lean ways of working.

 

Features

For simplicity, all features are available on all price plans.

 

Benefits for improvers:

  • Up to 50% more financial improvements
  • Up to 20% productivity improvement
  • Faster learning
  • An extensive array of collaboration and capability development benefits

 

The benefits achieved depend on the maturity of operations, user training and proficiency, employee improvement skills, extent of adoption of KaizApp® features, quality of improvement leadership and many other factors. Commonly, the payback period on KaizApp investment and adoption is less than 12 months.

 

KaizApp® – understanding why (basic)

Incumbent applications are unsuitable for performance improvement. If you map the media and applications used for performance improvement at each level in your organisation, you will typically find that ‘coal face’ employees rely on paper, paper posters, white boards and social communication applications, action lists, and even post-it notes. In contrast, senior employees rely on PowerPoint, Excel, Word, email and BI warehouses for performance improvement. At mid-levels, managers tend to draw on both sets of media and applications.

 

Given that managers tend to prioritise their time reactively on the basis of most urgent needs, such a complex media and application landscape tends to minimise performance improvement progress. These various media and applications serve as data islands and are simply not designed nor intended for performance improvement.  Each addresses an aspect of improvement but fragments the flow of improvement data, activities, communication and collaboration. The result is a loss of speed, flow, capacity and benefit delivery.  Managers tend not to be aware of these inefficiencies, mainly because of familiarity; having ‘grown up’ with said applications.

 

KaizApp® revolutionises performance improvement enterprise-wide, with a single digital platform. Employees collaborate seamlessly to deliver more improvements, more quickly. KaizApp® makes light work of progress reporting, financial progress tracking, presentation, actions management, business & project KPI tracking, objectives, know-how search, and so much more. KaizApp® allows all improvements to exist on a single platform supporting ‘everything in one place’, retained and searchable forever, even after employees exit.  The value generation opportunity provided by KaizApp is very large.

 

KaizApp® will reduce usage of incumbent applications, particularly Excel, PowerPoint, social media communicators, email, paper, server storage and many others.  It depends on your context as to whether there will be software licence fee savings.  There will be a financial return on investment for KaizApp adoption driven by increased performance improvement productivity, collaboration, increased skills, replication, and many other factors.

 

Digital transformation of performance improvement is low risk and high reward

Performance improvement is one of the most straightforward enterprise processes to digitise since it presents no direct risk to the day to day delivery of customer value.  Users quickly appreciate the integration of improvement information, with increased collaboration and engagement up and down organisation levels and across teams and locations.  Everything in one place brings large time and capacity improvements.  By way of its design, KaizApp® facilitates a culture of focusing improvement activity on performance improvements with the greatest financial returns.  Use of KaizApp® accelerates learning and strongly supports development of employee improvement skills and capabilities.

 

Data Capture in KaizApp®

Much of the data that will be captured in KaizApp® is likely to be partially recorded in incumbent applications but in a fragmented way and with many gaps.  The main difference is that KaizApp makes the capture of improvement information convenient: (i) captured on the fly on any device (ii) everything in one place, (iii) recorded directly into a meaningful structure for both coaching and replication by others (even decades later), (iv) immediately presentation ready.  Consequently more data is captured and in a manner reusable by others and in the future. This results in a myriad of benefits.  Contact us to discuss in more detail.

 

28-Day Free Trial and Licenses

All accounts are first created at www.kaizapp.com. KaizApp AG will provide a unique Invitation Code for the Account Owner to use during account creation which will trigger a free trial period of 28 days and the possibility of a paid user license to follow. 

 

Sign-up

Sign-up any time with a business email address to access KaizApp® on your domain. For security reasons, KaizApp® access is only available to reputable organisations that have identified themselves. The sign-up process is fast, typically about 30 minutes, and does not require any technical skills. For example, any manager should be able to do this in less than 1 hour for a first 10-20 users. This process will work better where IS onboarding has been completed for each user in advance.

 

Adding Employees to KaizApp

Employees can only be added to KaizApp by invitation from within your account and each must have an e-mail address of a domain registered within your account.

 

Pilot KaizApp

The best approach to a trial is short and intense (approximately 3-5 days) and led by a determined yet polite manager, to ensure new habits are formed and that former ways of working are discontinued. Experts at KaizApp can assist with account creation, ‘super user development’ and initial training.  Users can be trained to use KaizApp quickly.  8-12 hours is sufficient for initial training and to lead a team of new users step by step through their first digital experience of performance improvement.  Some users will be up and running in 1hr and feel they do not need further support, but the majority will need several hours of support to become comfortable and to ensure they are not held back by missing application knowledge.

 

Security Statement

Browsers & Screen sizes

KaizApp® is currently available on 2 browsers: Google Chrome, Microsoft Edge.

Suitable screen sizes include: Mobiles, tablets, desktop computers.

 

Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and hold a wide range of compliance certifications. You can read more about their practices at:
https://aws.amazon.com/security/

 

Business continuity and disaster recovery

We back up all our critical assets in near real time and store backups for at least 7 consecutive days, while confirming restoration effectiveness on a regular basis. All our backups are encrypted and stored within AWS.

 

Secure development

We develop code that mitigates the OWASP Top 10 most critical web application security risks. We follow best practice to ensure the highest level of security in our software and we review our code for security vulnerabilities. We regularly update our dependencies to ensure that none of them have known vulnerabilities.

 

Penetration Testing

We commission external penetration testing of our applications on an annual basis and implement any findings based on assessment of risk without delay.  We use a penetration test partner whose specialised field is banking and financial application security.

 

Application security protection

We use a runtime protection system that identifies and blocks the OWASP Top 10 (web application information security risks) and business logic attacks in real-time. We use security headers to protect our users from attacks and security automation capabilities that automatically detect and respond to threats targeting our apps.

 

Application security monitoring

Members of our team are experts in security and incident response, and are active 24/7 monitoring KaizApp®. We use security monitoring solutions with real-time alerts to get visibility into our application security, identify attacks and respond quickly to any breach. Any security anomalies triggered are reported with technical context to help our engineers take swift action and also to support continuous improvement of our code. Our team can assess the impact of attacks and monitor suspicious activity. We use technologies to monitor exceptions and logs, as well as to detect anomalies in our applications. We collect and store logs to provide an audit trail of our applications’ activity. We use monitoring such as OpenTracing in our microservices.

 

Account takeover and User protection

We protect our users against data breaches by monitoring and blocking brute force attacks.

 

2 Factor Authentication

We provide two-factor authentication (2FA) to protect against unauthorised access. With 2FA active, knowing a user’s email address and password alone will not be sufficient to gain access. KaizApp 2FA uses free and secure authenticator apps (e.g. https://authy.com).

 

Password Protection Strength

Minimum 12 character passwords are mandatory.

 

Domain-based access control

KaizApp® is a business application for enterprises. Users can only be invited to access a KaizApp® account using their business email address. KaizApp® does not support access using public email addresses, which are blocked. Each email domain must be specifically registered within your KaizApp® account (e.g. domain.com, domain.co.uk, domain.de, domain.at etc…) before employees using those domains can be added. This brings certainty that only employees of domains registered with a KaizApp® account can be added as users.
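The invitation-time check described above, as an added example that is not KaizApp's own code: the public-webmail list, the account's registered-domain list and the function names are constructed for illustration. The comparison is an exact match on the normalised domain, so a registered domain admits neither its subdomains nor look-alike domains that merely end in the same string.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample of consumer webmail domains that are refused outright
# (not a complete list; a real deployment would maintain this centrally).
PUBLIC_EMAIL_DOMAINS = frozenset({
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com", "gmx.de",
})

# Characters permitted in the local part of an address (unquoted form only).
_LOCAL_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


class InviteRejected(ValueError):
    """Raised when an invitation does not satisfy the domain policy."""


def normalise_domain(domain: str) -> str:
    # Lower-case, strip a trailing dot and IDNA-encode, so 'Domain.COM' and
    # 'domain.com' compare equal while a Unicode look-alike such as 'dömain.com'
    # is compared in its punycode form and does not match 'domain.com'.
    d = domain.strip().rstrip(".").lower()
    try:
        return d.encode("idna").decode("ascii")
    except UnicodeError:
        raise InviteRejected(f"invalid domain: {domain!r}")


def split_address(address: str) -> tuple[str, str]:
    # Exactly one '@'; display names, quoted local parts and empty parts are refused.
    if address.count("@") != 1:
        raise InviteRejected("address must contain exactly one '@'")
    local, domain = address.rsplit("@", 1)
    if not local or not domain or not _LOCAL_PART.match(local):
        raise InviteRejected("malformed address")
    return local, normalise_domain(domain)


def check_invitation(address: str, registered_domains: Iterable[str]) -> str:
    """Return the normalised domain if the invitation is allowed, else raise InviteRejected."""
    registered = {normalise_domain(d) for d in registered_domains}
    _, domain = split_address(address)
    if domain in PUBLIC_EMAIL_DOMAINS:
        raise InviteRejected(f"public e-mail domain not allowed: {domain}")
    # Exact match only: a registered 'domain.com' does not admit 'mail.domain.com'
    # (subdomains must be registered separately), and a suffix test would wrongly
    # admit 'domain.com.attacker.example'.
    if domain not in registered:
        raise InviteRejected(f"domain not registered with this account: {domain}")
    return domain


def invitation_allowed(address: str, registered_domains: Iterable[str]) -> bool:
    """Boolean convenience wrapper around check_invitation."""
    try:
        check_invitation(address, registered_domains)
        return True
    except InviteRejected:
        return False
```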

 

User access levels

KaizApp® supports a range of levels of user, each having permission to access different information.

 

ISO/IEC 27001:2013 Information Security Management System

We operate an Information Security Management System as part of the way we work. We are ISO/IEC 27001:2013 certified. This standard provides a framework for establishing and maintaining an information security management system (ISMS) to secure sensitive information through a risk management process that combines IT systems, people, processes and physical security. KaizApp AG is committed to the continuous improvement of its information security systems. We achieve this by building the management of security into our daily, weekly and monthly routines.

 

GDPR

We are certified compliant to the General Data Protection Regulation (GDPR) for all our accounts and users, no matter their location. The purpose of GDPR is to protect the private information of users and provide users with control over their data.  KaizApp AG is committed to the continuous improvement of all aspects of data protection.

 

Data retention and removal

Account information

We retain your usage data for a period of up to 90 days after account cancellation.

Personal information

Every user can request the removal of personal data by contacting their KaizApp® account owner (their data controller).  KaizApp provides the functionality for account owners to delete users and all data that may identify them but not by default delete those users’ contributions.

 

Data Transfer

Other than as outlined above, KaizApp AG does not use any 3rd party providers to process any customer account or user data (other than Stripe for monthly payment plans). Any and all data processing is carried out internally by KaizApp AG.

 

Payment information – Monthly accounts paid by Credit card

All payment instrument processing for monthly plan payments is securely outsourced to Stripe which is certified as a PCI Level 1 Service Provider.  KaizApp AG does not collect any payment information (Stripe does this on our behalf) and we are therefore not subject to PCI obligations.

 

Employee access

All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers’ sensitive information. Our strict internal procedure prevents any employee or administrator from gaining access to user data other than as permitted and controlled by the procedure. Under the procedure the number of employees with access is absolutely minimised.  Permitted reasons for access include where specific approval is granted for customer support purposes.

 

KaizApp® – AWS Security Description

KaizApp® runs on AWS using an architecture design that follows AWS Well-Architected principles. Administration access to the environment is tightly controlled, with no direct SSH access to the production environment. Deployments are handled using CI/CD pipelines from KaizApp®’s version control repository.

The networking tier consists of three separate subnets – public, private and data – the recommended configuration in line with defence-in-depth methodologies. The public subnet is the outer layer exposed to the internet and contains the environmental proxy services, including the application load balancer and NAT Gateways.

The private tier contains the EC2 instances which provide access to the application. This layer is configured to communicate with the proxy services only and not the outside world. EC2 instances are ephemeral in nature and are configured to rebuild regularly on an automatic schedule, limiting the effective lifespan of any vulnerability. Furthermore, there are no public IP addresses assigned to the EC2 instances visible on the internet. The data tier provides a further layer of segregation and is where the database services for KaizApp® are located. These are only configured to communicate with the application tier and do not have internet access.

Flow logging is enabled to log network traffic. To protect data in transit, AWS Certificate Manager is deployed to manage SSL/TLS certificates. Such certificates are considered safer than traditional SSL certificates as they are cycled on a rolling 3-monthly basis. The application is configured by KaizApp AG to use AWS Systems Manager Parameter Store, a secure alternative to embedding hard-coded credentials within the application, making it harder for any potential attacker to gain access to the database via the application. Patching of the environment is handled on a weekly basis by AWS Systems Manager. Furthermore, intrusion detection (IDS) is enabled via Amazon GuardDuty at the account level.

All user data is encrypted both in transit and at rest. AWS Shield is enabled, providing DDoS mitigation alongside other related protections.

Overview (https://www.youtube.com/watch?v=q6WlzHLxNKI)
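A policy-as-code check for the tiered layout described above, added here as an example and not KaizApp AG's own tooling: the security group names, ports, rule shape and sample data are constructed assumptions. It encodes the stated rules (only the load balancer is reachable from a CIDR, the app tier accepts traffic only from the load balancer group, the data tier only from the app group, and app and data instances carry no public IP) and reports any drift from them.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    group: str                          # security group the rule belongs to
    port: int                           # destination port
    source_cidr: Optional[str] = None   # CIDR source (internet-facing), or
    source_group: Optional[str] = None  # another security group as the source


@dataclass(frozen=True)
class Instance:
    instance_id: str
    tier: str                           # "app" or "data"
    public_ip: Optional[str] = None


# Assumed policy for the three-tier layout; group names are placeholders.
TIER_POLICY = {
    "sg-alb":  {"cidr_ok": True,  "from_groups": set(),      "ports": {443}},
    "sg-app":  {"cidr_ok": False, "from_groups": {"sg-alb"}, "ports": {8080}},
    "sg-data": {"cidr_ok": False, "from_groups": {"sg-app"}, "ports": {5432}},
}


def audit(rules: List[IngressRule], instances: List[Instance]) -> List[str]:
    """Return human-readable policy violations; an empty list means compliant."""
    findings = []
    for r in rules:
        policy = TIER_POLICY.get(r.group)
        if policy is None:
            findings.append(f"{r.group}: group is not covered by the tier policy")
            continue
        if r.port not in policy["ports"]:
            findings.append(f"{r.group}: unexpected port {r.port} exposed")
        if r.source_cidr is not None and not policy["cidr_ok"]:
            findings.append(f"{r.group}: CIDR source {r.source_cidr} on an internal tier")
        if r.source_group is not None and r.source_group not in policy["from_groups"]:
            findings.append(f"{r.group}: source group {r.source_group} is not the adjacent tier")
        if r.source_cidr is None and r.source_group is None:
            findings.append(f"{r.group}: rule on port {r.port} has no source")
    for inst in instances:
        # The page states that app-tier instances have no public IPs; the data
        # tier has no internet access at all, so the same check applies there.
        if inst.tier in ("app", "data") and inst.public_ip is not None:
            findings.append(f"{inst.instance_id}: {inst.tier}-tier instance has public IP {inst.public_ip}")
    return findings


# Constructed sample: a compliant deployment.
COMPLIANT_RULES = [
    IngressRule("sg-alb", 443, source_cidr="0.0.0.0/0"),
    IngressRule("sg-app", 8080, source_group="sg-alb"),
    IngressRule("sg-data", 5432, source_group="sg-app"),
]
COMPLIANT_INSTANCES = [Instance("i-app-1", "app"), Instance("i-db-1", "data")]

# Constructed sample: the same deployment after three kinds of drift
# (database opened to the internet, SSH added to the app tier, an app
# instance given a public address from the documentation range 203.0.113.0/24).
DRIFTED_RULES = COMPLIANT_RULES + [
    IngressRule("sg-data", 5432, source_cidr="0.0.0.0/0"),
    IngressRule("sg-app", 22, source_group="sg-alb"),
]
DRIFTED_INSTANCES = COMPLIANT_INSTANCES + [Instance("i-app-2", "app", public_ip="203.0.113.10")]

if __name__ == "__main__":
    for finding in audit(DRIFTED_RULES, DRIFTED_INSTANCES):
        print(finding)
```

The same function can be fed rules flattened from the output of the EC2 DescribeSecurityGroups and DescribeInstances APIs to make the check part of a scheduled drift audit.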

 

Availability & AWS management

KaizApp® performance is monitored 24 hours per day and 7 days per week with proactive issue detection by professional AWS services and maintenance specialists.

KaizApp® is served from the cloud via AWS (Amazon Web Services) with data stored in Dublin. Multi-factor authentication is used to access AWS and other software services. KaizApp® service availability exceeds 99.99%.

 

Your Responsibilities

Keeping your data secure requires that you maintain the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that your own systems are adequately secured.

 

Breach Notification

No service can guarantee absolute security. If KaizApp AG learns of a security breach, we will notify you and affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under the GDPR regulations. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

 

Undisclosed Security

KaizApp operates many other security measures and practices which shall remain undisclosed.

ISO27001

ISO/IEC 27001:2013

KaizApp is ISO/IEC 27001:2013 certified.  We operate an Information Security Management System as part of the way we work. This standard provides a framework for establishing and maintaining an information security management system (ISMS) to secure sensitive information through a risk management process that combines IT systems, people, processes and physical security. KaizApp AG is committed to the continuous improvement of its information security systems. We achieve this by building the management of security into our daily, weekly and monthly routines.

 

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. A European update of the standard was published in 2017. Organisations that meet the standard’s requirements can choose to be certified by an accredited certification body following successful completion of an audit.

 

How the standard works

ISO/IEC 27001 requires that management:

– Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;

– Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

– Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.

 

Note that ISO/IEC 27001 is designed to cover much more than just IT.  What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.

 

Certification

An ISMS may be certified compliant with ISO/IEC 27001 by a number of Accredited Registrars worldwide. Certification against any of the recognised national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself. In some countries, the bodies that verify conformity of management systems to specified standards are called “certification bodies”, while in others they are commonly referred to as “registration bodies”, “assessment and registration bodies”, “certification/ registration bodies”, and sometimes “registrars”.

 

The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021 and ISO/IEC 27006 standards.  Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended.

 

Structure of the standard

The official title of the standard is “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

 

1. Scope of the standard

2. How the document is referenced

3. Reuse of the terms and definitions in ISO/IEC 27000

4. Organisational context and stakeholders

5. Information security leadership and high-level support for policy

6. Planning an information security management system; risk assessment; risk treatment

7. Supporting an information security management system

8. Making an information security management system operational

9. Reviewing the system’s performance

10. Corrective action

Annex A: List of controls and their objectives

 

Controls

Clause 6.1.3 describes how an organisation can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls.

 

There are 114 controls in 14 groups and 35 control categories:

A.5: Information security policies (2 controls)

A.6: Organisation of information security (7 controls)

A.7: Human resource security – 6 controls that are applied before, during, or after employment

A.8: Asset management (10 controls)

A.9: Access control (14 controls)

A.10: Cryptography (2 controls)

A.11: Physical and environmental security (15 controls)

A.12: Operations security (14 controls)

A.13: Communications security (7 controls)

A.14: System acquisition, development and maintenance (13 controls)

A.15: Supplier relationships (5 controls)

A.16: Information security incident management (7 controls)

A.17: Information security aspects of business continuity management (4 controls)

A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

 

The controls reflect changes to technology affecting many organisations—for instance, cloud computing—but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.

GDPR

GDPR – KaizApp AG is certified compliant

 

Continuous Improvement

We are committed to the continuous improvement of all our processes and particularly GDPR and Security.  As such we operate an open, non-hierarchical culture where employees are encouraged to identify improvements and collaborate to deliver them.

 

Certified Compliance

KaizApp is fully GDPR certified and processes data lawfully in accordance with the data protection directive.  We do not adopt a policy of ‘local standards’ where companies from different geographies are treated differently. KaizApp applies the GDPR standard to all accounts of all companies from all jurisdictions.  KaizApp is also ISO/IEC 27001:2013 certified.  Prior to earning GDPR certification KaizApp updated its Privacy Policy, Terms and Conditions of Business and Cookie Policies as published on our website to show our activities are legal, secure and transparent.

 

Technical Security Measures

Please read “For CIOs”.

 

Data Breach Notification Policy

Data breaches (should any occur) will be reported to you and to the relevant authorities within the required time frame.

 

Consent to Services

Use of our services requires each employee to take positive action to ‘opt-in’. Having ‘opted in’ to our services, any email notifications which are part of our service including updates on actions, progress and communications from colleagues can be stopped at any time by opting out of such notifications in the user profile.  Users can turn these services back on at any time. Users are in full control at all times.  You can revoke access to KaizApp services for any employees leaving your company with a single click.

 

KaizApp as the Data Processor

The employees you add to KaizApp as users are your data subjects, and you are considered the data controller for their personal data.  Using KaizApp to manage your performance improvement means that you have engaged KaizApp as a data processor to carry out certain processing activities on your behalf.  According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article).

 

KaizApp as the Data Controller

Additionally, KaizApp acts as the data controller for the data we collect about you (limited to the identity of your company and the nominated ‘account owner’). First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)). Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR. Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).

 

What are KaizApp’s legitimate interests?

  • Improving the app and our services to help you reach new levels of productivity.
  • Making sure that your data and KaizApp’s systems are safe and secure.
  • Subject to your approval, providing customer support to your employees.
  • Responsible marketing of our product and its features.
  • Responding to data subject requests
  • Meeting any regulatory requirements placed on us (e.g. accounting requirements)

 

Transfers

User data is retained in AWS and is not transferred to any other organisation for any external processing. All processing is retained within KaizApp AG and not outsourced, with one notable exception which applies to monthly payment processing for smaller accounts paid by credit card. In this case information about the company and the name of the account owner are transferred to Stripe purely for the purpose of payment processing (Stripe is legally compliant and certified to process payments).

 

Data Subject Requests

You as the employer are the data controller of your subjects.  Any requests received by KaizApp from data subjects (your current and former employees) will be forwarded to you for your direct response to them.  KaizApp will not respond to your data subjects but will forward any requests received from them to you.  You have the controls and facilities within KaizApp to inform current and former employees of any personal data you hold about them and where necessary to delete users and all their data without KaizApp involvement.

 

KaizApp’s data subjects are the companies who operate KaizApp accounts.  We will be delighted to respond to data requests from current and former account holders.  However, please note that on deletion or expiry of your account, or after non-payment (i.e. after all types of termination event) all account data will be permanently deleted within 90 days of termination unless required not to do so by law.

 

Training

All of the above is supported by training.  Discussions and considerations relating to GDPR compliance are integrated into our day to day activities.

 

Data Protection Officer

Grant Thomas

Contact me using our contact form on our website at KaizApp.com
