Kudos Trust Assurance Center

Kudos takes your security seriously. This dedication is reflected in everything we do – from our people and processes to our data centers and product security.

Your privacy & security is our priority 

To give you peace of mind regarding our security measures, we’ve compiled an in-depth look at our practices. As a Kudos client, you can rely on us to protect your data and operational security at every step. In addition, Kudos is committed to protecting the data you share with us. For more information, please see our Privacy Policy.

Organizational Security

We adhere to strict security policies and procedures that cover the security, availability, processing, integrity, and confidentiality of our customers’ data. People are the weakest link in any organization; our policies and processes ensure that security is one of our primary objectives.

Security and Risk Management Team

The security and risk management professionals at Kudos are committed to ensuring the security of our operations and product.

Security Awareness

We understand that security is not only “IT's job”. That is why we pride ourselves on offering the latest training on Security Awareness Foundations, Phishing Foundations, Common Threats and Social Engineering Red Flags company-wide. Security is everyone’s responsibility at Kudos.

Internal Audit & Compliance

The effectiveness and efficiency of our internal controls, processes and policies are assessed and reviewed continuously by the compliance team, and identified deficiencies are remediated promptly.

Attestation and Certificate

Kudos is audited regularly by independent bodies to ensure that we adhere to the most stringent security standards and privacy requirements in the business.

SOC 2 Type II

The Kudos SOC 2 Type II report provides assurance that our team has designed an effective system of security controls. Get in touch to read our report.

Cloud Security Alliance (CSA) Level I

Kudos has achieved CSA STAR Level I Assurance. The CSA STAR program is the world’s largest and most consequential cloud provider security program.

OneTrust Essentials Attestation Certificate

Kudos® is compliant with the Tugboat Logic (now OneTrust) Attestation Essentials Certificate.

GDPR

Kudos is dedicated to keeping your information safe and is compliant with the European General Data Protection Regulation (GDPR).

Infrastructure Security

Client Environment

The Kudos recognition platform is a multi-tenant, cloud-based SaaS platform. Every customer is assigned their own tenant of the Kudos employee recognition platform, and their data is encrypted and logically separated. To prevent unauthorized access, it is not accessible to other tenants.

Encryption

Data stored by Kudos is encrypted at rest in Amazon Relational Database Service (RDS) using an industry-standard encryption algorithm. All passwords within our database are securely stored, salted and hashed.

Kudos provides end-to-end data encryption. Encryption is handled using our cloud provider's key management services. All information traveling between your browser and Kudos is protected from eavesdropping with SSL encryption and TLS 1.2 protocols.

Identity & Access Control

Single Sign-On (SSO)

Kudos uses single sign-on (SSO) capability throughout all our applications. SSO improves enterprise security by reducing the risk of password fatigue: because users have to remember only one strong password, they are deterred from using weak passwords. Kudos uses OneLogin as its single sign-on service, which allows users to access other applications from one centralized console. OneLogin grants access to other applications based on permissions granted to an individual’s account.

Strong Passwords

Kudos enforces strong password requirements for all non-SSO accounts to ensure all users are using secure login credentials.

Multi-Factor Authentication (MFA)

To complement our SSO capability, Kudos offers an extra layer of protection in case a password is compromised. MFA enhances security by requiring users to identify themselves by more than a username and password.

Administrative Access

We provide privileged access to authorized personnel only. In keeping with the principle of least privilege, Kudos reserves the right to grant administrative access for making configuration changes. Additionally, a privileged access management solution can control the credentials accessing a device and the commands that can be executed when a session is initiated, providing a complete audit of both commands and sessions.

Security Within the Application

Kudos encrypts every attribute of customer data within the application before it is stored in the database. All passwords within our database are securely stored, salted and hashed. All customer content on the filesystem is encrypted, and backup data is encrypted as well.

Development Practices

Source Code Security Scanning

Kudos carries out third-party penetration tests and web application vulnerability assessments. These assessments are evaluated and conducted on a regular basis by both internal Kudos resources and external third-party vendors.

Reliability, Redundancy & Resilience

Logging & Monitoring

All application and infrastructure components are logged and monitored using enterprise software. Kudos implements and utilizes our cloud provider's native security monitoring.

Reliability & Disaster Recovery

Our data is secured in the cloud, and we have documented processes for disaster recovery and business continuity. Full backups are performed hourly and retained for 40 days. All backups made are encrypted and stored offsite. All servers and internal API processes have multiple redundancies and parallel processes for robust service availability.

Incident Management and Response Plan

Kudos has established policies and procedures to manage security and privacy incidents that threaten the confidentiality, integrity, or availability of information assets, which are reviewed regularly. In the event of a suspected or confirmed incident/breach, affected customers will be notified within 48 hours. There have been no security incidents in the last 12 months.

Kudos has a documented security incident response plan. We appropriately respond to any incidents that threaten the confidentiality, integrity, and availability of digital assets, information systems, and the networks that deliver the information. Our response plan covers the preparation, identification, notification, containment, investigation, and eradication of any data breach. All affected clients are notified of a suspected or confirmed data breach immediately.

Vendor Management

Kudos has established procedures for evaluating and vetting vendors. Kudos has agreements with vendors to ensure they comply with our policies and controls and maintain the security of client data.

Please check back occasionally for updates. If you have any questions, please contact us at kudossecurity@kudos.com.
