Akanban
  • Product
    Features Pricing Demo Download Roadmap Changelog
  • Company
    About Us Careers Blog Contact Press Kit
  • Resources
    Documentation API Reference Help Center Community Status
Try Demo Get Started

Security at Akanban

Last Updated: February 5, 2026

Security is fundamental to everything we do. We employ industry-leading practices and technologies to protect your data and ensure the reliability of our platform.

Our Security Commitment

At Akanban, we understand that your project data is critical to your business. We are committed to maintaining the highest standards of security, privacy, and compliance to earn and maintain your trust. Our security program is continuously evolving to address emerging threats and incorporate industry best practices.

1. Security Certifications & Compliance

Akanban maintains multiple industry-standard certifications and compliance frameworks to ensure we meet the highest security requirements:

  • SOC 2 Type II
  • ISO 27001
  • GDPR Compliant
  • CCPA Compliant
  • HIPAA Compliant
  • PCI DSS Level 1

SOC 2 Type II

We undergo annual SOC 2 Type II audits conducted by independent third-party auditors. Our SOC 2 reports are available to enterprise customers under NDA upon request.

ISO 27001

Our Information Security Management System (ISMS) is certified to ISO 27001:2013 standards, demonstrating our systematic approach to managing sensitive information.

GDPR & International Data Transfers

We are fully compliant with the General Data Protection Regulation (GDPR) and maintain appropriate safeguards for international data transfers. See our GDPR Compliance page for details.

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your devices and our servers is encrypted using industry-standard protocols:

  • TLS 1.3: All connections use Transport Layer Security (TLS) 1.3, the current version of the protocol
  • Perfect Forward Secrecy: Session keys come from ephemeral (EC)DHE key exchange (TLS 1.3 removed the static RSA key exchange), so recorded traffic cannot be decrypted later even if the server's long-term private key is compromised
  • Certificate Pinning: Our mobile applications pin our certificates, so a connection through an interposed proxy is refused even if the proxy presents a certificate a public CA would accept
  • HSTS: HTTP Strict Transport Security instructs browsers that have seen the header to use HTTPS only for the policy's lifetime and to treat certificate errors as hard failures
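A client-side check of the transport claims above, as an added example and not Akanban's own code: the HSTS parser follows the directive syntax of RFC 6797, the audit thresholds are the browser preload-list submission requirements, and the two TLS client configurations are the probes needed to show both that TLS 1.3 is offered and that an older client is not allowed to fall back to TLS 1.2. The header value in main is constructed; the host name is whatever you pass on the command line.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value per RFC 6797 section 6.1: directives are
// separated by ";" and matched case-insensitively; max-age is mandatory.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		d := strings.TrimSpace(raw)
		if d == "" {
			continue
		}
		kv := strings.SplitN(d, "=", 2)
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "max-age":
			if len(kv) != 2 {
				return p, fmt.Errorf("max-age has no value")
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(kv[1]), `"`), 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", kv[1])
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, fmt.Errorf("missing required max-age directive")
	}
	return p, nil
}

// AuditHSTS returns the findings a reviewer would raise. The thresholds are
// the hstspreload.org requirements: max-age of at least one year (31536000 s),
// includeSubDomains and preload all present.
func AuditHSTS(value string) []string {
	p, err := ParseHSTS(value)
	if err != nil {
		return []string{err.Error()}
	}
	var findings []string
	if p.MaxAge < 31536000 {
		findings = append(findings, fmt.Sprintf("max-age %d is below one year", p.MaxAge))
	}
	if !p.IncludeSubDomains {
		findings = append(findings, "includeSubDomains missing: subdomains can still be reached over plain HTTP")
	}
	if !p.Preload {
		findings = append(findings, "preload missing: the first visit is unprotected until the header has been seen")
	}
	return findings
}

// ProbeConfigs returns the two client configurations that test the claim
// "all connections use TLS 1.3": a handshake with the first must succeed
// (TLS 1.3 is offered) and a handshake with the second must be refused
// (the server does not fall back to TLS 1.2 for an older client).
func ProbeConfigs(host string) (require13, offer12Only *tls.Config) {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS13},
		&tls.Config{ServerName: host, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
}

func main() {
	// Constructed header value; a real check reads it from the HTTPS response.
	for _, f := range AuditHSTS("max-age=300") {
		fmt.Println("finding:", f)
	}
	if len(os.Args) > 1 { // optional live probe: go run . <host>
		host := os.Args[1]
		require13, offer12Only := ProbeConfigs(host)
		for _, c := range []*tls.Config{require13, offer12Only} {
			conn, err := tls.Dial("tcp", host+":443", c)
			if err != nil {
				fmt.Printf("min=%#x max=%#x: handshake refused (%v)\n", c.MinVersion, c.MaxVersion, err)
				continue
			}
			fmt.Printf("min=%#x max=%#x: negotiated TLS %#x\n", c.MinVersion, c.MaxVersion, conn.ConnectionState().Version)
			conn.Close()
		}
	}
}
```

The second probe matters more than the first: a host that completes the TLS 1.2-only handshake supports TLS 1.3 for modern clients but still accepts the older version, which is not the same as "all connections use TLS 1.3".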

2.2 Encryption at Rest

Your data is encrypted when stored on our servers:

  • AES-256 Encryption: All data at rest is encrypted using AES-256, the same encryption standard used by governments and financial institutions
  • Database Encryption: Our databases use transparent data encryption (TDE) to protect data at the file level
  • File Storage Encryption: All uploaded files are encrypted using AES-256 before storage
  • Backup Encryption: All backups are encrypted with separate encryption keys

2.3 Key Management

  • Encryption keys are managed using AWS Key Management Service (KMS) with automatic key rotation
  • Keys are stored separately from encrypted data
  • Access to encryption keys is strictly controlled and audited
  • We support customer-managed encryption keys (CMEK) for enterprise customers
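How the arrangement in 2.2 and 2.3 fits together, as an added example that is not Akanban's code: envelope encryption, where every stored object gets its own AES-256-GCM data key and only a wrapped copy of that key is stored next to the ciphertext. The KeyService type is a local stand-in for AWS KMS (not the AWS SDK), the object identifiers are constructed, and Rewrap shows why rotating the wrapping key, or moving to a customer-managed key, re-wraps a 32-byte key per object rather than re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService stands in for AWS KMS: the key-encryption key (KEK) never
// leaves it; callers get only Wrap and Unwrap.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: mustRandom(32)} }

// mustRandom panics on entropy failure, which is not recoverable anyway.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize()) // fresh 96-bit nonce; each data key encrypts one object
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// The object identifier is bound as AAD, so a wrapped key copied from one object cannot be unwrapped for another.
func (s *KeyService) Wrap(dek, objectID []byte) ([]byte, error) { return seal(s.kek, dek, objectID) }
func (s *KeyService) Unwrap(w, objectID []byte) ([]byte, error) { return open(s.kek, w, objectID) }

// Envelope is the stored record: ciphertext plus the wrapped data key, never the KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Encrypt uses a fresh AES-256 data key per object and keeps it only in wrapped form.
func Encrypt(ks *KeyService, objectID string, plaintext []byte) (Envelope, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := ks.Wrap(dek, []byte(objectID))
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

func Decrypt(ks *KeyService, objectID string, e Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(e.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, e.Ciphertext, []byte(objectID))
}

// Rewrap moves an object to a new KEK (rotation, or a customer-managed key)
// by re-wrapping only the 32-byte data key; the data ciphertext is untouched.
func Rewrap(oldKS, newKS *KeyService, objectID string, e Envelope) (Envelope, error) {
	dek, err := oldKS.Unwrap(e.WrappedDEK, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := newKS.Wrap(dek, []byte(objectID))
	return Envelope{WrappedDEK: wrapped, Ciphertext: e.Ciphertext}, err
}

func main() {
	ks := NewKeyService()
	env, _ := Encrypt(ks, "project/42/board.json", []byte("constructed sample payload"))
	pt, err := Decrypt(ks, "project/42/board.json", env)
	fmt.Printf("%d-byte ciphertext decrypts to %q (err=%v)\n", len(env.Ciphertext), pt, err)
}
```

Two properties are worth checking against any provider that describes its key management this way: a stored record never contains the wrapping key, and a wrapped data key is bound to the object (or tenant) it was issued for, so copying ciphertext and wrapped key between records does not decrypt.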

3. Infrastructure Security

Cloud Infrastructure

Hosted on AWS with tier IV data centers featuring physical security, redundant power, and climate control

Network Security

Firewalls, intrusion detection systems, and DDoS protection to prevent unauthorized access

Secure Architecture

Multi-layer security architecture with network segmentation and isolated environments

Load Balancing

Automatic traffic distribution and failover capabilities for high availability

3.1 Cloud Provider Security

We partner with industry-leading cloud providers that maintain their own robust security certifications:

  • Amazon Web Services (AWS): Primary infrastructure provider with SOC 1/2/3, ISO 27001, and FedRAMP certifications
  • Geographic Redundancy: Data is replicated across multiple availability zones and regions
  • Virtual Private Cloud (VPC): Isolated network environments with controlled access
  • AWS Shield: DDoS protection for all services

3.2 Network Security

  • Web Application Firewall (WAF) to protect against common web vulnerabilities
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Rate limiting and API throttling to prevent abuse
  • IP allowlisting available for enterprise customers
  • Network segmentation to isolate services and limit lateral movement

4. Application Security

4.1 Secure Development Lifecycle

Security is integrated throughout our development process:

  • Security by Design: Security considerations from the initial design phase
  • Code Reviews: Peer review of all code changes with security focus
  • Static Analysis: Automated scanning for security vulnerabilities in code
  • Dynamic Testing: Runtime security testing in staging environments
  • Dependency Scanning: Regular scanning of third-party libraries for known vulnerabilities
  • Security Training: Ongoing security awareness training for all developers

4.2 Vulnerability Management

  • Regular penetration testing by independent security firms
  • Automated vulnerability scanning of all infrastructure
  • Bug bounty program to engage security researchers
  • 90-day disclosure policy for security vulnerabilities
  • Emergency patching process for critical vulnerabilities

4.3 Security Testing

We conduct comprehensive security testing:

  • Annual Penetration Tests: Conducted by certified ethical hackers
  • Quarterly Vulnerability Assessments: Automated and manual testing
  • OWASP Top 10: Testing against all OWASP Top 10 vulnerabilities
  • API Security Testing: Dedicated testing of API endpoints
  • Mobile App Security: Testing of iOS and Android applications

5. Access Controls & Authentication

5.1 User Authentication

  • Multi-Factor Authentication (MFA): Required for all accounts, supporting TOTP, SMS, and hardware tokens
  • Single Sign-On (SSO): SAML 2.0 support for enterprise customers (Google, Microsoft, Okta, OneLogin)
  • Password Requirements: Strong password policies with minimum length, complexity, and rotation requirements
  • Password Hashing: All passwords hashed using bcrypt, which generates a unique random salt for every password and stores it alongside the hash
  • Brute Force Protection: Account lockout after failed login attempts
  • Session Management: Automatic session timeout and secure session tokens

5.2 Role-Based Access Control (RBAC)

  • Granular permissions system with predefined and custom roles
  • Principle of least privilege - users receive minimum necessary permissions
  • Project-level and organization-level access controls
  • Audit logs for all permission changes
  • Guest access with limited permissions and expiration dates

5.3 Administrative Access

  • Strict access controls for Akanban staff accessing production systems
  • Just-in-time access provisioning for support operations
  • All administrative actions logged and monitored
  • Separate credentials required for production access
  • Annual background checks for employees with production access

6. Data Protection & Privacy

6.1 Data Residency

  • Choose where your data is stored (US, EU, UK, Australia, Canada)
  • Data remains in your selected region and is not transferred without consent
  • Regional data centers comply with local data protection regulations
  • Enterprise customers can request dedicated infrastructure

6.2 Data Backup & Recovery

  • Automated Backups: Daily automated backups with 30-day retention
  • Geo-Redundant Storage: Backups replicated across multiple geographic regions
  • Point-in-Time Recovery: Ability to restore data to any point within retention period
  • Disaster Recovery Plan: Tested annually with RTO of 4 hours and RPO of 1 hour
  • Customer-Initiated Backups: Export your data at any time

6.3 Data Deletion

  • Soft deletion with 90-day recovery period
  • Permanent deletion after retention period with secure erasure
  • Compliance with right to erasure under GDPR
  • Secure disposal of physical media containing customer data

7. Monitoring & Incident Response

7.1 Security Monitoring

  • 24/7 Security Monitoring: Round-the-clock monitoring of infrastructure and applications
  • SIEM Integration: Security Information and Event Management for threat detection
  • Anomaly Detection: Machine learning-based detection of unusual patterns
  • Audit Logging: Comprehensive logging of all system activities
  • Alert Management: Automated alerting for security events

7.2 Incident Response

We maintain a comprehensive incident response plan:

  • Dedicated Security Team: On-call security engineers 24/7/365
  • Incident Classification: Clear severity levels and response procedures
  • Communication Protocol: Timely notification to affected customers
  • Forensic Analysis: Post-incident investigation and root cause analysis
  • Continuous Improvement: Lessons learned incorporated into security practices

7.3 Breach Notification

In the unlikely event of a security breach:

  • Affected customers notified within 72 hours of discovery
  • Detailed information about the incident and impact
  • Remediation steps taken and recommendations for customers
  • Compliance with breach notification requirements (GDPR, CCPA, etc.)
  • Regular updates throughout incident resolution

8. Employee Security

8.1 Background Checks

  • Criminal background checks for all employees
  • Enhanced screening for employees with production data access
  • Reference verification and employment history checks
  • Periodic re-screening of existing employees

8.2 Security Training

  • Mandatory security awareness training during onboarding
  • Quarterly security training updates for all staff
  • Specialized training for developers and operations teams
  • Phishing simulation exercises
  • Security champions program within engineering teams

8.3 Confidentiality Agreements

  • All employees sign confidentiality and data protection agreements
  • Clear policies on acceptable use and data handling
  • Ongoing reinforcement of security policies
  • Consequences for policy violations

8.4 Endpoint Security

  • Full-disk encryption on all employee devices
  • Endpoint detection and response (EDR) software
  • Mandatory screen locks and automatic timeouts
  • Mobile device management (MDM) for company-issued devices
  • Remote wipe capabilities for lost or stolen devices

9. Third-Party Security

9.1 Vendor Management

  • Security assessment of all third-party vendors
  • Data processing agreements with security requirements
  • Regular vendor security reviews and audits
  • Vendor risk classification and monitoring
  • Contractual security and compliance obligations

9.2 Sub-processors

We carefully vet all sub-processors that handle customer data. A complete list of sub-processors is available upon request and includes:

  • Amazon Web Services (hosting infrastructure)
  • Cloudflare (CDN and DDoS protection)
  • SendGrid (email delivery)
  • Stripe (payment processing)

10. Business Continuity

10.1 High Availability

  • 99.9% uptime SLA for paid plans
  • Multi-region architecture with automatic failover
  • Load balancing across multiple availability zones
  • Auto-scaling to handle traffic spikes
  • Real-time status monitoring available at status.akanban.com

10.2 Disaster Recovery

  • Comprehensive disaster recovery plan tested annually
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Geo-redundant data replication
  • Emergency response procedures and communication plans

11. Responsible Disclosure

11.1 Security Bug Bounty Program

We welcome security researchers to help us maintain the security of our platform. Our bug bounty program offers rewards for responsibly disclosed security vulnerabilities.

  • Scope: All Akanban applications, websites, and APIs
  • Rewards: Up to $10,000 for critical vulnerabilities
  • Safe Harbor: Legal protection for good-faith security research
  • Recognition: Security researchers credited on our security hall of fame

11.2 Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Email: security@akanban.com (PGP key available)
  • Response Time: Initial response within 24 hours
  • Coordinated Disclosure: We work with researchers on disclosure timeline
  • No Public Disclosure: Please do not disclose publicly before coordinating with us

12. Customer Security Controls

12.1 Security Features for Customers

  • IP Allowlisting: Restrict access to specific IP addresses (Enterprise)
  • Session Management: Control session timeouts and concurrent sessions
  • Audit Logs: Comprehensive logging of all user activities
  • Data Export: Export all your data at any time
  • API Keys: Secure API authentication with scoped permissions
  • Webhooks: Signed webhooks for secure integrations
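What "signed webhooks" should mean on the receiving side, as an added example that is not Akanban's documented scheme: the header layout (t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">) and the secret are assumptions for illustration, and the payload is constructed. What carries over to any provider's scheme is that the check runs on the raw request bytes, compares in constant time, and rejects timestamps outside a short window so a captured request cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Tolerance bounds how old a webhook may be; a captured request cannot be
// replayed once its timestamp has aged past this window.
const Tolerance = 5 * time.Minute

// mac computes HMAC-SHA256 over "<timestamp>.<raw body>". Including the
// timestamp in the MAC means it cannot be altered without the secret.
func mac(secret []byte, ts string, body []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(ts))
	h.Write([]byte("."))
	h.Write(body)
	return h.Sum(nil)
}

// Sign is the sender side: it produces the header value t=<unix seconds>,v1=<hex HMAC>.
func Sign(secret, body []byte, t time.Time) string {
	ts := strconv.FormatInt(t.Unix(), 10)
	return "t=" + ts + ",v1=" + hex.EncodeToString(mac(secret, ts, body))
}

// Verify is the receiver side. It must run on the raw request bytes, before
// any JSON parsing or re-serialisation, or the MAC will not match.
func Verify(secret, body []byte, header string, now time.Time) error {
	var ts string
	var sigs [][]byte
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			return errors.New("malformed signature header")
		}
		switch kv[0] {
		case "t":
			ts = kv[1]
		case "v1": // several v1 values may be present while the secret is being rotated
			sig, err := hex.DecodeString(kv[1])
			if err != nil {
				return errors.New("malformed signature")
			}
			sigs = append(sigs, sig)
		}
	}
	if ts == "" || len(sigs) == 0 {
		return errors.New("missing timestamp or signature")
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	if age := now.Sub(time.Unix(sec, 0)); age > Tolerance || age < -Tolerance {
		return fmt.Errorf("timestamp %s outside tolerance: possible replay", age)
	}
	expected := mac(secret, ts, body)
	for _, sig := range sigs {
		// hmac.Equal runs in constant time, so there is no byte-by-byte timing oracle.
		if hmac.Equal(sig, expected) {
			return nil
		}
	}
	return errors.New("signature mismatch")
}

func main() {
	secret := []byte("whsec_constructed_example")          // shared secret from the integration settings
	body := []byte(`{"event":"card.moved","card":17}`)    // constructed sample payload
	now := time.Now()
	header := Sign(secret, body, now)
	fmt.Println(header)
	fmt.Println("valid:", Verify(secret, body, header, now) == nil)
	fmt.Println("tampered:", Verify(secret, []byte(`{"event":"card.moved","card":18}`), header, now))
	fmt.Println("replayed:", Verify(secret, body, header, now.Add(time.Hour)))
}
```

Accepting more than one v1 value is what makes secret rotation possible without an outage: the sender signs with both the old and the new secret for the overlap period, and the receiver only needs one to match.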

12.2 Security Best Practices for Users

We recommend the following security practices for Akanban users:

  • Enable multi-factor authentication on all accounts, preferring TOTP or a hardware token over SMS, which is exposed to SIM swapping and interception
  • Use strong, unique passwords with a password manager
  • Review and manage active sessions regularly
  • Be cautious of phishing attempts impersonating Akanban
  • Keep your software and devices up to date
  • Report suspicious activity to our security team
  • Review audit logs periodically for unusual activity

13. Security Documentation

Additional security documentation available to customers:

  • SOC 2 Type II Report: Available under NDA for Enterprise customers
  • Security Whitepaper: Detailed technical security overview
  • Penetration Test Results: Executive summaries available to Enterprise customers
  • Data Processing Agreement (DPA): Standard DPA for GDPR compliance
  • Business Associate Agreement (BAA): For HIPAA-covered entities

Contact our enterprise team at enterprise@akanban.com to request documentation.

Security Questions?

If you have questions about our security practices or need additional information, please contact us:

Security Team: security@akanban.com
Report a Vulnerability: security@akanban.com (PGP key: Download)
Enterprise Security: enterprise@akanban.com
Compliance: compliance@akanban.com
Phone: 1-800-AKANBAN (1-800-252-6226)

Chief Information Security Officer (CISO)
Akanban Inc.
123 Tech Street
San Francisco, CA 94105, USA

Privacy Policy Terms of Service GDPR Compliance System Status
© 2026 Akanban. All rights reserved.
