- Kalo encrypts all data in transit using TLS
- Kalo encrypts customer data at rest using AES-256
- Kalo hashes passwords using SHA-256 and dynamic salts
- Kalo is ISO 27001 certified
- Kalo takes daily snapshots of data
- Kalo relies on Amazon Web Services to ensure that our infrastructure is scalable and kept up to date with security patches
Where is the source code under version control and where are the repositories hosted?
We use GitHub’s private repositories.
What datacenter is the application hosted in?
We use Amazon’s EC2 servers across 3 availability zones in multiple physical locations in the US and UK.
What languages and frameworks are used?
What 3rd Party components / Libraries does the application use?
React, RabbitMQ, Docker
What open source components does the application use?
Elastic Search, Nameko
Is data encrypted at rest?
We are using AES encryption for our data at rest. Amazon RDS encrypted instances use the industry-standard AES-256 encryption algorithm to encrypt our data on the server that hosts our Amazon RDS instance. All banking details are secured with our third-party vendors, who are PCI-DSS certified. We also hash passwords using SHA-256 with dynamic salts.
Please describe what is being monitored, who is doing the monitoring and what, if any, are the unique (not just CPU, disk) operational thresholds this application has?
Anonymized monitoring dashboards are displayed around the office so engineers can interpret traffic shape and volume in real time. These dashboards show information about the Production systems as well as several development tools used in the product development life cycle. We use ELK and Grafana to monitor system health, including infrastructure access, and to alert us to irregular activity.
Please enumerate the types of events that are logged.
Each inbound request is logged, as is all web traffic across the Production and Staging infrastructure. More structured audit logs are kept for standard user actions within the Kalo Platform. Within the platform itself, internal traffic across ElasticSearch and RabbitMQ is logged and monitored, and can be used for further in-depth analysis of standard actions. AWS logs all server logins and all commands executed by each user, including administrators. Additionally, we log every operation our users perform on invoices.
Are the application logging events relating to the authentication functionality, access control attempts, etc.?
Yes, we log authentication and access-control attempts, but we do not log passwords or similar secrets.
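The two answers above describe structured audit records for authentication and access-control attempts, with credentials kept out of the log, and monitoring that alerts on irregular activity. The following is an added example, not Kalo's own code: it builds such records with a deny-list of credential fields, then runs a simple burst detector over a constructed sample log. The field names, thresholds and sample entries are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Fields that must never reach the audit log, whatever the caller passes in (assumed list).
SENSITIVE_FIELDS = {"password", "new_password", "old_password", "token", "authorization", "secret"}


def auth_event(event, user, success, source_ip, ts, extra=None):
    """Build one structured audit record for an authentication or access-control attempt.

    Credential fields are dropped before serialisation so a careless caller cannot leak them.
    """
    record = {"ts": ts, "event": event, "user": user, "success": success, "source_ip": source_ip}
    for key, value in (extra or {}).items():
        if key.lower() in SENSITIVE_FIELDS:
            continue  # the attempt is recorded, the secret is not
        record[key] = value
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(log_lines, threshold=5, window_seconds=300):
    """Return the set of users with at least `threshold` failed logins inside any
    `window_seconds` span (sliding window over the sorted failure timestamps)."""
    failures = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") == "login" and rec.get("success") is False:
            failures[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(user)
                break
    return flagged


# Constructed sample log: two attempts by alice (one with a password field that must be
# stripped), a burst of six failures for bob, and one denied access-control check for carol.
SAMPLE_LOG = [
    auth_event("login", "alice", False, "203.0.113.5", "2024-03-01T09:00:00",
               extra={"password": "should-never-be-logged", "method": "form"}),
    auth_event("login", "alice", True, "203.0.113.5", "2024-03-01T09:00:20"),
    auth_event("access_control", "carol", False, "203.0.113.9", "2024-03-01T09:02:00",
               extra={"resource": "invoice/42", "required": "invoice:write"}),
] + [
    auth_event("login", "bob", False, "198.51.100.7", f"2024-03-01T09:01:{10 * i:02d}")
    for i in range(6)
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print("burst of failed logins from:", failed_login_bursts(SAMPLE_LOG))
```

The deny-list sits in the record builder rather than at each call site, so the guarantee "attempts are logged, passwords are not" holds regardless of what a request handler passes in; the burst detector is the kind of rule a Grafana or ELK alert would encode.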
How does your application track active sessions?
We use JSON Web Tokens to track active sessions. The JWT provided will determine whether the request will be allowed or not, based on how old it is and what permissions it was created with.
How are session tokens generated? How are they validated?
JWTs are generated and validated with PyJWT, a Python library for JSON Web Tokens. They are validated on their contents, which include a session token that must match a persisted session token, and the timestamp of when they were generated.
When do sessions timeout?
A JWT expires after 5 minutes, and our application continuously refreshes that in the background.
What types of access control mechanisms are employed?
Each user is assigned a role within our app. We have granular resource permissions, and each JWT we issue carries specific permissions based on that user's configuration. These permissions determine whether a user sees a given part of the UI, or is denied access when attempting to reach a restricted view.
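The answers above describe the session model as a whole: a short-lived (5 minute) JWT whose contents include a session token that must match a persisted session, an issue timestamp, and the permissions the token was created with, refreshed in the background and checked on every request. The following is an added example, not Kalo's code; it implements HS256 JWTs with the standard library instead of PyJWT so it runs without dependencies (PyJWT's `jwt.encode` / `jwt.decode(..., algorithms=["HS256"])` perform the same signing and expiry checks). The claim names, the in-memory session store and the signing key are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo signing key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-hs256-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300  # the answer above states a JWT expires after 5 minutes

# Stand-in for the persisted session table: session token -> session record (assumed shape).
SESSION_STORE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_jwt(user_id, session_token, permissions, now):
    """Mint an HS256 JWT carrying the persisted session token and the user's permissions."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "sid": session_token,          # must match a persisted session on every check
        "perms": sorted(permissions),  # resource permissions fixed at issue time
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = encode(header) + "." + encode(payload)
    return signing_input + "." + _b64url(_sign(signing_input))


def create_session(user_id, permissions, now=None):
    """Persist a new session token and return the first JWT bound to it."""
    now = int(time.time()) if now is None else now
    session_token = secrets.token_urlsafe(32)
    SESSION_STORE[session_token] = {"user": user_id, "revoked": False}
    return issue_jwt(user_id, session_token, permissions, now)


def revoke_session(session_token):
    """Server-side logout: every JWT bound to this session stops validating immediately."""
    if session_token in SESSION_STORE:
        SESSION_STORE[session_token]["revoked"] = True


def validate_jwt(token, now=None):
    """Return (ok, reason, payload). Checks signature, expiry, then the persisted session."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    # Pin the algorithm server-side; the token's own header never chooses it (rejects "none").
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), signature):
        return False, "bad signature", None
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired", None
    session = SESSION_STORE.get(payload.get("sid"))
    if session is None or session["revoked"] or session["user"] != payload.get("sub"):
        return False, "unknown or revoked session", None
    return True, "ok", payload


def refresh_jwt(token, now=None):
    """Background refresh: re-issue a short-lived JWT for a still-valid session, else None."""
    now = int(time.time()) if now is None else now
    ok, _, payload = validate_jwt(token, now)
    if not ok:
        return None
    return issue_jwt(payload["sub"], payload["sid"], payload["perms"], now)


def authorize(token, required_permission, now=None):
    """Access-control decision for one request: valid token AND the permission it was issued with."""
    ok, reason, payload = validate_jwt(token, now)
    if not ok:
        return False, reason
    if required_permission not in payload["perms"]:
        return False, "forbidden"
    return True, "ok"
```

Two design points matter for the model described above. The persisted session lookup is what makes a 5 minute token revocable before it expires: a stateless JWT alone would keep validating until `exp`. And because the permissions are fixed at issue time, a role change only takes effect when the next background refresh mints a new token, which is why the short TTL is useful rather than merely cautious.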
Does the application support user roles for specific privileges?
Do you have a physical security program?
Yes, please see Amazon’s white paper for specifics.