rev.0 15-Jul-2024
1. GLOSSARY
Information security event: occurrence indicating a possible information security breach or failure of controls
Kelyon Cloud Infrastructure: the logical infrastructure consisting of computing instances, database instances, storage, services and applications accessible via the Internet, which enable the Kelyon Internal Services
Kelyon Network: set of protocols and physical and/or cloud-accessible resources that form the Kelyon Cloud Infrastructure
Kelyon Systems: the systems present on the Kelyon cloud infrastructure
2. INTRODUCTION
Entrusting data to the cloud under EN ISO/IEC 27017:2021 requires both the Customer and Kelyon to verify certain requirements.
In the interest of full transparency about how the services offered are managed, Kelyon therefore provides a summary of the obligations that fall to the Customer and of those adopted by Kelyon as a supplier, in compliance with EN ISO/IEC 27001:2023, EN ISO/IEC 27017:2021 and EN ISO/IEC 27018:2020.
If the Customer finds any discrepancy between what is reported below and the services actually offered, it is invited to report it by sending an email to cso@kelyon.com.
3. CLOUD SERVICES PROTOCOL
The data stored in the cloud computing environment may be subject to access and management by Kelyon; to protect the Customer, Kelyon adopts methods and processes certified by third parties against EN ISO/IEC 27001:2023, EN ISO/IEC 27017:2021 and EN ISO/IEC 27018:2020.
- Kelyon has identified the Data Protection Authorities, the Italian National Cybersecurity Agency and the Postal Police as the relevant authorities for data protection.
If the Customer decides to modify and/or integrate these bodies, it is required to define these aspects in advance, in a specific agreement between the parties.
- Kelyon provides its cloud services on infrastructures located in the European Union and managed by Amazon Web Services (https://aws.amazon.com), unless the Customer explicitly requests that cloud services be hosted on infrastructures located in other geographical areas and/or belonging to other cloud providers.
Amazon Web Services (AWS) states that it supports 143 security standards and compliance certifications, including PCI DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST SP 800-171, helping customers meet compliance requirements worldwide. AWS holds certifications under ISO/IEC 27001:2022, ISO/IEC 27017:2015 and ISO/IEC 27018:2019.
- Kelyon will notify the Customer with 30 days’ notice of any change in the cloud providers used. Kelyon guarantees that the infrastructures that provide the cloud services will always be located in the European Union, unless otherwise explicitly requested by the Customer, and that data processing will comply with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
- Kelyon classifies all information exchanged with the Customer. Labelling uses the following classification levels:
Category of Information | Description | Examples |
Public or unlabeled | The information is not confidential and can be made public without negative implications if disclosed. Unavailability of this information during downtime is an acceptable risk. Integrity is important but not critical to the life or business of the Customer. | Leaflets, brochures, press releases, websites, newsletters |
Confidential | Documentation for internal or external use that contains sensitive information which should only be accessed by a small group of authorized persons, as its unauthorized disclosure could cause significant harm to the organization. This category includes information received from the Customer. | Customer contracts, offers, product development projects, internal legal documents, confidential financial information |
Strictly Confidential | Documentation that contains extremely sensitive information that, if disclosed, could cause serious harm to the organization, its Customers or its partners. Access to this information is limited to a very small number of people, under strict protection measures. | Software source code, know-how used to process Customer information, information on patents in the process of filing, sensitive health data, cryptographic keys or security certificates |
- Kelyon maintains a periodic inventory of assets and associated information, including those hosted on the Kelyon Cloud Infrastructure. Inventory records indicate where each asset is located.
- Kelyon adopts an appropriate allocation of information security roles and responsibilities and confirms that it is in a position to fulfill its information security roles and responsibilities.
To this end, risk analyses, vulnerability assessments and penetration tests are periodically repeated. Kelyon also implements its own policy for the prevention and management of threats, on which it can provide documentation at the Customer’s request.
The Customer who decides to modify and/or supplement Kelyon’s control practices is required to define these aspects in advance, in a specific agreement between the parties.
- All access to the systems, services and applications on the Kelyon Cloud Infrastructure is controlled and protected. To ensure a high level of protection and block malicious access attempts, multi-factor authentication (MFA) is enabled on all Kelyon Internal Services wherever technically possible.
- The management of the cloud service offered to the Customer takes into account the access profile of the service provided by Kelyon. Kelyon informs the Customer of the standard access methods at the time of service activation.
- Kelyon’s access control policy for its Cloud Infrastructure incorporates compartmentalization for each service.
- Kelyon adopts a network segregation policy to achieve segregation of Customers’ cloud environments.
In detail, the Kelyon Cloud Infrastructure guarantees:
- segregation of groups of information services, users and information systems, dividing them into separate network domains;
- logical segregation of cloud service customer data, virtualized applications, operating systems, storage and networks, to ensure data integrity and confidentiality.
- The Customer must ensure that the service capacity agreed with Kelyon is sufficient for its needs.
Kelyon provides the Customer with the tools needed to monitor service usage and anticipate capacity needs, ensuring optimal performance of the required cloud services over time.
- The services provided on the Kelyon Cloud Infrastructure implement encryption controls that comply with recognized and approved security standards.
In this regard Kelyon implements practices for controlling and maintaining the effectiveness of cryptographic keys throughout their lifecycle, including generation, installation, updating, revocation and destruction. As a standard practice, Kelyon applies cryptographic controls to all transactions to and from the Customer.
- Kelyon maintains specific written policies and procedures for the secure disposal or reuse of resources. Upon the Customer’s explicit request, Kelyon is available to provide these documents.
- Access credentials for the application services provided by the Kelyon Cloud Infrastructure are unique to each user and cannot be shared.
Credentials must not be written down or stored in any manner that could facilitate unauthorized access by third parties.
- For the application services provided by the Kelyon Cloud Infrastructure, Kelyon offers a backup service as stipulated in the contract with the Customer.
Unless otherwise agreed with the Customer, the backup policy entails daily backups with a retention period of at least 60 days.
Backup logs are kept for a minimum period of 6 months.
Backups are replicated across at least three data centers, providing built-in resilience against widespread disasters.
- Kelyon tests backups twice a month to ensure their integrity and reliability for safe, uncompromised restorations.
- Kelyon implements a set of standard logs that enable the Customer to monitor various events.
The Customer is responsible for determining whether this set of logs meets its needs and aligns with its policies; if not, the Customer must define its event recording requirements with Kelyon.
The logs are stored on a centralized platform that ensures they are immutable and cannot be deleted, even accidentally.
- All activities related to addressing security issues and enhancing the usability of the services provided by Kelyon Cloud Infrastructure are conducted by Kelyon personnel with the appropriate permissions and delegations. Access is logged with timestamps.
- For the services delivered by Kelyon Cloud Infrastructure, system clocks are synchronized with approved time sources.
This synchronization occurs regularly to ensure accurate timestamps for data processing, logging, and auditing activities.
- The Customer must determine the information security requirements and then assess whether the services offered by Kelyon meet those requirements. To this end, the Customer is entitled to request information from Kelyon on the information security features adopted.
- Kelyon conducts development operations in a secure, dedicated environment using non-production test data. These operations are governed by specific written procedures. Kelyon can provide documentation on this process at the explicit request of the Customer.
- The Customer must include Kelyon within the scope of its information security policy for supplier relationships. This helps mitigate the risks associated with accessing and managing the data handled by the services offered by Kelyon.
- The Customer must confirm the roles and responsibilities regarding the security of information relating to the services provided by Kelyon and described in the relevant contract.
- Kelyon has a specific written procedure for handling information security incidents.
This procedure ensures a consistent and effective approach to addressing such incidents, including communications related to security events.
The procedure aims to:
- reduce the impact of information security breaches by ensuring that incidents are properly followed up;
- help identify areas for improvement that reduce the risk and impact of future incidents, decreasing the attack surface and the likelihood of Data Breaches.
Information security incidents should be reported as soon as possible by sending an email to cso@kelyon.com. Upon verification of the incident, the responsible staff will evaluate the situation and implement appropriate corrective actions and/or containment measures.
In the event of a data breach, it should be reported to the Kelyon DPO (dpo@kelyon.com), who will activate Kelyon’s specific operating procedure for managing data breaches. This includes promptly notifying the Personal Data Protection Authority and the Customer’s project leads about the breach.
A “Security Incident Report” will be created for Information Security Incidents.
An “Information Security Incident” is an event that has caused, or has the potential to cause, damage to Kelyon’s assets, reputation and/or customers. Such incidents include, but are not limited to:
- the loss or theft of data or information (Data Loss);
- the transfer of data or information to those who do not have the right to receive it (Data Leakage);
- attempts (failed or successful) to gain unauthorized access to the data or information stores (DataStore) of a computer system of Kelyon or its Customers;
- fraudulent changes to information or data in a computer system;
- unsolicited disruption of a service provided by the Kelyon Cloud Infrastructure;
- the action of malware or a DDoS attack.
When reporting an incident, the Customer must provide at least the following information:
- whether the loss of data puts any person or other data at risk;
- the date and time at which the security incident occurred.
It is therefore essential that the Customer reports any observed or suspected information security weakness in the services provided by Kelyon. Kelyon will respond to information security incidents in accordance with its documented procedures. The knowledge gained from the analysis and resolution of information security incidents will be used by Kelyon to reduce the likelihood or impact of future incidents.
- All data in transit managed on the Kelyon Cloud Infrastructure is encrypted using secure encryption protocols such as TLS.
- In the event of force majeure, natural disasters, terrorist acts or any other catastrophic event that is reasonably unforeseeable and impacts the infrastructure underlying the Kelyon Cloud Infrastructure, Kelyon reserves the right to migrate the services provided to the Customer to another ISO 27001, ISO 27017 and ISO 27018 certified provider, provided that the Disaster Recovery service is included in the contract with the Customer.
- The data processed by the Customer as Data Controller on the Kelyon Cloud Infrastructure will always be controlled by the Customer.
- Kelyon, in compliance with EU Regulation 2016/679 (GDPR), guarantees the data controller the possibility of receiving at any time a copy of the data in a structured, commonly used and machine-readable format (rights of access and data portability), as well as of knowing the physical location where the data resides.
- Kelyon ensures data and application portability, if the Customer opts to migrate to another cloud provider, thus preventing vendor lock-in.
- Kelyon, in compliance with EU Regulation 2016/679 (GDPR), guarantees the data controller the deletion of its data (“right to be forgotten”).
The right to erasure takes precedence over any interest in data retention. If a data controller requests the deletion of its data, Kelyon will proceed without undue delay and will not reserve the right to continue processing the data until the originally agreed deadline, regardless of whether that deadline is imminent or not.
- Kelyon, as a processor of personal data in the cloud, commits to including a provision in its contracts with customers that requires notification of any legally binding request for the disclosure of personal data by law enforcement authorities. Kelyon will provide such notifications in accordance with the procedures and timeframes agreed in the contract, unless prohibited by the law enforcement authority from disclosing such information. This ensures that customers are informed and can take appropriate action regarding any request for personal data disclosure.
- Kelyon has a specific policy in respect of the return, transfer and/or disposal of personal data. In the event of an explicit request by the Customer, Kelyon is available to provide this document.
- It is the Customer’s responsibility to request a documented description of the process of terminating the cloud service provided by Kelyon covering the removal of the Customer’s assets followed by the deletion of all copies of such assets from Kelyon’s systems. To this end, Kelyon has a specific written procedure for decommissioning a service, including how to return data (where necessary).
- Kelyon is committed to ensuring that all information, concepts, ideas, procedures, methods, and technical data that its staff become aware of while providing services to the Customer are treated as confidential and subject to secrecy.
Kelyon takes all necessary precautions with its collaborators to protect the confidentiality of such information and documentation. Additionally, Kelyon adheres to personal data processing legislation and respects the rights of individuals and other entities in accordance with the Italian Personal Data Protection Code (Legislative Decree 196/03 and subsequent amendments) and Regulation 2016/679 and its applications.
If the Customer deems it appropriate to request documented evidence of the implementation of specific security controls related to the services provided by Kelyon, and if this does not pose a risk to the information security of Kelyon and/or its Customers, such documents will be classified as ‘Confidential’ and provided to the Customer.
- Kelyon implements hardening as a process to enhance the security of the cloud environments used to provide services to customers. Two approaches are followed:
- One-time hardening: carried out once, after the initial setup of the environment;
- Recurring hardening: carried out repeatedly over the life of the environment, after major upgrades of the operating system or the installation of additional modules/libraries.
- Kelyon ensures that once the Customer’s cloud environment is deallocated, it is fully deleted and all data is completely erased before the resources are redeployed or reassigned. This process guarantees that no residual data remains.
- All communications made by Kelyon take place over HTTPS/TLS, which authenticates the remote endpoint and protects the confidentiality and integrity of the transmitted data.
- Kelyon ensures the limited use of printed materials, which are destroyed by shredding when they are no longer needed.
- Kelyon ensures that copies of security policies and operating procedures are maintained for a period of at least 5 years.
- The Customer should consider that applicable laws and regulations may include those governing both Kelyon’s jurisdiction and its activities.