Kahoot! recognizes Customer information and data as the most critical aspect and important success factor in our business. Having our Customers trust in our handling of their data is crucial to drive Kahoot! forward as the leading learning platform vendor.
To ensure the data is secure we at Kahoot! have implemented a set of safeguards and processes covering all parts of the data journey. In addition, with new features and opportunities in our learning platform continuously being added, we are driven by clear policies, principles and procedures to ensure data stays secure.
Kahoot! have implemented and maintains the following security controls for customer and user data, consistent with globally cloud service provider industry best practices, including:
- Controls, Policies & Procedures. Appropriate technical and administrative controls, and organizational policies and procedures.
- Named person in the role as a dedicated Chief information security officer (CISO) with focus on security in all areas of the Kahoot! business.
- Access Authorization. Access controls for provisioning users, which shall include providing Customers mechanism to view Customer users and their access privileges for licensed users.
- Logging. System and application logging where technically possible. Kahoot! retains logs for a maximum one (1) month, verify such logs periodically for completeness.
- Malicious code and/or software. Malware prevention software (e.g. antivirus) is implemented on infrastructure where applicable. Using Kahoot! does not demand any Customer hardware installment. Users can choose to install App on mobile devices.
- System Security. System and IT security controls at Kahoot! follows industry best practices, including: (i) A high-level diagram, which will be provided to Customers upon request; (ii) Kahoot! use a mix of industry standard cloud and software firewalls to dynamically limit external and internal traffic between our services; (iii) A program for evaluating security patches and implementing patches using a formal change process within defined time limits; (iv) Kahoot! Runs continuous penetration testing by an independent third party, with a detailed written report issued annually by such third party and provided to Customers upon request; (v) Documentation of identified vulnerabilities ranked based on risk severity, and corrective action according to such rank.
- Asset Management. An asset management policy is kept current, including asset classification (e.g., information, software, hardware).
- Kahoot! runs regularly cross company Risk Assessments to ensure potential risks are identified and managed.
- A Password policy and controls are implemented to protect data, including complexity requirements and multi factor authentication where available.
- Kahoot! uses sub-processors to strengthen the scalability. All sub-processors hold the highest level of security and have current certifications for, among others, ISO27001 and SOC2 Type 2. A list of sub-processors is attached in Annex A.
Kahoot! have a strong commitment to our Customers and users data. Compliance with the GDPR is a top priority for Kahoot! and our customers. The GDPR aims to strengthen personal data protection in Europe, and impacts the way we all do business. With Cloud, taking advantage of the global market is important to Kahoot!, delivering a learning platform to all. Kahoot! is diligent with its use of sub-processors, and never makes transfers outside the Europe/EEA without having appropriate safeguards in place. This may, where required, include additional safety measures.
- Kahoot! will handle our Customers and Users data securely, and consistent. To ensure this is a cross company focus, Kahoot! employs a dedicated person that is responsible for data protection.
- Encryption. Kahoot! have implemented encryption on all Customer and user data.
- At Rest: Customer data only resides in the production environment encrypted with industry best practices (currently AES-256 or similar).
- In Transit: All network communication uses TLS v1.2 or higher. Qualys’ SSL Labs scored our SSL implementation as “A+” on their SSL Server test.
- Data availability. Kahoot! runs multiple live data stores for availability
- Backups. Kahoot! runs continuous backup processes to ensure data and information consistency with highest standards. Testing of the backups is done regularly.
- Testing. Kahoot! never uses real Customer data in our development environment.
Running a service demands high focus on structure, best-practices, and proven methods. At the same time implement usage of new technologies when and where appropriate. This demands clear structure and procedures. For this Kahoot! has implemented, among others, following measures:
- A Business Continuity and Disaster Recovery policy and plans. These are tested on a regular basis. The plans include infrastructure and applications used to host Customer Information and provide Services to our Customers.
- To structure the work done Kahoot! uses an ISMS.
- The operation is thoroughly monitored with uptime checks, logs, trends analysis and IDS. Any significant issues are alerted on 24/7.
- Kahoot! operates a geo redundant platform with no fixed maintenance windows; The service is expected to be available continuously.
To ensure Kahoot! deliver on Customer expectation on quality, security, and privacy, Kahoot! have enforced controls on employee level
- All employees are required to secure their equipment following the Information security policy, including antivirus, encryption, and MFA.
- We run background checks and sign confidentiality agreements with all employees according to applicable laws. We also train them in Information Security and Secure Development Practices.
- For Kahoot! inclusion, equality, respect and honesty is important in everything we do, and conduct regular training in our policies, including
- Inclusion and Accessibility Policy
- Anti-bribery & Anti-corruption Policy
- Anti-Slavery & Anti-Child Labor Policy
- Gender Equality & Anti-discrimination Policy
- Whistleblowing policy
- Systems access control. Employee’s level of access is determined by the job position. Access reviews are performed periodically, and access is immediately removed if no longer necessary. Kahoot! enforces the least privilege principle.