Before you trust a cloud provider like Kahootz with your company or project data, you want to be confident that it will be well looked after on many levels.
Security in transit
All communication between the end user's browser and the Kahootz servers goes over HTTPS, that is, TLS (still widely referred to as SSL).
This means the traffic is encrypted in transit: anyone capturing it between the browser and our servers sees only ciphertext, and cannot read the data without the session keys.
The server certificate also authenticates us as a company, so your browser can confirm that it is talking to the genuine Kahootz site each time.
Kahootz uses certificates signed with SHA-256 and negotiates cipher suites with 256-bit keys where the client supports them, falling back to 128-bit suites otherwise, the same approach taken by most banks and financial institutions.
That applies to every page and to all uploads and downloads, not just the login page.
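The cipher policy described above ("256-bit where possible, 128-bit as the fallback, nothing weaker") can be written down and audited rather than taken on trust. The following is an added example, not Kahootz's code or configuration: the suite specification string, the 128-bit floor and the TLS 1.2 minimum are illustrative assumptions. It builds a server-side TLS context with Python's standard `ssl` module, reads back the suites OpenSSL would actually offer, and classifies them by symmetric key strength.

```python
"""Added example (not Kahootz code): express 'prefer 256-bit suites, accept 128-bit, never
less' as a checkable TLS cipher policy and audit a server context against it."""
import ssl

# Assumption for illustration only; this is not Kahootz's real cipher configuration.
# AEAD suites with ephemeral (ECDHE) key exchange only. Note that TLS 1.3 suites are
# governed separately by OpenSSL and still appear in get_ciphers(); they are all >= 128 bits.
SUITE_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20"
MIN_BITS = 128   # assumed floor; anything below is a policy violation


def classify(ciphers):
    """Bucket SSLContext.get_ciphers() entries by symmetric key strength.

    Returns (strong, acceptable, weak): suite names at >= 256 bits, at MIN_BITS..255 bits,
    and below MIN_BITS respectively."""
    strong, acceptable, weak = [], [], []
    for c in ciphers:
        bits = c["strength_bits"]
        if bits >= 256:
            strong.append(c["name"])
        elif bits >= MIN_BITS:
            acceptable.append(c["name"])
        else:
            weak.append(c["name"])
    return strong, acceptable, weak


def policy_ok(ciphers):
    """The page's claim as a predicate: at least one 256-bit suite offered, nothing under 128."""
    strong, _acceptable, weak = classify(ciphers)
    return bool(strong) and not weak


def build_server_context(spec=SUITE_SPEC):
    """Server-side context restricted to the policy; TLS 1.2 is the protocol floor (assumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(spec)          # raises ssl.SSLError if nothing in the spec is available
    return ctx


def audit(spec=SUITE_SPEC):
    """Classify the suites a context built from `spec` would actually offer on this OpenSSL."""
    return classify(build_server_context(spec).get_ciphers())


if __name__ == "__main__":
    strong, acceptable, weak = audit()
    print("256-bit suites:", ", ".join(strong))
    print("128-bit fallback suites:", ", ".join(acceptable))
    print("below policy:", ", ".join(weak) or "none")
    print("policy satisfied:", policy_ok(build_server_context().get_ciphers()))
```

Run it on the host that terminates TLS: the interesting output is the third line, which should read `none`. Because `get_ciphers()` reports what the linked OpenSSL will really negotiate, the check catches a build or distribution default that silently re-enables a weak suite behind a reasonable-looking configuration string.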
Security on passwords
Each user of your site has their own password. Passwords are chosen by the users themselves, not generated by Kahootz.
They are stored as one-way hashes, so they cannot be read back, only checked against a login attempt, and they are never emailed to anyone in plain text.
(If you have forgotten your password, Kahootz can email you a reset link instead.)
You can also opt in to additional password rules for your site, such as minimum length, required character classes, change requirements, lockout after repeated failed attempts, and so on.
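To make the storage and policy points above concrete, here is an added example (not Kahootz's code, and not a description of how Kahootz implements this) of what "one-way, can only be checked" and the optional rules look like in practice: a salted PBKDF2-HMAC-SHA256 hash that is re-derived and compared in constant time, a length and character-class policy, a reuse check against recent hashes, and lockout after repeated failures. The iteration count, lockout threshold, history depth and rule thresholds are illustrative assumptions.

```python
"""Added example (not Kahootz code): one-way password storage with a per-user salt,
constant-time verification, configurable complexity rules, reuse checks and lockout
after repeated failures. All parameters are illustrative assumptions, not Kahootz's."""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 200_000   # assumption: raise as far as your login latency budget allows
MAX_FAILED_ATTEMPTS = 5       # assumption: lockout threshold
PASSWORD_HISTORY = 3          # assumption: how many previous passwords may not be reused


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    The stored string cannot be turned back into the password; a login attempt is
    checked by re-deriving the digest with the same salt and comparing the result."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time check of a candidate password against a stored hash string."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def check_policy(password, min_length=12, required_classes=3):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < required_classes:
        problems.append("uses %d of 4 character classes, needs %d" % (classes, required_classes))
    return problems


class Account:
    """Minimal account record: current hash, recent hashes, failure counter, lock flag."""

    def __init__(self, password):
        if check_policy(password):
            raise ValueError("password does not meet policy")
        self.stored = hash_password(password)
        self.history = []           # hashes of previous passwords, newest first
        self.failed = 0
        self.locked = False

    def login(self, attempt):
        """True on success; a locked account rejects even the correct password."""
        if self.locked:
            return False
        if verify_password(attempt, self.stored):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def change_password(self, new_password):
        """Apply the complexity rules and refuse reuse of the current or recent passwords."""
        if check_policy(new_password):
            return False
        for old in [self.stored] + self.history:
            if verify_password(new_password, old):
                return False
        self.history = ([self.stored] + self.history)[:PASSWORD_HISTORY]
        self.stored = hash_password(new_password)
        return True
```

Two details matter more than they look. The salt is what makes "same password, different users" produce different stored values, so a leaked table cannot be attacked with one precomputed dictionary; and `hmac.compare_digest` avoids leaking, through response timing, how many leading bytes of a guess were right. A reset link, as the page describes, sits on top of this: the old hash is simply replaced, and the plaintext never needs to exist on the server or in an email.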
Separation of customers
Although our systems run a large number of sites for a wide variety of clients, Kahootz separates client sites as standard, so your users are truly yours and cannot reach information belonging to other Kahootz clients.
Nobody else's workspaces will appear on your site just because some of your users are also associated with other Kahootz clients.
We also give every site its own unique address as standard, so you can configure your firewall to allow access to your site, and your site alone.
Security at rest
Kahootz uses a range of lockdowns, perimeter tests and controls to stop attacks from affecting our servers, and every part of the software is security tested both in design and in deployment. As a government supplier working to high security levels, we are checked regularly by CREST-approved penetration tests. These combine automated attempts to break into the system with manual attacks by qualified testers whose knowledge of current vulnerabilities and real attacker techniques is kept up to date, so that any flaws we might have are found. We have consistently been marked as clean!
In any evaluation of security, people should be treated as the weakest point; they make mistakes, and they can be compromised.
Every member of Kahootz staff has been vetted to BS 7858, which verifies their identity and includes a full criminal records check.
We are a fully ISO 27001 certified company, so all of our processes are checked and monitored against that standard. That certification covers our own development, release and internal processes, not just our data centre (although the data centre is of course certified too). Both standards apply to all our staff, those who can access your critical data and those who cannot; they even apply to our marketing team!
Only a small number of very senior Kahootz staff have access to our live servers and your data.
All such access is logged, and it happens only when the need arises, usually in response to a support ticket.
Being a safe place for your data means not just security but also reliability of the service.
We run the service on an easily expandable cluster of machines with no single point of failure.
We host our equipment with IOMART, a leading supplier of UK business services. We are experts at collaboration software and at running reliable web services; we let them concentrate on running the underlying infrastructure, with multiple connections to the Internet, and on managing the hardware layer (both physical and virtual).
Kahootz has long-term experience of handling sensitive data for a variety of organisations, including meeting the rigorous standards of the UK government's own tests and checks.
That is why we were one of the earliest organisations to pass the then-new Pan Government Accreditation (PGA), shortly after the likes of Microsoft, despite our distinctly smaller size.