ISO/IEC 27001 mandates specific requirements before an organization can be certified compliant. It requires that KLDiscovery:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts.
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment.
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs.
- Conduct annual audits to ensure security compliance.
SOC 2® Certified
KLDiscovery has been independently audited for SOC 2 compliance to provide detailed information and assurances about the controls pertinent to the security of the systems we use to process clients’ data and the confidentiality and privacy of the information processed by these systems.
HIPAA Security Rule Compliance
KLDiscovery has completed an independent audit resulting in a certification of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which also covers the Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA sets a national standard for the protection of consumers’ Protected Health Information (PHI) and electronic Protected Health Information (ePHI) by mandating risk management best practices and physical, administrative, and technical safeguards. The goal of the HIPAA Security Rule is to ensure the security, confidentiality, integrity, and availability of ePHI, to protect it against threats and unpermitted disclosures, and to ensure workforce compliance.
Accreditation Under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
KLDiscovery is accredited with the U.S. Department of Commerce under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Although we will not base personal data transfers from the EU or from Switzerland to the USA on the Privacy Shield Frameworks, we will still adhere to the obligations under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Following the decision of the Court of Justice of the European Union on July 16, 2020, declaring personal data transfers based on the EU-U.S. Privacy Shield invalid, the U.S. Department of Commerce has stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.
To learn more about the Privacy Shield program, its data protection requirements and to view our certification, please visit https://www.privacyshield.gov/.
State-of-the-Art Information Security
Data in our possession is secured by some of the most advanced data security and disaster recovery technology available, including:
- Multi-zoned, segmented networks to ensure isolation of critical systems and data. All internet traffic is transmitted over a firewall-to-firewall VPN.
- Role-based access controls on all systems and networks to ensure confidentiality. Access is regularly audited to ensure proper privilege levels for each employee.
- Redundancy across all critical systems to ensure availability. Backups are performed every 15 minutes between primary and backup data centers.
- Annual third-party penetration tests and monthly vulnerability scans.
Secure Data Centers
KLDiscovery’s data centers feature multiple layers of security and safety devices to protect the integrity of critical data, including 24x7 monitoring, redundant power and cooling systems, secured access requiring unique PIN or biometric reading, and secure storage for media and evidence.
Global data center locations:
- Austin, TX
- Eden Prairie, MN
- Brooklyn Park, MN
- Toronto, Canada
- Slough, England
- Dublin, Ireland
- Frankfurt, Germany
- Paris, France
- Tokyo, Japan
KLDiscovery adheres to a defense-in-depth strategy where preventative, detective, and reactive controls are deployed to monitor the systems environment. To that end, KLDiscovery maintains a wide range of security controls and tools across the technology stack, including:
- Penetration testing executed by a third party to provide an unbiased evaluation of the security posture of the application and infrastructure.
- Intrusion Detection System (IDS) technology to monitor and alert on malicious activity discovered in network traffic.
- Security Information and Event Monitoring (SIEM), which collects security events and logs from devices across the enterprise.
- Office 365 for monitoring and managing security across KLDiscovery accounts, data, devices, apps, and infrastructure.
- Anti-virus/anti-malware technology deployed to all enterprise workstations and infrastructure. Daily virus scans, monthly security patch updates, and expedited critical patches keep systems current.
- Predictive server management and monitoring enable early responses to potential hardware and application issues.