The KanbanBOX team is strongly focused on ensuring both the security and the reliability of its applications and of the whole underlying digital infrastructure.
On one hand, we assure our customers that the application and the digital infrastructure are compliant with the relevant standards, such as ISO27001, and with applicable laws, such as GDPR.
On the other hand, you, as our customer, are supposed to manage the user accounts and the data within your accounts and license, making sure that your organization uses our applications in a proper and compliant way.
As a consequence, your data security has to be a joint responsibility and an effort of two parties working as a team.
In this document, we explain our shared responsibility model around information security.
Responsibility model
The following table summarizes who, between you and KanbanBOX, is responsible for each responsibility area:
Responsibility Area | KanbanBOX | Customer |
---|---|---|
Devices (PCs, Mobile, Printers) | ✓ | |
Data and Information | ✓ | ✓ |
User accounts | ✓ | ✓ |
Applications | ✓ | |
Host Infrastructure | ✓ | |
Customer's responsibilities
Client device security
KanbanBOX is responsible for your device security and especially keeping the device OS, browser and mobile applications updated to the latest version.
Shared responsibilities
Data and Information
KanbanBOX is responsible for:
- encrypting your data at rest and in transit between our systems;
- performing regular system-level data backups;
- notifying you in the event of a data breach affecting your data.
You are responsible for:
- the data and information you upload in the KanbanBOX application, and with which suppliers and customers you share them;
- ensuring that the data you upload is compliant;
- the security of data transmission when configuring an integration with an external system outside our infrastructure.
User accounts
KanbanBOX is responsible for:
- developing security features inside KanbanBOX that allow you to manage your users more effectively;
- providing strong authentication options, such as Multi-Factor Authentication, Single-Sign-On, Identity Management delegation, IP address restrictions.
You are responsible for:
- creating, updating and deleting user accounts;
- providing each user account with the most suitable access role;
- implementing strong authentication options;
- conducting regular access reviews;
- monitoring your organization's user accounts for malicious access or usage.
KanbanBOX's responsibilities
Applications
KanbanBOX is responsible for securing the application itself, including implementing security patches and preventing common vulnerabilities. We regularly conduct penetration testing and vulnerability assessment activities with independent third-party cyber-security advisors.
Host Infrastructure
KanbanBOX is responsible for securing the underlying infrastructure, including data centers, network, and hardware. We regularly conduct network vulnerability assessment activities with independent third-party cyber-security advisors.