We take security very seriously here at Kiwi. We know our customers trust us with their important data, and we use industry best practices to keep it secure.
Backups & Data Recovery
Everything stored on Kiwi is backed up daily. We have tested our recovery procedures, and in the event of a data loss, we are able to restore from backup within an hour.
We can provide customers with an export of their Kiwi content in HTML, CSV, or markdown format for additional peace of mind.
Encryption In Transit and At Rest
When using Kiwi, all of your data is sent via HTTPS. That means your data (e.g. passwords) is encrypted so it can’t be intercepted by hackers. Both our primary database and all backups are encrypted. All communication across data centers is over SSL. All servers that run Kiwi software in production are recent, continuously patched Linux systems.
Our web servers use the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.
Internal tier-to-tier requests are signed and authenticated to prevent request forgery, tampering, and replay.
We strive to make Kiwi a highly-available service that our customers can rely on. Kiwi runs on infrastructure that has fault tolerance and redundancy built-in. If incidents do arise, we keep our customers informed and work hard to resolve them as quickly as possible.
Hosting & Service Providers
We consider security as the primary criteria when choosing service providers to work with.
Kiwi builds on AWS Platform's compliance with leading standards for privacy and information security, including recurring re-examination by independent auditors.
Kiwi is hosted on Amazon AWS (Amazon Web Services). You can learn more about Amazon’s security here: https://aws.amazon.com/security.
Authentication is provided by Slack. You can learn more about Slack’s security overview here: https://slack.com/security.
Enterprise companies can run a dedicated instance of Kiwi isolated from any other customer. With Amazon AWS Cloud Formation, Kiwi uses a one-click self-hosting option that provides 100% control on data and network layer.
Our credit card processor has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Authentication to Kiwi can be handled via OAuth to Slack. You can enable 2-factor authentication on your Slack account for an added layer of security.
Access to Customer Data and Audit Policies
We have strict policies in place regarding Kiwi employee access to data you store on Kiwi. From time to time, certain employees may need to access customer data in order to diagnose and resolve issues. Whenever practical, we notify the customer and obtain written consent before doing so. We have granular audit logs in place to ensure that any access to customer data is logged.
Tableau Password Security / Tableau Data Access
Kiwi uses Amazon Key Management Services (KMS) to provide envelope encryption for all Tableau Server / Tableau Online passwords that need to be saved. Any access or change to that data is logged using Amazon AWS CloudTrail. These logs help to ensure compliance and regulatory requirements by providing details of when keys were accessed and who accessed them.
Kiwi does not have write or delete access for your Tableau system using the credentials you provide. Kiwi also does not have access to the data of Tableau views.
To provide the service, Kiwi relies exclusively on the integration tools and best practices suggested and provided by Tableau:
Permissions and access control
Kiwi customers can utilize a role-based access control (RBAC) functionality, which enables admins to limit the permissions of users within a team. In addition, Kiwi also uses a team-based access control for Tableau views to add more control on a more granular level and assign team members only the functionality and viewing permissions needed to do their job.
Additionally, everything added by admins is initially accessible only by admins and needs to be activated first before it is accessible to anyone else.
All new product features and internal processes are peer-reviewed and evaluated for their security impact before they are released to production. We strive to continuously monitor and improve our security practices in response to industry changes and customer feedback.