Security Overview
At Kernl, we maintain an enterprise-grade security posture designed to meet the needs of organisations that handle sensitive information. This page details the controls, protocols and practices we use to safeguard your data and ensure the reliability and integrity of our platform.
AI Security
| Provider | OpenAI |
|---|---|
| Model training | Kernl data is not used to train any AI models |
| Model oversight | We maintain appropriate oversight of our AI models to ensure they operate reliably, ethically, and in line with our security and privacy standards. |
| AI and the Australian Privacy Principles | For more information on the use of AI within Kernl and the Australian Privacy Principles please click here. |
Data Protection
| Data at rest | AWS KMS / SSE-S3 encryption for S3 objects. Encrypted RDS (Aurora) instances using AWS-managed keys. Disk volumes (EBS) also use AWS encryption for underlying containers if applicable. |
|---|---|
| Data in transit | TLS 1.2 or higher is enforced for all external and internal traffic. HTTPS is used for all web and API communication. Auth0 authentication tokens are transmitted securely over TLS. |
| API security | We implement secure APIs with: * Authentication: Auth0 with JWT tokens for all API access * Authorization: Role-based access controls ensuring users only access their authorized data * API Security: Rate limiting, input sanitization, and comprehensive data validation * Encryption: All data transmission uses TLS 1.2+ (as noted above) * Tenant Isolation: Strict separation between organisations' data |
| Secret management | Access to encryption keys (KMS) and secrets (Secrets Manager) is strictly controlled using AWS IAM roles and policies, following the principle of least privilege.Private keys for SSL/TLS certificates are managed by AWS Certificate Manager (ACM) and are not directly accessible. Application and infrastructure secrets (e.g., API keys, database credentials) are stored and accessed securely using AWS Secrets Manager. Database credentials leverage native Secrets Manager integration for automatic rotation. Other secrets are managed following a hybrid approach (Terraform for infrastructure, Console/CLI for values) with rotation configured as needed. |
| Intrusion detection and prevention | We utilise AWS CloudWatch for continuous monitoring of our infrastructure, collecting logs (including VPC Flow Logs, application, and database logs) and performance metrics. Potential security events or anomalies are identified through analysis of these logs and configured CloudWatch Alarms. Preventative measures include strictly configured Security Groups, application-level rate limiting, and robust input sanitisation. We plan to enhance these capabilities further by implementing dependency vulnerability scanning, AWS WAF for edge protection and AWS Inspector for infrastructure vulnerability scanning. |
Data Usage
| Data ownership | All Customer Data including any Customer Data input into the Software by Customer or generated through Customer’s use of the Software, shall belong to Customer, provided that Kernl shall have the right to access, use, and process such Customer Data to provide the Services and the functionality of the Software to Customer during the term of this Agreement |
|---|---|
| Data deletion | Data in Kernl is securely deleted either upon user request or automatically following account closure, in line with our data retention and privacy policies. |
| Data sharing | We don’t sell, rent, or provide information to third parties to help them advertise to you.Our financial interests are aligned with yours - we make money when you see value in and purchase one of our paid product offerings, It’s our view that using your personal or sensitive data in any manner other than to provide our services would be unethical and inconsistent with our values. |
Product Security
| Multi-Factor Authentication(MFA) | MFA is enforced |
|---|---|
| Single Sign On (SSO) | SSO is available by default |
| Access levels | User access within Kernl is fully configurable using a granular Role-Based Access Control (RBAC) model combined with hierarchical data scoping. This allows roles with specific permissions to be assigned via groups, restricting data visibility based on organisational structure and ensuring access aligns precisely with your security and privacy requirements. |
| User content and session data | When a user is signed into the Kernl platform (web or mobile app), we collect session and usage metadata, including IP address, browser type, device/machine type, operating system, city-level geolocation derived from IP address, and user ID. This information is shared with trusted subprocessors to support essential functions like troubleshooting, error reporting, product enhancement, and user analytics. We require our subprocessors to handle this data securely, employing measures such as encryption and hashing of identifiers where appropriate. |
| Intrusion detection and prevention | We perform routine penetration testing to uncover and remediate potential security weaknesses, helping to ensure our systems remain resilient against external threats. |
Organisational Security
| Asset inventory maintained | We maintain a comprehensive inventory of all production system assets to ensure they are properly monitored and managed. This supports a secure and well-organised environment. The inventory also includes the status of annual security assessments for assets involved in service delivery. |
|---|---|
| Confidentiality Terms | All employees, contractors and agents of Kernl must agree to confidentiality terms as part of their employment or contractor agreement before receiving access to Kernl systems or data. |
| Endpoint management | When a team member departs, we follow a structured offboarding process to promptly and securely remove their access to all systems. This helps safeguard your data and uphold our security protocols. |
| Information security training | Our employees receive ongoing training in information security at least annually, keeping everyone updated on best practices and the latest security protocols to protect your data. |
| Offboarding process formalised | We follow a defined offboarding procedure to quickly and securely remove system access for departing employees. This helps protect sensitive data and reinforces our commitment to strong security practices. |
| Information Security Management System (ISMS) | Kernl has implemented an Information Security Management System (ISMS) that reflects our commitment to protecting the confidentiality, integrity, and availability of information. Our ISMS is aligned with the principles of ISO/IEC 27001 and guides our approach to information security across the organisation. |
Infrastructure Security
| Data Storage | AWS |
|---|---|
| Data Location | Australia |
| Least permissions access control | In place |
| Segregated production environment | Our development, staging, and production environments are fully segregated to prevent unauthorized access and ensure the integrity of our live systems. |
| Web application firewall | We plan to implement a Web Application Firewall (WAF) to provide additional protection against common threats like SQL injection and cross-site scripting. Currently, these threats are mitigated through rigorous input sanitisation and Content Security Policies. |
| Network and system pardoning | We apply rigorous network and system hardening practices, including minimising attack surfaces by disabling unnecessary services, securely configuring components, and managing security patches, to reduce vulnerabilities and bolster defenses. |