Security Practices


Keeping customer data safe and secure is a huge responsibility and a top priority for Kutano. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our information compromised, so we’re motivated by self-preservation as well. Aligning our goals with your goals is the best way to see eye-to-eye on the need to keep everything as secure as we can.

Access Control and Organizational Security

All our employees and contractors sign confidentiality agreements before gaining access to our code and data. Everybody at Kutano is trained and made aware of security concerns and best practices for their systems. Remote access to servers is via our VPN using two factor authentication, and limited to workers who need access for their day to day work.

Cloud Security

Data Center Physical Security

Kutano hosts Service Data in Microsoft Azure data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at Azure.

Azure on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about Azure physical security.

Vendor Security

Kutano minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.

Network Security

Dedicated Security Team

Our Security Team is on call 24/7 to respond to security alerts and events.


Our network is protected through the use of key Azure security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.


Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests (In Process)

In addition to our extensive internal scanning and testing program, each year Kutano employs third-party security experts to perform a broad penetration test across the Kutano Production and Corporate Networks.

Intrusion Detection and Prevention

Service ingress are instrumented and monitored to detect anomalous behavior.

DDoS Mitigation

Kutano is architected with the use of Azure scaling and protection tools provides deeper protection along with our use of Azure DDoS specific services.

Logical Access

Access to the Kutano Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Kutano Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.


Encryption in Transit

All communications with Kutano UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Kutano is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality.

Encryption at Rest

Service Data uses Azure Storage with Microsoft-managed keys. Data in Azure Storage is encrypted and decrypted transparently using AES-256 encryption (FIPS 140-2 compliant)..

Availability and Continuity


Kutano maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.


Kutano employs service clustering and network redundancies to eliminate single points of failure.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Application Security

Secure Code Training

Annual secure code training for all engineers, based on OWASP Top 10 security risks.

Framework Security Controls

Kutano leverages modern and secure frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

Vulnerability Management

Software Composition Analysis

We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.

Third-Party Penetration Testing (In Process)

In addition to our extensive internal scanning and testing program, Kutano employs third-party security experts to perform detailed penetration tests.

Product Security

Authentication Options

Kutano has several different authentication options: subscribers can enable native Kutano authentication, and/or Enterprise SSO (SAML) for end-user authentication. Learn about user access.

2-Factor Authentication (2FA)

Kutano native authentication offers 2-factor (2FA) for end users via SMS or an authenticator app. Learn about 2FA.

Role-Based Access Controls

Access to data within Kutano is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Kutano supports various permission levels for users (owner, admin, contributor, commenter, etc.).

Information Classification

Information is a critical resource at Kutano. To ensure that we meet customer, industry, regulatory, and privacy standards, and to reduce the risk that restricted or sensitive information is accidentally released to unauthorized parties, we follow a structured four-tier data classification system:

Public – This information is approved for public release by our Marketing team. Disclosing this information would not be a problem for Kutano, its customers, or business partners.

Internal Use Only* – This information is intended for use within Kutano, and in some cases with other affiliated organizations, such as business partners or vendors. Unauthorized disclosure of this information may be a violation of laws and regulations or may otherwise cause problems for Kutano, its customers, or business partners.

Confidential – This information is private or otherwise sensitive in nature and is restricted to those with a legitimate business need for access. Unauthorized disclosure of this information may be against laws and regulations, or may cause significant problems for Kutano, its customers, or business partners.

Secret – This information is the most private or otherwise sensitive, and is monitored and controlled at all times. Unauthorized disclosure of this information to people without a legitimate business need for access may be against laws and regulations and will cause severe problems for Kutano, its customers, or business partners.

  • If information is not explicitly assigned a data classification (i.e. is not labeled), it is categorized Internal Use Only by default.