Earning Your Trust
Compliance
Kaseya recognizes our customers need to understand and verify the robustness of controls that assure the confidentiality, integrity and availability of your data. With Kaseya’s governance, risk and compliance team, we drive attainment and maintenance of industry-recognized security and privacy standards and frameworks.
SOC 2 TYPE II
Kaseya conducts SOC 2 Type II audits and receives assessor reports that validate the operating effectiveness of internal controls that govern our IT Complete modules, infrastructure and business operations for the Trust Services Principles of Security, Integrity, Availability, Confidentiality and Privacy.
SOC2 Type II attestation reports, or SOC3 reports, meet the needs of a wide range of stakeholders (e.g., customers, regulators, business partners, suppliers, directors, etc.) that need a thorough understanding and confirmation of the presence of internal controls that assure one or more of the Trust Service Principles.
Kaseya may, from time to time, deliver new IT Complete modules and services to market, whether through acquisition or other means, that have not been SOC2 Type II audited. In such cases, we will work diligently to deliver this same standard of verification in future.
Compliance Qualified
Datto, A Kaseya company is also dedicated to ensuring its products, processes and technologies meet or exceed key industry compliance requirements, including, SOC 2 Type 2 as well as the following privacy regulations: GDPR, CCPA, and the EU-U.S. Privacy Shield. Customers can download the SOC3 Reports of Datto products below. Attestation and other governance, compliance, and risk management inquiries can be sent to [email protected].
ISO 27001
Kaseya requires that the datacenter facilities used in the delivery of our IT Complete modules and services are certified and maintained to the ISO 27001 standard.
HIPAA
Kaseya offers IT Complete modules and services to entities that are subject to the Healthcare Insurance Portability and Accountability Act (HIPAA). Depending on how Kaseya modules are used by a covered entity, we may be considered a business associate. In such circumstances, Kaseya will enter into a Business Associate Agreement contract that outlines expectations and requirements of both parties to keep protected health information (PHI) private and secure.
To request a Business Associate Agreement please contact your Kaseya account manager.
Penetration Testing
Security validation processes, throughout the software development lifecycle, are necessary to identify and correct weaknesses that may exist in IT Complete modules ahead of threat actor discovery. As penetration testing is one of the most integral security validation processes that exist, Kaseya leverages expertise from both external partners and full-time staff to conduct penetration testing.
External Penetration Testing Partnerships
Kaseya has standing relationships with best-in-class service providers that conduct annual external penetration tests (pentests) for our IT Complete modules.
Internal Penetration Testing Expertise
Kaseya employs a team of experts that specialize in web application hacking and penetration testing to conduct more frequent and rigorous penetration tests of Kaseya IT Complete modules and services. These in-house tests allow us to validate IT Complete modules more than once annually, which is an exceptional practice.
Information Security Strategy
We work every day to address the evolving threat landscape and its associated cyber risks for ourselves, our customers and those that our customers depend upon. Successful management of cyber risk and preparation for evolution in threats requires strong tactical execution and a long-term commitment to improving cyber resilience. We formalize our commitment and strategy in the Information Security Strategic Plan, which allows us to design our information security program capabilities to address the realities of both today and tomorrow.
Vision
Kaseya’s Information Security vision is to be known for our unwavering commitment to cybersecurity and the protection of our customers’ and company’s data. We aim to create a secure digital environment where innovation can flourish, and our customers can trust in the safety of their information. We envision a future where our team is empowered to make a tangible impact on the cyber security landscape and our organization is recognized as a model for best practices in cyber security.
Mission
Kaseya’s Information Security mission is to protect the livelihood of our customers and company from cyber threats.
Strategic Plan
Kaseya’s Information Security Strategic Plan (“The Strategic Plan”) sets forth strategic objectives that outline long-term areas for continued focus and maturation of information security at Kaseya. The Strategic Plan is reviewed and updated annually by the Kaseya CISO. The Strategic Plan is instrumental in assuring information security is an aligned business activity, and we are unified organizationally in our approach to securing ourselves and our customers against current and future threats and cyber risks.
Product Security
Kaseya’s IT Complete platform consists of unique modules that are purposely compartmentalized from each other to ensure the highest levels of security, reliability and continuity for our customers. Each IT Complete module is developed, monitored and secured independently.
Authentication
Kaseya IT Complete modules are capable of Multi-Factor Authentication (MFA) configuration to enhance security protection for login credentials and prevent account takeover via compromised credentials. Single Sign-On (SSO) is supported, which allows customers to adopt their own authentication security practices to access Kaseya IT Complete modules.
Role-Based Access Control
Kaseya IT Complete modules provide customers with the ability to implement role-based access control and apply the principle of least privilege to manage and secure user access.
Secure Software Development Lifecycle (SSDLC)
Kaseya IT Complete modules are developed using a formal and documented software development lifecycle with software security activities integrated into planning, design, build, review, release and maintenance stages. The activities include source composition analysis, open-source software scanning, secrets management, penetration testing, secure code review, static and dynamic application security and vulnerability testing, and quality assurance unit and regression testing, amongst others.
Data Protection
Customer data processed or stored by Kaseya is classified as the highest sensitivity in Kaseya’s data classification model. We do this to assure the strongest protections for all customer data, regardless of what the underlying data is or how customers may classify it. This highest sensitivity classification requires that we deploy the highest degree of reasonable security controls and protections in pursuit of customer data protection. We employ layers of physical and technical capabilities supported by people, process and technology to keep data secure.
Data Segmentation
Kaseya protects customer data from inappropriate use or loss. We use production systems that are kept logically separate from internal IT systems. For any multi-tenant IT Complete modules, we implement logical data segmentation and processing through technology controls designed specifically to assure data confidentiality.
Platform Security
Kaseya uses a defense-in-depth strategy with hardened software and operating systems to protect data. Kaseya conducts regular assessments to ensure systems’ cyber hygiene and operating fitness to support IT Complete modules.