Information Security Management

We understand the value of the organization's information integrity and availability; that is why Konverso pays special attention to information security management. Our team strives to ensure robust protection of both our intellectual property and our clients' data. This document describes the features and processes put in place at Konverso to best protect the application data.


Company

Konverso is a French startup creating virtual agents (chatbots). Our virtual agents provide clients with the first level support: answering employees' questions on technical or HR issues.

In 2020, global analyst firms ranked Konverso as one of the top 10 IVA vendors.


Cyber security insurance details

91880073398, underwritten by:

  • AXA France IARD

  • 313 Terrasses de l’Arche

  • 92727 Nanterre Cedex

Team

Data Protection Officer

The appointed Data Protection Officer (DPO) is Amédée Potier. In addition to managing company security, he is in charge, as the CTO, of all important decisions on tools, purchases, architecture issues, and processes associated with IT.

Any internal or external questions related to data protection should be sent to dpo@konverso.ai.

Monthly security awareness meetings

The DPO runs monthly security review meetings with all employees to review key security-related procedures and best practices. As part of the preparation for this meeting, the CEO and the DPO review the current administrator privileges and adjust them, if necessary, in accordance with the defined rules.

Data

Backup

Konverso’s recovery strategy:

  • We make environment backups at least once every 24 hours.

  • Backup hosts are designed to be in a region different from the VM to be backed up.

  • Backups are encrypted. Only the team members who are granted access to the environment may have access to the key to decrypt the backup data.

  • Solution configuration and settings are stored in Bitbucket customer repositories with versioning and access restrictions.

  • With the database and solution code, any environment can be recreated and returned to full functionality in less than 2 hours.

To summarize our recovery strategy:

  • RPO (Recovery Point Objective) is 24 hours

  • RTO (Recovery Time Objective) is 2 hours

We run random full recovery tests on one customer environment at least once per quarter.

Data location

All Konverso customer data is stored in the Microsoft Azure cloud environment, running in the region requested by the customer. We currently have instances running on different continents.

Sensitive data

Our customers use our software to provide employees with HR and IT services. Within the scope of our application, users and the chatbot might exchange user information during a conversation. Only IT- or HR-related questions are exchanged, and these can be considered sensitive; however, no payment, credit card, or salary information is shared.

Retention

Our application allows organizations to define the data retention period. User data that is older than the retention period is automatically deleted.

Contact us if you wish to set a specific data retention period for your organization.

Application code

Various processes are put in place to protect the application code against any tampering or inclusion of any malware.

Source control access

  • The source code is managed in a secured source code control environment in Atlassian Bitbucket.

  • Only selected and qualified engineers are members of the group with Bitbucket Write permissions.

  • All projects are organized in distinct groups for the core product, solutions, and customer solutions.

  • Only the team members that really require access to a particular group are granted access to that group.

Source code review

No code change can take place without the creation of a pull request and corresponding code review. Approval and review comments are all tracked.

Any code change must be associated with a development ticket that describes the purpose of the change. No code change can be done without a related ticket and a clear purpose that was agreed to in the sprint planning.

Third-party code

We carefully select the third-party code (such as open-source packages) that is embedded inside our application.

  • An internal request ticket is created for integrating new third-party code.

  • License and source packages are reviewed for approval by the Konverso CTO/DPO.

  • The open source package is downloaded only from known and trusted sources.

  • Selected package versions are documented, so customers can review the list of third-party products.

Data Segregation

Distinct network subnets, VMs and source code repositories are used for:

  • Development environment (accessed by Konverso developers), which does not contain customer data.

  • Production environments (accessed by our customers and our consultants).

    • For the dedicated environment: we use one distinct set of VMs and a distinct subnet per customer solution.

    • For mutualized (multitenant) environments such as Koji or K365, the data is segregated within the database using tenant information in our database schema.

Furthermore, in a typical customer deployment, there is data segregation between production and non-production, using distinct hosts for the production and pre-production environments.
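The two mechanisms described above, a tenant column in the schema that segregates multitenant data (the mutualized environments) and the per-organization retention period after which older user data is deleted (see Retention), are illustrated below in an added example. This is not Konverso's code: the `conversations` table, its column names, the `TenantScope` class and the sample messages are all constructed for the illustration. The point it demonstrates is that every read and delete is bound to one tenant, so a retention sweep for one organization can never touch another organization's rows, and a per-user deletion request is likewise scoped.

```python
"""Tenant-scoped data access with per-tenant retention (constructed example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed schema: tenant_id is part of every row, and every query below filters on it.
SCHEMA = """
CREATE TABLE conversations (
    id         INTEGER PRIMARY KEY,
    tenant_id  TEXT NOT NULL,
    user_id    TEXT NOT NULL,
    message    TEXT NOT NULL,
    created_at TEXT NOT NULL   -- ISO 8601 in UTC, so string order == time order
);
CREATE INDEX idx_conv_tenant ON conversations(tenant_id, created_at);
"""


class TenantScope:
    """All data access goes through an instance bound to exactly one tenant.
    There is deliberately no method that reads or deletes across tenants."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")  # refuse unscoped access
        self.conn = conn
        self.tenant_id = tenant_id

    def add_message(self, user_id, message, created_at):
        self.conn.execute(
            "INSERT INTO conversations (tenant_id, user_id, message, created_at)"
            " VALUES (?, ?, ?, ?)",
            (self.tenant_id, user_id, message, created_at.isoformat()))

    def messages(self):
        rows = self.conn.execute(
            "SELECT user_id, message FROM conversations WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,)).fetchall()
        return [tuple(r) for r in rows]

    def purge_older_than(self, retention_days, now):
        """Retention mechanism: delete this tenant's rows older than its own cutoff."""
        cutoff = now - timedelta(days=retention_days)
        cur = self.conn.execute(
            "DELETE FROM conversations WHERE tenant_id = ? AND created_at < ?",
            (self.tenant_id, cutoff.isoformat()))
        return cur.rowcount

    def delete_user(self, user_id):
        """Targeted deletion of one user's data, still bound to this tenant."""
        cur = self.conn.execute(
            "DELETE FROM conversations WHERE tenant_id = ? AND user_id = ?",
            (self.tenant_id, user_id))
        return cur.rowcount


def retention_sweep(conn, retention_days_by_tenant, now):
    """Nightly job: apply each organization's own retention period.
    Returns {tenant_id: rows_deleted}."""
    return {tenant: TenantScope(conn, tenant).purge_older_than(days, now)
            for tenant, days in retention_days_by_tenant.items()}


def demo():
    """Constructed scenario: two tenants with different retention periods."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    a = TenantScope(conn, "tenant-a")
    b = TenantScope(conn, "tenant-b")
    a.add_message("alice", "How do I reset my VPN password?", now - timedelta(days=40))
    a.add_message("alice", "Where is the leave request form?", now - timedelta(days=5))
    b.add_message("bob", "My laptop will not boot", now - timedelta(days=40))

    # Tenant A keeps 30 days, tenant B keeps 90 days: only A's old row is removed.
    purged = retention_sweep(conn, {"tenant-a": 30, "tenant-b": 90}, now)
    try:
        TenantScope(conn, "")
        rejected_unscoped = False
    except ValueError:
        rejected_unscoped = True
    return {
        "purged": purged,
        "a_messages": a.messages(),
        "b_messages": b.messages(),
        "deleted_bob": b.delete_user("bob"),
        "rejected_unscoped": rejected_unscoped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The retention sweep reuses the same scoped object as normal reads, so the cutoff for one organization is applied to that organization's rows only; a forgotten `tenant_id` predicate is structurally impossible rather than something a reviewer has to catch in every query.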

Third-party data sharing

Some Konverso Kbot features leverage external services. If these are enabled, some user data can be shared with these external applications and the related customer is notified of such data sharing.

Microsoft Cognitive Services Speech to Text

In case a user activates the Speech to Text feature, the user’s recorded voice is sent to the Microsoft Azure environment, located in Western Europe. This feature may be turned on or off in your configuration.

Microsoft Cognitive Services Text to Speech

In case a user activates the bot’s voice function, the bot responses are sent to the Microsoft Azure environment, located in Western Europe. This feature may be turned on or off in your configuration.

Pandora Bot

If the user inputs a “social chatting” sentence, this sentence is sent for evaluation to the social chatting engine powered by Pandorabots. This feature may be turned on or off in your configuration.

Search Engines

If search on public content, such as the Microsoft Support or Google Support databases, is active, the user input can be sent for evaluation to one or more search engines:

  • Google Search: for search on the content of the selected site.

  • Microsoft Search.

This feature may be turned on or off in your configuration.

Regulatory compliance

We are GDPR compliant:

  • We only store customer data that is required;

  • There is a mechanism in place to delete particular user data;

  • There is a retention mechanism;

  • The administrator can review the collected data through the Profile view.

Send an email to dpo@konverso.ai if you want us to fully delete any user, customer or tenant-related data.