Data Security
At Koalify, we understand the responsibility of handling sensitive data from other companies. Data security is our top priority, and we maintain full transparency about where your data is stored and how it is processed. Below, we provide an overview of our data flow, architecture, and security measures.
1. Overview
The following diagram offers a concise overview of the critical components involved in processing and accessing your data.
2. Where data is stored
The data is stored in a managed PostgreSQL database hosted in DigitalOcean's LON1 (London) datacenter. This database resides within a private network and can only be accessed via IP whitelisting.
Access to the database is limited to:
- The Kubernetes cluster managing application operations.
- A single developer who must whitelist their IP for each session.
Data is encrypted both at rest and in transit, using industry-standard protocols. Communications to and from the database are protected by TLS with a CA certificate, ensuring data confidentiality and integrity.
All data resides in a datacenter that holds the following certifications:
- SOC 2 Type II
- ISO 14001
- ISO/IEC 27001:2013
- ISO 50001
- PCI-DSS
The database has an uptime SLA of 99.99%. For more information about the database service, refer to DigitalOcean Managed Databases - PostgreSQL.
3. How data is processed
Data processing occurs within a containerized application running in a Kubernetes cluster, which shares the private network with the PostgreSQL database. This setup ensures secure communication between the application and the database, with all communication encrypted via TLS.
Our application enables deduplication of client records in HubSpot by:
- Identifying and reporting duplicate records.
- Synchronizing and merging records through background processes that communicate with HubSpot.
This functionality is accessible through a public TLS-encrypted API.
All processing resides in a datacenter that holds the following certifications:
- SOC 2 Type II
- ISO 14001
- ISO/IEC 27001:2013
- ISO 50001
- PCI-DSS
All processing happens on droplets, which have an uptime SLA of 99.99%. For more information about the processing, refer to DigitalOcean Droplets and DigitalOcean Kubernetes.
4. How access is authorised
We enforce robust authorization mechanisms to ensure secure and tamper-proof access to your data:
- OAuth Authentication: Communication to HubSpot happens through the HubSpot OAuth Authentication flow.
- Request signature verification: Koalify accepts only untampered requests that come directly from HubSpot, which it verifies by validating the signature header.
- Short-lived tokens: Once a verified request is made from HubSpot to Koalify, a short-lived token is generated that allows the user to make subsequent requests for as long as the token is valid. This token is used to communicate with the settings app.
There are three public API endpoints:
- https://hook.koalify.io: Handles webhooks from HubSpot only.
- https://api.koalify.io: Handles API requests from HubSpot, or using a short-lived token.
- https://app.koalify.io: Processes authenticated user interactions via HubSpot or short-lived tokens.
This approach ensures secure and controlled access to the data while leveraging HubSpot’s robust authentication mechanisms.
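The signature check and short-lived token described above, as an added example that is not Koalify's code. It assumes HubSpot's v3 request signature (`X-HubSpot-Signature-v3` with `X-HubSpot-Request-Timestamp`); the page does not say which signature version is used, and the token format, lifetime, sample secret and `/example` path are hypothetical.

```python
import base64, hashlib, hmac, time

MAX_AGE_MS = 5 * 60 * 1000   # HubSpot v3 guidance: reject requests older than 5 minutes
TOKEN_TTL_S = 600            # assumed lifetime; the page only says "short-lived"

def v3_signature(client_secret, method, url, body, ts):
    """base64(HMAC-SHA256(secret, method + full URL + raw body + timestamp))."""
    msg = (method + url).encode() + body + ts.encode()
    return base64.b64encode(hmac.new(client_secret.encode(), msg, hashlib.sha256).digest())

def verify_hubspot_request(client_secret, method, url, body, headers, now=None):
    """True only if the signature header matches and the timestamp is fresh."""
    now_ms = (time.time() if now is None else now) * 1000
    sig = headers.get("X-HubSpot-Signature-v3", "")
    ts = headers.get("X-HubSpot-Request-Timestamp", "")
    if not sig or not (ts.isascii() and ts.isdigit()):
        return False
    if abs(now_ms - int(ts)) > MAX_AGE_MS:   # stale or future-dated: possible replay
        return False
    expected = v3_signature(client_secret, method, url, body, ts)
    return hmac.compare_digest(expected, sig.encode())   # constant-time compare

def mint_token(token_key, portal_id, now=None):
    """Issue 'portal.expiry.mac' only after a request has been verified."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL_S
    payload = f"{portal_id}.{exp}"
    return payload + "." + hmac.new(token_key, payload.encode(), hashlib.sha256).hexdigest()

def check_token(token_key, token, now=None):
    """Return the portal id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    portal_id, exp, mac = parts
    good = hmac.new(token_key, f"{portal_id}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good.encode(), mac.encode()):
        return None
    return portal_id if now < int(exp) else None   # exp is covered by the MAC

# Constructed sample request (secret, key, path and body are made up for this example)
SECRET, KEY = "example-client-secret", b"example-token-key"
URL, BODY, TS = "https://api.koalify.io/example", b'{"portalId":123}', "1700000000000"
HEADERS = {"X-HubSpot-Signature-v3": v3_signature(SECRET, "POST", URL, BODY, TS).decode(),
           "X-HubSpot-Request-Timestamp": TS}
```

The signature must be computed over the raw request body exactly as received; re-serialising parsed JSON before hashing will make valid requests fail verification.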
5. Security Monitoring
Our systems are continuously monitored using the Aikido security platform, which includes:
- Software Composition Analysis (SCA)
- Supply Chain Posture Management (SCPM)
- Static Application Security Testing (SAST)
- Secrets Detection
- Infrastructure as Code (IaC) Scanning
- Container Image Scanning
- Malware Detection
This comprehensive monitoring ensures vulnerabilities are identified and addressed promptly.
6. IT-Policies
Our IT policies are designed to prioritize privacy and security at every level:
- Privacy and Security First: see our Privacy Policy and Data Processing Addendum.
- Controlled Access: Access to production systems is limited to authorized personnel via IP whitelisting or SSH keys.
- Encryption: Data is always encrypted at rest and in transit.
- Least Privilege Principle: Access is granted only to authorized personnel with a clear business need.
- Secure Communication: All interactions with the Koalify platform are secured and authenticated using OAuth, HubSpot request verification, and short-lived tokens.
- Secret Management: All secrets are managed through a dedicated platform, Doppler, and are always encrypted in the cluster.
- Compliance:
  - We comply with the General Data Protection Regulation (GDPR) as the minimum standard for protecting user data and ensuring privacy rights.
  - Measures include obtaining explicit consent, allowing users to manage their data, and secure handling of personal information in line with GDPR requirements.
7. HubSpot Certified
The HubSpot Quality and Security team has reviewed and certified Koalify's technical setup, ensuring compliance with their strict security and quality standards.

If you have any more questions, we are happy to answer them in full transparency at security@koalify.io.