Security Policy

Last Update: December 17th, 2024

1. Introduction

Kubewise is committed to protecting the security and privacy of our users' data. This security policy outlines the measures we take to ensure the confidentiality, integrity, and availability of the data we collect and process.

2. Data Collection and Usage

2.1 Types of Data Collected

  • Personal Data: Name and email address.

  • Company Data: Credit card and billing address. Credit card information is stored securely with Stripe.

  • Cluster Data: Information from Kubernetes clusters regarding applications running on them.

2.2 Data Collection Methods

  • Cluster Data: Collected via the Kubewise agent installed in the user's cluster.

  • User and Company Information: Collected through user prompts in the interface or via OAuth2 if the user opts for it.

3. Data Storage

  • Infrastructure: Data is stored in a private cloud infrastructure.

  • Storage: Most collected data is stored in a SQL database, as well as in an object storage bucket.

4. Data Processing

  • Processing Methods: Data is processed on user demand, which can be scheduled.

  • Third-Party Access: No third-party vendors have access to the data collected.

5. Security Measures

5.1 Encryption

  • In Transit: Data is encrypted using HTTPS with TLS 1.2+ for user/Kubewise agent connections and mutual TLS (TLS 1.3) for internal communications.

  • At Rest: Data is encrypted both in transit and at rest.

  • Principle of least privilege: Our infrastructure follows the least privilege rule, where each internal service has only the minimum access it needs to function properly.

  • Password Storage: User passwords are stored encrypted using a strong hashing algorithm (when not authenticated with OAuth2).

5.2 Access Control

  • Role-Based Access Control (RBAC): Administrators can select the role of each user. Please refer to the documentation for more information.

5.3 Security Audits

  • Internal Audits: Kubewise uses its own solution to audit its infrastructure security.

  • External Audits: We are planning on conducting regular external security audits.

6. Compliance

  • GDPR Compliance: Kubewise complies with GDPR regulations to ensure the protection of personal data.

7. User Management

7.1 Authentication

  • OAuth2: Users can connect using OAuth2 via Google.

  • Multi-Factor Authentication (MFA): MFA is currently not implemented but is planned for future enhancements.

7.2 Authorization

  • Role-Based Access Control (RBAC): Administrators can select the role of each user to control access to data and features.

8. User Data Requests

8.1 Data Access

  • Access Methods: Data is accessible directly via the platform.

8.2 Data Deletion

  • User data: User data will be automatically deleted when the user account is deleted.

  • Cluster data: Data collected from a cluster is automatically deleted when the cluster is deleted.

9. Third-Party Integrations

9.1 Stripe Integration

  • Payment Processing: Kubewise integrates with Stripe for payment processing using their provided SDK.

  • Data Sharing: Only the minimum necessary information is sent to Stripe to process payments.

  • Security: Stripe is regularly audited for security (PCI certified). More information on their website.

10. Communication

10.1 Policy Updates

  • Website Updates: Security policy updates will be posted on the Kubewise website.

  • Email Notifications: Users subscribed to email updates will be notified of significant changes to the security policy.

11. Future Plans

  • Security Audits: Kubewise plans to conduct an external security audit.

  • Enhancements: Continuous improvement of security measures and features.

12. Contact Information

If you have any questions or concerns about this Privacy Policy, please contact us at hello@kubewise.io or via mail: Nephely, 5 rue des suisses, 75014 Paris, France.