Kepito - Advanced BIM Metadata Analytics for Autodesk Construction Cloud

Information & Data Security Policy

Last updated: 13th December 2024

Kepito is committed to implementing comprehensive information security measures to protect your BIM data and personal information. This policy outlines our security framework, technical safeguards, and organisational practices designed to ensure the confidentiality, integrity, and availability of your data.

We understand that your BIM data represents significant intellectual property and competitive advantage. Our security practices are designed to meet enterprise standards whilst remaining transparent about our approach and any limitations as we continue to grow and improve our platform.

1. Information Security Objectives

1.1 Core Security Principles

Our information security management is built on industry-standard principles to ensure comprehensive protection of your data and maintain the highest levels of security across all platform operations.

Confidentiality

Only authorised personnel have access to information. We implement strict access controls and data encryption to prevent unauthorised disclosure.

Integrity

Data accuracy and completeness are maintained through validation checks, audit trails, and protection against unauthorised modification.

Availability

Information is accessible to authorised users when needed through redundant systems, monitoring, and incident response procedures.

1.2 Scope and Application

This policy applies to all information systems, data, and personnel involved in the operation of the Kepito platform, including:

Information Assets

Customer BIM data and metadata
Personal information and account data
Platform source code and algorithms
System configurations and documentation

Personnel Coverage

All Kepito employees and contractors
Third-party service providers
System administrators and developers
Customer support representatives

2. Technical Security Controls

2.1 Data Encryption and Protection

Data at Rest

AES-256 encryption for all stored data
Encrypted database storage systems
Secure key management and rotation
Protected backup encryption

Data in Transit

TLS 1.3 for all API communications
HTTPS enforcement across all endpoints
Certificate pinning for critical connections
End-to-end encryption for sensitive operations

2.2 Access Control and Authentication

User Authentication

Strong password requirements
Multi-factor authentication support
Session management and timeout controls
Account lockout protection

System Access

Role-based access control (RBAC)
Principle of least privilege
Regular access reviews and audits
Automated access provisioning/deprovisioning

3. Organisational Security Measures

3.1 Security Training and Awareness

All personnel with access to information systems must complete comprehensive security training to understand their responsibilities and maintain security awareness.

Training Requirements

Annual security awareness training
Role-specific security training
Incident response training
Data handling best practices

Ongoing Awareness

Security bulletin communications
Phishing simulation exercises
Security incident case studies
Regular security reminders

4. Security Monitoring and Incident Response

4.1 Continuous Security Monitoring

Real-Time Monitoring

24/7 system and network monitoring
Automated threat detection alerts
Performance and availability monitoring
Security event correlation and analysis

Audit and Logging

Comprehensive audit trails for all activities
User access and authentication logging
System and configuration change tracking
Data access and modification logs

5. Business Continuity and Disaster Recovery

5.1 Service Availability and Resilience

We design our infrastructure for resilience and implement multiple layers of redundancy to maintain service availability and protect against various failure scenarios.

Infrastructure Redundancy

Multi-region deployment capabilities
Load balancing and auto-scaling
Database replication and clustering
Network failover mechanisms

Data Protection

Automated backup systems
Point-in-time recovery capabilities
Cross-region backup replication
Regular recovery testing

As a growing platform, we strive for high availability whilst being transparent about our current capabilities. We target reliable service delivery and are continuously improving our infrastructure and processes. Whilst we work toward enterprise-grade availability, we may experience occasional service interruptions as we scale and enhance our platform.

6. Compliance and Security Standards

6.1 Security Framework Alignment

Our security practices are designed to align with recognised industry standards and frameworks, providing a solid foundation for information security management.

Security Frameworks

ISO 27001 principles for information security management
NIST Cybersecurity Framework guidelines
OWASP security best practices for web applications

Data Protection

GDPR compliance for EU data protection
Privacy by design principles
Data minimisation and purpose limitation

As we continue to grow, we are working toward formal security certifications and compliance validations. Whilst we implement security practices aligned with industry standards, we are transparent that formal certifications are part of our roadmap rather than current achievements.

7. Security Incident Reporting and Contact Information

7.1 Security Incident Reporting

If you discover a security vulnerability or suspect a security incident, please report it immediately through our dedicated security channels. We take all security reports seriously and will investigate promptly.

Security Email:security@kepito.com

Urgent Issues:Mark email as "URGENT - SECURITY INCIDENT" for immediate attention

Response Time:We will acknowledge security reports within 24 hours

7.2 Security Questions and Compliance Enquiries

For general security questions, compliance enquiries, or information about our security practices, please contact us through the following channels:

Security Officer:security@kepito.com

Privacy Officer:privacy@kepito.com

General Enquiries:admin@kepito.com

Website:https://kepito.com

We are committed to transparency and will provide detailed information about our security practices to support your organisation's security and compliance requirements.

This Information & Data Security Policy is effective as of 13th December 2024, and supersedes all previous versions.