September 19, 2018
A Checklist for Improving Buyer and Seller Engagement
If you’ve followed the news recently, you’re likely familiar with the ongoing shifts in online privacy regulations, such as GDPR, which are putting extensive demands on companies that store and process personally identifiable information (PII). While we previously discussed how Kahuna is compliant with GDPR regulations, that is just one piece of the online privacy ecosystem.
As a personalization solution for marketplaces, Kahuna is entrusted by its customers to keep user information secure. It’s a responsibility we take seriously, which is why we have stringent policies and safeguards in place.
Although most privacy regulations are complex and difficult to understand, especially if you’re just leveraging extreme personalization technologies within your platform, we’ve put together a (relatively) short overview of Kahuna’s stance on responsibly handling PII, and steps we take to preserve the integrity of our systems.
Kahuna, trusted by brands such as Carousell, Mudah, Restorando, Listia, and numerous others to orchestrate personalized messaging, has taken numerous steps to comply with laws in the ever-changing data privacy landscape. From day one, Kahuna has made security a top priority in our software development processes.
We’re proud to say that we’ve maintained compliance with numerous data protection regulations and security standards such as GDPR, PCI-DSS, ISO 27001, COBIT, and NIST 800 Series, through a variety of techniques such as conducting third-party penetration tests, undergoing SOC II audits, and partnering with our clients to understand the challenges they face regarding various privacy regulations.
That being said, security and privacy protections are always evolving. As part of our commitment to being good stewards of our clients’ data, we aim to take a proactive stance on these regulations through ongoing learning and training throughout our organization.
Personally identifiable information (PII) is defined as any data that could potentially identify a specific individual. This ranges from the obvious (name, address, social security numbers, and dates of birth), to more technical data (IP addresses, cookies, and device IDs).
Under GDPR regulations and our standard client agreements, Kahuna is considered a subprocessor and data processor, which means that clients provide us with select amounts of information, which we use to perform our duties per our client agreements.
This information often includes, but is not limited to, basic behavioral and demographic data such as search history, add to cart, purchases, bids, listed items, first name, last name, birth date, and subscription dates.
Our clients determine the scope of information provided to us. They’re also the ones who determine what is and isn’t done with their information. If Kahuna is required by applicable laws to process information in alternative ways, we will provide prompt notice.
As part of our commitment to information security and safety, there are a few ways companies
Kahuna is presently compliant with GDPR, PCI-DSS, ISO 27001, COBIT, and NIST 800.
Per our standard agreements with customers, Kahuna does not subcontract any of its processing operations without written consent of the client. In the rare instances when a subcontractor is required, the subcontractor is required to meet the same obligations Kahuna has to its clients.
When Kahuna’s engagement with a client is complete, the client can request that personally identifiable information be destroyed (within limits of relevant regulations) and/or have the personally identifiable information destroyed.
If regulations prevent the destruction of personal information, Kahuna remains committed to confidentiality, and will not process the personally identifiable information any further.
In order to meet the high demands of our customers, Kahuna has partnered with Google Cloud to power its digital systems. This means that Google’s stringent security measures apply in addition to Kahuna’s internal policies when it comes to protecting digital information.
A few core highlights of those measures include:
Security professionals all agree: no technology is completely secure. With that in mind, be prepared with a process and practice the response before you actually need it. In the event of a suspected data breach involving Kahuna systems, we will provide immediate notification. This is required by state and federal law in the USA, but also by laws in effect within the countries in which we operate.
We will go beyond what is required by law and provide detailed information about the impact of the suspected breach, including but not limited to: likely risk posed to individuals, categories and approximate number of affected individuals, and measures that should be taken by the client to mitigate further adverse effects.
In addition to these steps, Kahuna will provide timely updates regarding relevant information pertaining to the security issues.