Behind the Scenes: How Kahuna Handles Personally Identifiable Information

By: James Sprinkle | July 11, 2018 | Kahuna

If you’ve followed the news recently, you’re likely familiar with the ongoing shifts in online privacy regulations such as GDPR which are putting extensive demands on companies that store and process personally identifiable information (PII). While we previously discussed how Kahuna is compliant with GDPR regulations, that is just one piece of the online privacy ecosystem.

As a personalization solution for marketplaces, Kahuna is entrusted by their customers to keep user information secure. It’s a responsibility we take seriously which is why we have stringent policies and safeguards in place.
Although most privacy regulations are complex and difficult to understand, especially if you’re just leveraging extreme personalization technologies within your platform, we’ve put together a (relatively) short overview of Kahuna’s stance on responsibly handling PII, and steps we take to preserve the integrity of our systems.

Kahuna’s take on data protection

Kahuna, trusted by brands such as Carousell, Mudah, Restorando, Listia, and numerous others, to orchestrate personalized messaging has taken numerous steps to comply with laws in the ever-changing data privacy landscape. From day one, Kahuna has made security a top priority in our software development processes.

We’re proud to say that we’ve maintained compliance with numerous data protection regulations and security standards such as GDPR, PCI-DSS, ISO 27001, COBIT, and NIST 800 Series, through a variety of techniques such as conducting third-party penetration tests, undergoing SOC II audits, and partnering with our clients to understand the challenges they face regarding various privacy regulations.

That being said, security and privacy protections are always evolving. As part of our commitment to being good stewards of our client’s data, we aim to take a proactive stance on these regulations, through ongoing learning and training throughout our organization.

What is personally identifiable information (PII)?

Personally identifiable information (PII) is defined as any data that could potentially identify a specific individual. This ranges from the obvious (name, address, social security numbers, and dates of birth), to more technical data (IP addresses, cookies, and device IDs).

What information does Kahuna collect and how is it handled?

Under GDPR regulations and our standard client agreements, Kahuna is considered a subprocessor and data processor, which means that clients provide us with select amounts of information which is used for us to perform our duties per our client agreements.

This information often includes, but is not limited to basic behavioral and demographic data such as search history, add to cart, purchases, bids, listed items, first name, last name, birth date, and subscription dates.
Our clients determine the scope of information provided to us. They’re also the ones who determine what is and isn’t done with their information. If Kahuna is required by applicable laws to process information in alternative ways, we will provide prompt notice.

How does Kahuna protect user information?

As part of our commitment to information security and safety, there are a few ways companies

  • User information is strictly handled on a need to know basis. As per standard procedure, the only parties who have access to user personal information are our customers.
    • If customer success teams need access to data to aid in campaign creation or troubleshooting, it can be granted to the appropriate Kahuna employee on a temporary basis and revoked when the work or issue is completed/resolved.
  • Employee workstations/laptops are equipped with remote lock and wipe functionality. The remote wipe functionality also extends to work applications installed on employee mobile devices.
  • Employees are required to enable two-factor authentication to access Kahuna’s internal networks, source code repositories, and cloud applications.
  • Employee workstations, laptops, and backup drives are encrypted using the XTS-AES-128 standard.
  • Kahuna’s digital infrastructure routinely goes through penetration testing, SOC II audits, and other proactive measures to spot trouble spots before they get out of hand.
  • Access to Kahuna’s facilities and restricted areas are controlled by keycard access.

What Privacy Standards is Kahuna Compliant With?

Kahuna is presently compliant with  GDPR, PCI-DSS, ISO 27001, COBIT, and NIST 800.

Does Kahuna employ sub-processors to assist with client data processing?

Per our standard agreements with customers, Kahuna does not subcontract any of its processing operations without written consent of the client. In the rare instances when a subcontractor is required, they are required to meet the same obligations Kahuna has to their clients.

What happens when a client engagement ends?

When Kahuna’s engagement with a client is complete, the client can request that personally identifiable information will be destroyed (within limits of relevant regulations) and/or have the personally identifiable information destroyed.

If regulations prevent the destruction of personal information, Kahuna remains committed to confidentiality, and will not process the personally identifiable information any further.

How does Kahuna handle data center security?

In order to meet the high demands of our customers, Kahuna has partnered with Google Cloud to power it’s digital systems. This means that Google’s stringent security measures apply in addition to Kahuna’s internal policies when it comes to protecting digital information.
A few core highlights of those measures include:

  • Custom-built servers which don’t include unnecessary hardware, in order to minimize vulnerability exposure.
  • Around the clock security monitoring, laser beam intrusion detection, biometric access control, CCTV systems, and more.
  • Redundant power systems and environmental controls to ensure full availability even in the event of a power outage.

Always be prepared

Security professionals all agree, no technology is completely secure. With that in mind, be prepared with a process and practice the response before you actually need it. In the event of a suspected data breach involving Kahuna systems, we will provide immediate notification. This is required by state and federal law in the USA, but also by laws in effect within the countries we operate.

We will go beyond what is required by law and provide detailed information about the impact of the suspected breach, not limited to: likely risk posed to individuals, categories and approximate number of affected individuals, and measures that should be taken by the client to mitigate further adverse effects.
In addition to these steps, Kahuna will provide timely updates regarding relevant information pertaining to the security issues.

If you have any questions about Kahuna’s compliance with global privacy regulations, please reach out to your Account Manager or contact us at Our full privacy policy can be found here.

Sign Up to Receive The Big Kahuna

A Bi-Weekly Newsletter Focused Exclusively on Online Marketplaces

  • This field is for validation purposes and should be left unchanged.

Author: James Sprinkle

James Sprinkle is Head of Engineering at Kahuna. Prior to Kahuna, he served in various engineering and IT roles at other Silicon Valley companies like Adaptive Intelligence, Yahoo!, and IBM. James received his B.S. in Computer Science and Engineering from UC Davis.

Fun fact:

James is Kahuna’s first and longest termed employee!

View all posts from this author