
Security policy

Kassa Security Practices

We at Kassa take the security of your retail data very seriously. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

Confidentiality

We place strict controls over our employees' access to the data you and your users make available via the Kassa services, as more specifically defined in your agreement with Kassa covering the use of the Kassa services ("Data protection"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the Kassa services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Kassa services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so, and only with your permission. We have technical controls and policies in place to ensure that any access to Customer Data is always logged. All of our employees and contract personnel are bound by our policies regarding Customer Data, and we treat these issues as matters of the highest importance within our company.

Personnel Practices

Kassa employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive security policy covering the security, availability, and confidentiality of the Kassa services.

Compliance

Customer data for all accounts is accessed via secure protocols such as HTTPS and SSH. Additionally, all passwords are encrypted on our servers and databases. We run a dedicated environment behind firewalls with constant monitoring. All software is updated regularly to ensure the latest security patches are applied.

For more information check out our infrastructure sub-processors.

Security Features for Team Members & Administrators

In addition to the work we do at the infrastructure level, we provide retailers using the Kassa services with additional tools, already available in the standard plan, that enable their own users to protect and restrict user access to their Customer Data. If that is not enough for you, Kassa can provide additional and customized software components upon the Customer's request to suit their retail needs.

Logging

Detailed access logs are available to both users and administrators of the Kassa retailer and are provided in the standard solution. We log every user access time, the IP address of the connection and the domain, to provide the best overview of access performed by the retailer's users while using the Kassa services.

The administrators of the Kassa retailer stores can review access logs for the whole retail chain. All access attempts are also logged as successful or unsuccessful to provide better insight into login activity. In addition, operations undertaken by the users in the Kassa services are also logged.

Sign In

Login to the Kassa services is only possible via the methods we have implemented and tested for security. User access to the Kassa services can be managed and configured only by the administrators of the Kassa retail chain. This means that even if the retailer has leaked login credentials, they cannot be used beyond the privileges granted to the compromised user, or to log into other services without the rights to do so. Upon successful login the user is provided with an authorization token which allows access to the specific Kassa service. The token is only valid temporarily, and after a certain period of inactivity the user must log in again to acquire a new, valid authorization token.

Data Retention

Kassa has made tools available to the Kassa retailer which allow the privileged user to manage other users and the data of the retailer's customers. Kassa believes that every piece of data you insert into the Kassa services belongs to you, and hence no restrictions are placed on data management, whether the data concerns customers, employees or users.

Deletion and return of Customer Data

Kassa provides the retailer with the option to have all their data destroyed after they have ended their subscription with Kassa. This includes data in the Kassa services and all the backups created by us. The Customer is provided with several tools to export their data from Kassa during the active subscription, and access to the data is also provided over the Kassa Inventory API. Kassa also manages backups on behalf of the Customer, and in case of a data incident caused by either party, the data can always be restored.

Data Encryption In Transit and At Rest

The Kassa services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. All Customer Data is encrypted at rest. We encrypt the data between all our services with the latest SSL encryption, making it impossible to steal any information while the data is in transit between the Customer and Kassa. We monitor the changing cryptographic landscape closely and work promptly to upgrade the services to respond to new security weaknesses as they are discovered, and to implement best practices as they evolve.

All connections are monitored by Kassa personnel in the background. Kassa also has extra security measures in place to detect possible malicious activity over the network, and specific guidelines have been worked out to address such threats before they materialise.

Availability

We understand that being a retailer is a 24/7 job and that you as a retailer rely on the Kassa services to work. We're committed to making Kassa a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant, withstanding failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.

Disaster Recovery

Customer Data is stored redundantly at multiple locations in our hosting provider's data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. To prevent a major disaster from happening and to provide the best response time for the Kassa services, all traffic is directed through load balancing and optimized accordingly, avoiding possible response delays and server crashes. The Operations team is alerted in case of a failure of our services. Backups are fully tested to confirm that our processes and tools work as expected.

Network Protection

In addition to monitoring and logging, we have implemented secure server access across our products. Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with AWS Security Groups.

Host Management

We perform vulnerability scans on our hosts and remediate any findings that present a risk to the security of our services. We enforce production-specific security measures such as screen lockouts, training our personnel on security and its measures, use of secure hardware for production, making high-risk tasks and systems available only over a VPN connection or only on our premises, secure workplace access methods, and many more.

Incident Management & Response

In the event of a security breach, Kassa will promptly notify you of any unauthorized access to your Customer Data. Kassa has incident management policies, guidelines and procedures in place to handle such events.

Product Security Practices

New features, functionality, and design changes go through a security review process by our development team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The products we provide are designed to be secure, hence no data is provided by our services before authorization has been successfully concluded. Depending on the selected solution, the data fetched from our services will never remain on the user's device in a form in which it could be used without the required prior authorization. Kassa carries out additional security checks from time to time to detect any security weaknesses that may have been missed in our products.

All our 3rd party processors are selected via a thorough decision-making process in which we evaluate the suitability of the external service provider against multiple criteria, such as security features and measures, SLA conditions, service performance and availability, and many more, to assess whether the 3rd party is capable of meeting the recommended industry standards. In addition, we only host servers with Customer Data in the same region as the Customer.

Updates

As our business grows and evolves, the functionality and security measures we provide may also change. Please check back frequently for updates.