Security & Compliance

Data Security & Privacy

Overview At KyberAccess, data security and privacy are foundational to everything we build. As a visitor management platform, we handle sensitive personal information including names, government-issued IDs, photographs, contact details, and screening results. We take that responsibility seriously. Our security architecture protects your data at every stage: in transit, at rest, and in use. This guide provides a comprehensive overview of our security practices, data handling policies, compliance posture, and the privacy controls available to you as an administrator. Data Encryption Encryption in Transit All data transmitted between your devices and KyberAccess servers is encrypted using TLS 1.2 or higher. This covers web dashboard access, iPad Kiosk app communication, API calls, webhook deliveries, and email notifications. We enforce HSTS (HTTP Strict Transport Security) headers to ensure browsers always connect via HTTPS. The iPad Kiosk app implements certificate pinning for additional protection against man-in-the-middle attacks. Encryption at Rest All data stored on our servers is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies. This applies to visitor records and personal information, ID scan images and selfie photos, signed documents (NDAs, waivers), watchlist and screening data, database contents, and backup archives. Encryption keys are managed through a dedicated key management service with automatic rotation on a regular schedule. Infrastructure Security Cloud Hosting KyberAccess runs on enterprise-grade cloud infrastructure featuring: - SOC 2 Type II certified data centers - Geographic redundancy with data replicated across multiple availability zones for fault tolerance - 99.9% uptime SLA with automatic failover for high availability - DDoS protection at the network level against distributed denial-of-service attacks - Continuous monitoring for unauthorized access attempts via firewalls and intrusion detection systems Network Security - VPC isolation — KyberAccess operates in a private virtual cloud, fully isolated from other tenants - Web Application Firewall — Filters and blocks common web exploits including SQL injection, cross-site scripting, and cross-site request forgery - Rate limiting on login endpoints to protect against brute-force attacks - IP allowlisting — Enterprise customers can restrict dashboard access to specific IP addresses or VPN ranges Application Security - Annual penetration testing by independent third-party security firms - Daily vulnerability scanning for known security issues - Dependency monitoring with continuous tracking of all software dependencies for security advisories - Secure development lifecycle with mandatory code review, static analysis, and security testing for every release Authentication and Access Control User Authentication KyberAccess supports multiple authentication methods: - Email and password with enforced complexity requirements: minimum 8 characters, mixed case, numbers, and special characters - Two-factor authentication (2FA) available for all users and mandatory for administrators on Enterprise plans. Supports authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) and SMS verification codes - Single Sign-On (SSO) on the Enterprise plan via SAML 2.0 and OpenID Connect, integrating with your existing identity provider (Okta, Azure AD, OneLogin, and others) Role-Based Access Control KyberAccess implements granular role-based access: - Super Administrator — Full access to all settings, data, billing, and user management across all locations - Administrator — Full access to settings and data for their assigned locations - Location Manager — Manage visitors, devices, and reports for their location without access to billing or global settings - Front Desk — Check in and out visitors, view today's visitor list, no access to settings or reports - Security — View watchlist alerts and screening reports, approve or deny flagged visitors - Read Only — View-only access to the dashboard and reports with no ability to modify any data Enterprise customers can create additional custom roles with individually selected permissions for each feature area. Session Management - Sessions expire after 30 minutes of inactivity (configurable on Enterprise plans) - Administrators can view and terminate active sessions for any user - Forced remote logout is available from Settings > Users - All login attempts, both successful and failed, are recorded in the audit log Data Privacy What Data We Collect KyberAccess collects and processes the following categories of visitor information: - Identity information — Name, date of birth, and address from ID scanning - Contact information — Email address and phone number - Visit information — Date, time, host, purpose of visit, and duration on-site - Visual data — ID photograph, selfie, and badge photo - Screening results — Watchlist match status and health screening responses - Signed documents — NDA and waiver signatures with timestamps - Device data — Kiosk device identifier and check-in method used Data Ownership You own your data. KyberAccess processes visitor data on your behalf as a data processor. We do not sell, share, or use your visitor data for advertising, analytics profiling, or any purpose beyond providing the KyberAccess service to you. Data Retention KyberAccess provides configurable data retention policies for each category of data: - Visitor records — Default: 1 year. Configurable from 30 days to unlimited. - ID scan images — Default: 90 days. Configurable from 7 days to 1 year. - Selfie photos — Default: 90 days. Configurable from 7 days to 1 year. - Signed documents — Default: 3 years. Configurable from 1 year to 7 years. - Screening results — Default: 1 year. Configurable from 30 days to 3 years. - Activity and audit logs — Default: 1 year. Configurable from 90 days to 3 years. To configure retention policies: 1. Go to Settings > Privacy > Data Retention 2. Set the retention period for each data category based on your legal and operational requirements 3. Enable Automatic Purge to delete data beyond the retention window automatically 4. Click Save Important: When data reaches its retention limit and automatic purge is enabled, it is permanently deleted from all systems including backups. This process runs daily and cannot be reversed. Set retention periods carefully. Individual Data Deletion Administrators can delete individual visitor records at any time: 1. Navigate to Visitors and search for the record 2. Click on the visitor's profile 3. Click Delete Record at the bottom of the profile page 4. Confirm the deletion This removes all data associated with that visitor including ID images, selfie photos, signed documents, and screening results. Bulk Data Deletion For bulk operations: 1. Go to Settings > Privacy > Data Management 2. Use the Bulk Delete tool to select records matching specific criteria (date range, visitor type, location) 3. Review the records that will be affected 4. Confirm the operation Data Export (Right of Access) If a visitor requests access to their personal data: 1. Go to Settings > Privacy > Data Requests 2. Click New Request 3. Search for the visitor by name or email 4. Select Data Export 5. KyberAccess generates a downloadable archive containing all data associated with that individual 6. Review the export and provide it to the requester Full Data Portability Export all of your organization's KyberAccess data at any time: 1. Go to Settings > Privacy > Data Export 2. Select what to export: All Data, Visitors Only, or Settings Only 3. Choose the format: JSON or CSV 4. Click Generate Export 5. Download the archive when ready Compliance GDPR (General Data Protection Regulation) KyberAccess supports GDPR compliance with lawful basis configuration, consent collection during check-in with customizable text, right to erasure (deletion on request), right of access (data export on request), and a Data Processing Agreement available to all customers upon request. Enterprise customers can request EU-based data residency. CCPA (California Consumer Privacy Act) KyberAccess does not sell personal information. The platform provides consumer rights tools for data access, deletion, and opt-out. A customizable privacy notice can be displayed during the check-in process. FERPA (Family Educational Rights and Privacy Act) For schools and educational institutions using student attendance features, KyberAccess protects student records under FERPA guidelines. Parents can request access to attendance data. Directory information sharing is configurable to comply with FERPA exceptions. Industry-Specific Compliance (Enterprise) Enterprise customers have access to compliance templates and features for ITAR (defense contractor visitor screening), C-TPAT (supply chain security logging), FSMA (food manufacturing visitor tracking), and HIPAA (healthcare facility health screening data protection). Incident Response In the event of a security incident, our process follows five stages: detection through 24/7 monitoring, immediate investigation and containment by the security team, customer notification within 72 hours per GDPR requirements (or sooner per SLA), remediation with fixes and preventive measures, and a detailed post-mortem report shared with affected customers. Administrator Security Controls Audit Log Every administrative action in KyberAccess is recorded: 1. Go to Settings > Security > Audit Log 2. View a chronological record of all actions including user logins and logouts, settings changes, data exports and deletions, role and permission modifications, and device pairing events 3. Filter by user, action type, or date range 4. Export the audit log for compliance documentation IP Allowlisting (Enterprise) Restrict dashboard access to trusted networks: 1. Go to Settings > Security > IP Allowlist 2. Add trusted IP addresses or CIDR ranges 3. Enable the allowlist 4. Access attempts from non-listed IPs are denied automatically Tips for Maximizing Security - Enable 2FA for all administrator accounts — this is the single most impactful security measure you can implement - Review the audit log monthly for unusual access patterns or unexpected changes - Set appropriate data retention periods — do not keep data longer than your legal or operational requirements demand - Train front desk staff on privacy procedures since they interact with visitor data daily - Apply the principle of least privilege — give each user only the role and permissions they actually need - Respond to data access requests promptly — GDPR requires response within 30 days - Keep browsers and devices updated to protect against client-side vulnerabilities Frequently Asked Questions Where is my data stored? In SOC 2 Type II certified data centers in the United States. Enterprise customers can request data residency in the EU, Canada, or Australia. Can KyberAccess employees access my data? Access is strictly limited to authorized support personnel, only when necessary to resolve a support request, and all access is logged in our internal audit system. What happens to my data if I cancel my account? You have 30 days to export your data after cancellation. After 30 days, all data is permanently deleted from our systems including backups. Do you have a SOC 2 report available? Yes. SOC 2 Type II reports are available to Enterprise customers under NDA. Contact your account manager or sales@kyberaccess.com to request a copy. For security questions or to report a vulnerability, contact security@kyberaccess.com.