kencha Security Policy


This document explains our security policy. While it’s not possible to guarantee that incidents will never happen, we work diligently to keep your data secure.

How we handle your data

Please see our Privacy Policy concerning how we manage your data.

Our approach to developing secure software

We conduct code reviews to detect vulnerabilities prior to merging and deployment. Additionally, we validate and routinely review permissions for all managed resources, and we manage all code changes using Git, providing a clear and auditable history for production releases.

Our approach to keeping communications secure

We apply modern security best practices to safeguard data, including SSH key-based server access, encrypted HTTPS/TLS communications, and the prohibition of clear-text data transmission.

Our approach to keeping data secure

Our websites are hosted on IONOS SE, while our cloud applications and storage are hosted on the Atlassian Cloud Service.

All data is encrypted at rest and in transit. Employee devices and backup media are secured using full-disk encryption technologies such as Apple FileVault 2.

Where your data is hosted

Please see our Privacy Policy concerning how we store your data.

How we handle a vulnerability

Important: If you notice a vulnerability, please submit a report via Report Incident.

  • If a vulnerability is confirmed, we notify Atlassian.

  • If a breach results in unauthorized access to or alteration of customer data, we notify the relevant GDPR authority within 72 hours: Hessische Beauftragte für Datenschutz und Informationsfreiheit (poststelle@datenschutz.hessen.de).

  • If an external party gains access to or modifies customer data, we also inform the affected customers directly.

  • If a breach allows only users within the same customer account to access or modify data they are not permitted to (a permission violation), we determine whether to notify customers via release notes when delivering the next version, or to contact them directly.

We detect vulnerabilities through penetration testing and automated dependency scanning tools, including npm audit and Maven Dependency Check, which is based on NIST and OWASP vulnerability data.

Please note that automated tools frequently flag potential issues in widely used industry libraries, regardless of whether our software is actually affected. As a result, we do not publish a report for every alert. Instead, we either upgrade the affected library or ensure that our software does not use the vulnerable feature. Our release process prevents any software from being deployed until these issues are resolved.

If a vulnerability appears critical, specifically if it could allow unauthorized access to or modification of customer data, we investigate its potential impact on customer data and follow the incident response process described above.