Security Policy

Last Updated: April 9, 2025

Kuralox is committed to protecting the security of our platform, the data entrusted to us by our users, and the integrity of our services. This Security Policy describes the technical and organizational measures we implement to safeguard information processed through our online learning platform at kuralox.com.

By using our services, you acknowledge that you have read and understood this Security Policy. We encourage you to review this document periodically, as it may be updated to reflect changes in our security practices.


1. Scope

This policy applies to all systems, services, infrastructure, and personnel involved in the operation of the Kuralox platform. It covers:


2. Data Protection Principles

We process and store data in accordance with the following core principles:


3. Infrastructure Security

3.1 Hosting and Environments

Our platform is hosted on reputable cloud infrastructure providers that maintain high standards of physical and logical security. Production, staging, and development environments are isolated from one another to prevent cross-environment data exposure.

3.2 Network Security

We apply network-level controls to restrict unauthorized access to our systems, including:

3.3 Physical Security

Physical access to data centers and server infrastructure is managed by our hosting providers, who maintain industry-standard physical security controls including badge access, surveillance, and environmental monitoring. We do not operate our own physical data centers.


4. Data Encryption

4.1 Encryption in Transit

All data transmitted between users and our platform is encrypted using Transport Layer Security (TLS). We enforce the use of modern TLS versions and strong cipher suites, and we disable outdated or insecure protocols. HTTPS is required for all connections to our web services.

4.2 Encryption at Rest

Sensitive data stored on our systems is encrypted at rest using industry-standard encryption algorithms. This includes databases, file storage, and backup archives. Encryption keys are managed using secure key management practices and are rotated periodically.

4.3 Password Storage

User passwords are never stored in plain text. We use strong, adaptive one-way hashing algorithms with salting to store password data, ensuring that even in the event of a data breach, original passwords cannot be easily recovered.


5. Access Control

5.1 Principle of Least Privilege

Access to systems, data, and administrative interfaces is granted on a least-privilege basis. Users and internal personnel are given only the minimum permissions necessary to perform their designated functions.

5.2 Authentication

We require strong authentication for access to sensitive systems and administrative interfaces. This includes:

5.3 Role-Based Access

Access privileges are managed through role-based access control (RBAC). Roles are defined based on job function and business need. Access rights are reviewed periodically and revoked promptly when no longer required, including upon termination of employment or contract.

5.4 Third-Party Access

Any third-party vendors or contractors who require access to our systems are subject to access controls equivalent to those applied internally. Access is scoped, time-limited, and logged.


6. Application Security

6.1 Secure Development Practices

Our development team follows secure coding guidelines throughout the software development lifecycle. Security considerations are integrated into design, development, testing, and deployment stages.

6.2 Vulnerability Management

We conduct regular vulnerability assessments of our platform and infrastructure. Identified vulnerabilities are prioritized and remediated in accordance with their severity level. Critical vulnerabilities are addressed as a matter of urgency.

6.3 Dependency Management

Third-party libraries and software dependencies are actively monitored for known security vulnerabilities. Updates and patches are applied in a timely manner to minimize exposure to publicly disclosed risks.

6.4 Security Testing

We perform security testing activities including code reviews, automated static analysis, and periodic penetration testing by internal or qualified external testers. Findings are tracked and resolved through a defined remediation process.

6.5 Common Web Vulnerabilities

Our application is designed and tested to defend against common web application vulnerabilities, including but not limited to those outlined in the OWASP Top 10, such as injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure direct object references.


7. Monitoring and Logging

7.1 System Monitoring

Our infrastructure and applications are continuously monitored for performance anomalies, error conditions, and potential security events. Automated alerting is configured to notify our operations and security teams of unusual activity.

7.2 Audit Logging

Access to sensitive data and critical system functions is logged. Logs include information such as the identity of the actor, timestamp, action performed, and affected resource. Logs are stored securely and retained for an appropriate period to support security investigations and compliance requirements.

7.3 Log Integrity

Audit logs are protected from unauthorized modification or deletion. Access to raw log data is restricted to authorized personnel with a legitimate operational or security need.


8. Incident Response

8.1 Incident Management Process

We maintain a documented incident response process that defines how security incidents are identified, escalated, investigated, and resolved. Our incident response team is trained to respond to a variety of security event types.

8.2 Detection and Containment

Upon detection of a suspected security incident, our team takes immediate steps to assess the situation, contain any ongoing threat, and prevent further unauthorized access or data exposure.

8.3 User Notification

In the event of a security incident that affects user data, we will notify affected users without undue delay through appropriate communication channels. Notifications will include information about the nature of the incident, the data affected, and recommended actions for users to protect themselves.

8.4 Post-Incident Review

Following resolution of a significant security incident, we conduct a post-incident review to identify root causes, assess the effectiveness of our response, and implement improvements to prevent recurrence.


9. Business Continuity and Data Backup

9.1 Backup Procedures

We perform regular automated backups of platform data and critical system configurations. Backups are encrypted and stored in geographically separated locations to protect against localized failures.

9.2 Recovery Testing

Backup restoration procedures are tested periodically to verify that data can be recovered successfully and within acceptable timeframes in the event of a failure or disaster.

9.3 Service Continuity

We maintain contingency plans to ensure continued availability of our core services in the event of infrastructure failures, outages, or other disruptive events. These plans are reviewed and updated regularly.


10. Vendor and Third-Party Security

We evaluate the security posture of third-party vendors and service providers before integration or data sharing. Our due diligence process considers factors such as the vendor's security certifications, data handling practices, and breach notification procedures.

We maintain contractual agreements with key vendors that include appropriate data protection and security obligations. Vendor relationships are reviewed on an ongoing basis to ensure continued alignment with our security requirements.


11. Employee Security

11.1 Security Awareness

All personnel with access to platform systems or user data receive security awareness training as part of their onboarding and on an ongoing basis. Training covers topics such as phishing recognition, secure password practices, data handling, and incident reporting.

11.2 Confidentiality Obligations

All employees and contractors are bound by confidentiality obligations that restrict unauthorized disclosure or use of platform data and proprietary information.

11.3 Access Revocation

Access credentials and permissions for departing employees or contractors are revoked promptly upon termination of their engagement. Regular access reviews are conducted to identify and remove stale or unnecessary permissions.


12. User Responsibilities

While we implement extensive security measures on our end, users also play an important role in maintaining the security of their accounts and interactions with our platform. We ask that users:

Kuralox cannot be held responsible for security incidents arising from a user's failure to maintain reasonable security practices for their own account.


13. Reporting Security Vulnerabilities

We take vulnerability reports seriously and encourage responsible disclosure from security researchers and members of the public. If you believe you have discovered a security vulnerability in our platform, please report it to us as soon as possible.

To report a vulnerability, contact us at:

Please include a detailed description of the vulnerability, steps to reproduce it, and the potential impact. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it. We are committed to working with reporters in good faith and will acknowledge receipt of valid reports promptly.


14. Compliance and Certifications

We are committed to aligning our security practices with recognized industry standards and frameworks. Our security program is designed with reference to widely accepted best practices for information security management.

We continuously assess our compliance posture and work to address gaps as our platform and regulatory environment evolve.


15. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our security practices, technology, or applicable standards. When we make significant changes, we will update the "Last Updated" date at the top of this document.

We encourage users to review this policy periodically. Continued use of our platform following an update to this policy constitutes acceptance of the revised terms.


16. Contact Us

If you have any questions, concerns, or requests related to this Security Policy or our security practices, please contact us using the information below:

Contact Method: Details
Company: Kuralox
Address: Nezalezhnosti Ave, 96, Chernivtsi, Chernivtska, Ukraine, 58000
Phone: +38 (054) 221-97-88
Email: help@kuralox.com
Website: kuralox.com