Security & Backup FAQs
This page answers frequently asked questions regarding KPA Flex security, systems, and data backups.
Please direct any additional questions to the KPA Flex Support Team.
KPA Flex can be accessed via a web browser or through one of the free mobile apps:
KPA Flex is a cloud-based application hosted on Amazon AWS. KPA Flex is not available as a stand-alone application to be hosted and run directly within a client’s own data center.
KPA Flex database systems are backed up several times per day, transferred securely to an AWS region 2,000 miles away from the primary storage (US West 2), and stored under AES-256 encryption at 99.999999999% durability. Databases are also backed up independently by the database provider (PaaS).
If your organization’s record retention policies require automatic deletion of form responses (e.g. DVIR Reports) after a period of time (e.g. 90 days), please contact the KPA Flex Support Team to request scheduled deletion.
Cookies are a small amount of data stored on your computer or mobile device when you visit a website. Cookies are used by most service providers in order to make their websites or services work or provide reporting information. Cookies set by the service provider (in this case, KPA Flex) are called “first party cookies”. Cookies set by parties other than the website owner are called “third party cookies”. Third party cookies enable third party features or functionality to be provided on or through the website or service you are using (such as mapping). The third parties that set these third party cookies can recognize your computer both when it visits the website or service in question and also when it visits certain other websites or services.
KPA Flex uses first-party and third-party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites and Services to operate. For example, once you have signed in, the system uses a first-party cookie to keep track of your session so you don’t have to sign in every time you click a new link. Other first-party cookies such as ‘last-subdomain’ help KPA Flex keep track of which site you have used most recently. This allows the system to send you to the correct site when you log in from the home page (as it is difficult for people to remember their ‘domain’). For more information on cookies, please contact the KPA Flex Support Team.
KPA Flex databases are hosted on Amazon AWS and are managed by MongoDB (the creators of MongoDB) and Heroku (owned by Salesforce). Each database is configured with replicas and automatic failover. All connections are made over TLS (commonly still called SSL), and backups are done hourly. Read more on backups.
For the sake of security and performance, no 3rd-party client access is permitted to the KPA Flex databases. Although a direct connection may seem useful for client tools such as Power BI, Spotfire, or Tableau, the security and performance implications rule it out. In any case, the complex structure of KPA Flex data makes these tools less useful than groups may expect. KPA Flex recommends using the API to access application data. If your IT team has any questions regarding the API, please contact a KPA Flex customer care representative.
Client application data is made available via the secure KPA Flex API. The Roles and Permissions module allows administrators to grant API permissions to their company’s IT individuals. Once access is granted, the IT personnel may create API tokens (via the Control Panel) which grant programmatic access to read and/or write data to/from the KPA Flex API.
The API contains dozens of methods, exposed as HTTPS endpoints that accept and return JSON, for querying and accessing the data. Please visit the KPA Flex API for detailed documentation, a listing of endpoints, code samples, and a web-based interface for executing API requests.
If your group needs a customized export format and does not have an IT group that can work with the API, please contact a KPA Flex customer care representative for options.
Unlike many older systems, the KPA Flex application does not run on fixed servers that must be manually rebuilt after an outage. KPA Flex uses “containerization” along with dockerfiles, buildpacks, procfiles and other documented, pre-defined configuration scripts to create servers on demand depending on site activity. Each time the application code is updated (several times per week), KPA Flex servers are automatically rebuilt from scratch, “warmed up”, and then a load balancer begins sending traffic to the new instances. Because of this process, switching regions or even hosting providers (e.g. Digital Ocean, Rackspace, etc.) is straightforward should the need arise.
The KPA Flex code repository includes information and procedures regarding disaster recovery, and KPA Flex’s internal resource library houses the latest Disaster Recovery and Business Continuity Plan document.
For information on database backups, please visit the Backup Frequency & Durability section of this guide.
Note: The KPA Flex code repository is not available for public or 3rd-party access. If you have further questions regarding KPA Flex disaster recovery and business continuity policies or procedures, please contact the KPA Flex Support Team.
KPA Flex forces all client traffic (including web browser, native apps, and API connections) to use HTTPS, which protects the connection with TLS. The “256-bit” figure often quoted for this refers to the symmetric session cipher (AES-256), not to the RSA key: a 256-bit RSA key would be trivially factorable, and RSA certificate keys are far longer. All connections between processing servers and databases also use TLS exclusively. Data backups are stored under AES-256 encryption with a 99.999999999% durability rating. Learn more about backups.
The KPA Flex web application and native apps are designed to be operational 24 hours per day and 7 days per week. Any planned downtime is guaranteed to provide at least 8 hours prior notice and typically happens during the lowest traffic periods (early am hours of Saturday or Sunday). At the writing of this guide, KPA Flex has not had scheduled maintenance in over a year. Any unavailability caused by circumstances beyond our control, including but not limited to, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems or Internet service provider failures or delays will be addressed immediately with the highest priority.
KPA Flex does not store passwords in plaintext.
Passwords are salted and hashed using Argon2id, a memory- and CPU-intensive algorithm chosen to make offline guessing of a stolen hash expensive.
Because of this process, it is not possible to recover a password if login credentials are lost. If a password is lost then it can be reset using the “Forgot Password” link on the login page if the employee has an email address on file. The email is used to verify the owner of the account. If the employee does not have an email address listed on their profile, then another employee at the same organization (who has been granted permission via the Roles and Permission page) will be able to manually change the password on the employee’s profile page.
KPA Flex representatives are not able to recover or reset passwords over the phone as there is no way to verify the caller’s identity. Companies may include contact information on the sign-in page (such as phone, email) to direct an employee who has forgotten their password.
When employee profiles are first created for your organization, the system defaults to forcing that employee to reset their password when they first sign in to the site. This ensures that no other individual has signed in on their behalf and cuts off any further outside access. Once a password is changed, all existing logins (including the native apps) are invalidated immediately.
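The three behaviours above (no stored plaintext, a forced change at first sign-in, and every existing login dying when the password changes) can be implemented together by hashing passwords with a salted memory-hard function and tying each session to a per-user "password generation" counter. The following is an added illustration, not KPA Flex’s own code: the user record, session store and method names are hypothetical, and because Argon2id is not in the Python standard library, `hashlib.scrypt` (also memory-hard) stands in for it.

```python
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters: assumed values chosen so the example runs quickly
# (16 MiB per hash at these settings), not a production tuning.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt):
    """Memory-hard password hash. The FAQ states KPA Flex uses Argon2id; scrypt from
    the standard library stands in here because Argon2 needs a third-party package."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class User:
    """Hypothetical employee record: only salt + hash are stored, never the password."""

    def __init__(self, username, temporary_password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(temporary_password, self.salt)
        self.must_reset = True   # admin-created profile: force a change at first sign-in
        self.generation = 0      # bumped on every password change

    def check_password(self, candidate):
        # constant-time comparison of the two derived keys
        return hmac.compare_digest(self.pw_hash, hash_password(candidate, self.salt))

    def set_password(self, new_password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)
        self.must_reset = False
        self.generation += 1     # every session minted under the old generation is now invalid


class SessionStore:
    """Server-side sessions: opaque token -> (username, generation at login)."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def create_user(self, username, temporary_password):
        self.users[username] = User(username, temporary_password)

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user.generation)
        return token

    def current_user(self, token):
        """Resolve a token (web or native app); None if unknown or stale."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, generation = entry
        user = self.users[username]
        if generation != user.generation:   # password changed since this login
            del self.sessions[token]
            return None
        return user

    def change_password(self, token, old_password, new_password):
        """Self-service change; the caller must prove the old password again."""
        user = self.current_user(token)
        if user is None or not user.check_password(old_password):
            return False
        user.set_password(new_password)   # invalidates every session, including this one
        return True

    def admin_reset(self, username, new_temporary_password):
        """Manual reset by a colleague holding the relevant permission (employee has no
        email on file). The employee must choose their own password at next sign-in."""
        user = self.users.get(username)
        if user is None:
            return False
        user.set_password(new_temporary_password)
        user.must_reset = True
        return True
```

Because `current_user` compares the generation recorded at login with the user’s current one on every request, a password change (self-service or by an admin) invalidates web and native-app sessions alike without having to enumerate them; the session that performed the change should simply be re-issued a fresh token. Nothing recoverable about the old password survives the change, which is why support cannot "look it up".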
KPA Flex’s information systems and technical infrastructure are hosted within Amazon AWS – a world-class, SOC 1/2/3 accredited, data center. You can read more about AWS Security or choose one of the following sub-topics:
- All Compliance Programs – including SOC 1, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and more
- SOC FAQ – specifically covers AWS SOC compliance. The SOC 3 artifact is available for public download. Follow these steps to request a SOC 1 or SOC 2 artifact from Amazon.
- AWS Security Bulletins – a live feed of any security related alerts published by AWS
NOTE: To request Amazon’s SOC 1 or SOC 2 report, you must make a direct request to Amazon using their Artifact Management Console. This process requires you to create a free Amazon (AWS) account. Viewing their artifacts requires you to sign a Non-Disclosure Agreement, and your copy will contain a watermark identifying you as the requestor. Because of this NDA, KPA Flex cannot request an artifact on your behalf.
While KPA Flex’s customer data and processing servers are not hosted on-site, the company office is protected by a 24×7 security system, digital RFID cards, and individually keyed physical locks for each office.
For more information on KPA Flex’s security measures, see the Security & Compliance section below.
The KPA Flex Privacy Policy is available here: https://www.kpaehs.com/privacy-policy
KPA Flex deploys internal auditing and other logging tools to track access and modifications to the application and the application data. These auditing tools are not currently available to customers or third-party users. Should the need arise, a limited subset of this information may be made available to customers where the dataset is limited to the scope of the requestor’s own application data.
It is at the discretion of each organization to define roles and permissions according to their own procedures and best practices.
The Roles and Permissions page determines each employee’s access level within a site. By default, a site will start with Employee, Manager, and Admin roles but additional roles can be added or removed. Using nearly 100 different permissions, an organization can customize the access level of each role. Each employee profile is then assigned to one specific role which dictates what data they can access or upload.
Examples of permissions include:
- Submit Reports
- View Reports
- Create or Edit Forms
- Complete Training
- Mark Training Complete
- View Equipment
- Create or Edit Equipment
- View Resources (e.g. PDFs, SpreadSheets, etc)
- Create or Edit Resources
- Import a Dataload
- Access the API
Any changes to the Roles and Permissions grid are immediately reflected within the site authorization for both web browsers and the native iOS/Android apps.
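A grid like the one described (each employee holds exactly one role, a role is a set of named permissions, and edits take effect on the next request) works as sketched below. This is an added illustration, not KPA Flex’s own code: the permission names are the ones listed on this page, while the contents of the default roles, the employee data and the method names are assumed. It also shows why "immediately reflected" matters: the decision is made from the live grid at request time rather than from a permission list copied into a token at login.

```python
import secrets

# Permission names as listed on this page.
PERMISSIONS = frozenset({
    "Submit Reports", "View Reports", "Create or Edit Forms", "Complete Training",
    "Mark Training Complete", "View Equipment", "Create or Edit Equipment",
    "View Resources", "Create or Edit Resources", "Import a Dataload", "Access the API",
})


class Site:
    """One site's roles-and-permissions grid plus the employee -> role assignment."""

    def __init__(self):
        # Default roles. The page names the three roles; their contents here are assumed.
        self.roles = {
            "Employee": {"Submit Reports", "Complete Training", "View Resources", "View Equipment"},
            "Manager": {"Submit Reports", "View Reports", "Complete Training",
                        "Mark Training Complete", "View Resources", "View Equipment",
                        "Create or Edit Equipment"},
            "Admin": set(PERMISSIONS),
        }
        self.employees = {}   # username -> exactly one role name

    def add_role(self, role, permissions=()):
        self._check(permissions)
        self.roles[role] = set(permissions)

    def grant(self, role, permission):
        self._check([permission])
        self.roles[role].add(permission)

    def revoke(self, role, permission):
        self.roles[role].discard(permission)

    def assign(self, username, role):
        if role not in self.roles:
            raise KeyError(role)
        self.employees[username] = role

    def is_allowed(self, username, permission):
        """Authorization decision made at request time from the live grid, so an edit to
        a role is effective on the very next request from web and native apps alike."""
        role = self.employees.get(username)
        return role is not None and permission in self.roles[role]

    def snapshot_permissions(self, username):
        """The anti-pattern for contrast: copy permissions into a bearer token at login.
        Later grid edits are invisible to such a token until it expires."""
        role = self.employees.get(username)
        return frozenset(self.roles[role]) if role else frozenset()

    def create_api_token(self, username):
        """Only an employee whose role carries 'Access the API' may mint an API token."""
        if not self.is_allowed(username, "Access the API"):
            raise PermissionError(f"{username} may not create API tokens")
        return secrets.token_urlsafe(24)

    @staticmethod
    def _check(permissions):
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
```

The design point is in `is_allowed` versus `snapshot_permissions`: revoking "View Reports" from the Manager role stops the next request from a manager, but a token that carried a copy of the permissions would keep granting it. Systems that embed permissions in long-lived tokens must either keep them short-lived or check a revocation counter on every request.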
KPA Flex uses Stripe for secure credit card transactions and does not directly receive or store credit card information. Stripe accepts all major credit cards, including MasterCard, American Express, Discover, and more. Stripe is certified as a Level 1 PCI Service Provider.
For more information on Stripe security, visit https://stripe.com/docs/security/stripe.
KPA Flex is SOC 2 Type II compliant. You can view the SOC 3 compliance report here (SOC 3 is a public report of internal controls audited during the SOC 2 process).
To view the KPA Flex Subscription Agreement, please visit https://go.kpaehs.com/subscription-agreement-general.
KPA Flex offers free customer support to all subscribers and subscriber employees. Application questions and other general requests are addressed promptly during standard business hours (US Central Time). Any urgent issues such as outages are addressed immediately, regardless of the time of day or day of week. Support is available in a variety of formats including:
- Knowledge Base – nearly 100 videos and guides that walk through different aspects of the KPA Flex application including Getting Started for New Employees, Building Your First Form, Analyzing Responses, Setting up Training, and more.
- 1 (833) 497-2688 – call the KPA Flex support line with questions on sales, billing, or technical support.
- support@kpaehs.com – email our support team and you will automatically receive a support ticket. Please be as specific as possible and include screenshots, links, and any other pertinent information.
- Online Contact Form – fill out the online contact form which will help us know which account you are linked to. Please be as specific as possible with your request.
KPA Flex officially supports the latest two major releases of each major web browser. The free Google Chrome web browser is recommended. It is a faster, more stable, more secure browser and is available on all operating systems. If Chrome is not an option, any browser apart from Internet Explorer would be acceptable.
For the best experience on mobile devices, use the latest operating system. KPA Flex officially supports the latest two major operating system releases (the current one and its predecessor). Within reason, attempts are made to support previous versions, but compatibility cannot be guaranteed.
Starting September 1, 2020, KPA EHS will require TLS 1.2 for all browser connections. Due to known vulnerabilities in both TLS 1.0 and 1.1, they will no longer be supported. The easiest way to support TLS 1.2 is to download the free Google Chrome browser. You can verify whether your browser supports TLS 1.2 at this link.
If your organization filters web or mobile traffic, please whitelist *.kpaehs.com. Note that on many filtering products a *.kpaehs.com wildcard does not match the bare domain kpaehs.com itself, so add that entry as well.
For email notifications, please whitelist *@kpaehs.com.
Learn more at https://kpaehs.com/it.