Server Centers and Security.
The security of the Kilpi platform starts with the quality and security of the data centres on which the platform is installed and runs.
The data centres are certified as meeting the highest standards set out by ISO and the Payment Card Industry Data Security Standard (PCI DSS).
Security of Kilpi App and centralized software for staging and managing the platform and application and
General Certification of Data Centres
ISO 9001:2015 specifies requirements for a quality management system when an organization:
a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
ISO 22301 Security and resilience:
This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
This document is applicable to all types and sizes of organizations that:
a) implement, maintain and improve a BCMS;
b) seek to ensure conformity with stated business continuity policy;
c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
d) seek to enhance their resilience through the effective application of the BCMS.
This document can be used to assess an organization's ability to meet its own business continuity needs and obligations.
ISO 27001 Information security management:
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
SOC 2 Type II Data security and privacy:
A company that has achieved SOC 2 Type II certification has proven that its system is designed to keep its clients' sensitive data secure. When it comes to working with the cloud and related IT services, such performance and reliability are absolutely essential and increasingly required by regulators, examiners, and auditors.
PCI-DSS Information security:
The Payment Card Industry Data Security Standard (PCI DSS) is an established information security standard which applies to any organization involved in the processing, transmission, and storage of credit card information. Created and overseen by an independent agency, the PCI Security Standards Council (PCI SSC), PCI DSS is designed to improve the security of payment card transactions and to reduce credit card fraud.
PCI DSS consists of twelve requirements, organized under six major objectives delineated by the PCI SSC. Every requirement is a specific, common-sense security step that helps businesses satisfy the relevant objective. The objectives and their associated requirements are as follows:
1. Build and maintain a secure network
o Install and maintain a firewall configuration to protect cardholder data
o Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
o Protect stored cardholder data
o Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability management program
o Use and regularly update anti-virus software or programs
o Develop and maintain secure systems and applications
4. Implement strong access control measures
o Restrict access to cardholder data by business need to know
o Assign a unique ID to each person with computer access
o Restrict physical access to cardholder data
5. Regularly monitor and test networks
o Track and monitor all access to network resources and cardholder data
o Regularly test security systems and processes
6. Maintain an information security policy
o Maintain a policy that addresses information security for all personnel