
Kontakt.io Security Overview

Data Security

Kontakt.io implements technical and organizational safeguards to protect personal data and Protected Health Information (PHI) in accordance with HIPAA, SOC 2, and GDPR requirements.

Encryption

  • Data in transit is encrypted using TLS 1.2+ across all external and internal communications.
  • Data at rest is encrypted using AWS-native encryption mechanisms, including:
      • Amazon S3 Server-Side Encryption
      • Encrypted EBS volumes
      • Encrypted RDS/Aurora databases
      • Encrypted backups and snapshots
  • Encryption keys are managed through AWS Key Management Service (KMS), backed by FIPS 140-2 validated hardware security modules (HSMs).
  • Access to encryption keys is restricted under strict role-based access controls and monitored.

Data Classification & Handling

  • Data is categorized (Public, Internal, Company Data, Customer Data including PII/PHI).
  • Customer data, including PHI where applicable, is logically segregated and access-controlled.
  • Data retention and secure disposal procedures are defined and enforced.

Audit Logging & Monitoring

  • Security-relevant activities are logged and centrally monitored.
  • Logs are retained in accordance with regulatory and contractual requirements.
  • Real-time monitoring and alerting are in place for suspicious or unauthorized activities.

Application Security

Kontakt.io follows secure software development lifecycle (SSDLC) practices aligned with SOC 2 and HIPAA Security Rule safeguards.

Secure Development Practices

  • Source code is maintained in controlled repositories with branch protections and peer review.
  • Static Application Security Testing (SAST) and dependency scanning are integrated into CI/CD pipelines (e.g., GitHub security scanning, AWS Inspector).
  • Container images are scanned for vulnerabilities prior to deployment.
  • Remediation timelines follow defined severity-based SLAs.

Penetration Testing

  • External penetration tests are conducted regularly by independent third parties.
  • Findings are tracked, prioritized, and remediated under formal vulnerability management procedures.

Authentication & Access Control

  • Role-Based Access Control (RBAC) enforces least-privilege access.
  • Administrative access requires Multi-Factor Authentication (MFA).
  • OAuth2 / OpenID Connect mechanisms secure API integrations.
  • Privileged access is logged and reviewed periodically.

Infrastructure Security

Kontakt.io’s production systems are deployed within Amazon Web Services (AWS) in a secure, highly controlled environment.

Cloud Security Controls

  • Infrastructure is deployed using Infrastructure-as-Code (Terraform) with change management controls.
  • Production workloads are containerized and deployed via managed AWS services (e.g., ECS/EKS).
  • Network segmentation, Security Groups, and Network ACLs restrict inbound/outbound traffic.
  • Web Application Firewall (WAF) and DDoS protections are applied where applicable.
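As an added illustration (not Kontakt.io's own configuration), the following Terraform shows how the at-rest and in-transit controls named in this overview are typically expressed when infrastructure is managed as code: a customer-managed KMS key with rotation and a usage-restricted key policy, S3 server-side encryption with that key, account-wide encrypted EBS volumes, and an RDS instance whose storage, automated backups and snapshots inherit the key. The region, bucket and database names, and the `app-runtime` IAM role are placeholders. The bucket policy is the piece a reviewer should look for: bucket defaults alone only apply when a client omits encryption headers, so the policy rejects uploads that name a different key or algorithm and any request below TLS 1.2, turning the stated controls into enforced ones.

```hcl
# Added example, not Kontakt.io's configuration. Region, resource names and
# the IAM role "app-runtime" are placeholders.
provider "aws" {
  region = "eu-central-1" # placeholder region
}

data "aws_caller_identity" "current" {}

# Customer-managed key with automatic rotation. The account root keeps
# administrative rights (so the key can never become unmanageable); only one
# runtime role may use it for data operations.
resource "aws_kms_key" "data" {
  description         = "Data-at-rest key (example)"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "KeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "RuntimeUseOnly"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-runtime" } # placeholder
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}

# S3: SSE-KMS by default with the key above, and no public access.
resource "aws_s3_bucket" "customer_data" {
  bucket = "example-customer-data-placeholder"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "customer_data" {
  bucket                  = aws_s3_bucket.customer_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy makes the defaults enforceable: uploads that explicitly name a
# different key or a non-KMS algorithm are denied, as is any request below
# TLS 1.2. "IfExists" lets header-less uploads fall through to the default.
resource "aws_s3_bucket_policy" "customer_data" {
  bucket = aws_s3_bucket.customer_data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyWrongKey"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.customer_data.arn}/*"
        Condition = { StringNotEqualsIfExists = { "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.data.arn } }
      },
      {
        Sid       = "DenyNonKmsAlgorithm"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.customer_data.arn}/*"
        Condition = { StringNotEqualsIfExists = { "s3:x-amz-server-side-encryption" = "aws:kms" } }
      },
      {
        Sid       = "DenyOldTls"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.customer_data.arn, "${aws_s3_bucket.customer_data.arn}/*"]
        Condition = { NumericLessThan = { "s3:TlsVersion" = 1.2 } }
      }
    ]
  })
}

# EBS: every new volume in this region is encrypted with the same key.
resource "aws_ebs_encryption_by_default" "this" { enabled = true }
resource "aws_ebs_default_kms_key" "this" { key_arn = aws_kms_key.data.arn }

# RDS: encrypted storage; automated backups and snapshots of an encrypted
# instance are encrypted with the same key.
resource "aws_db_instance" "app" {
  identifier                  = "example-app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.data.arn
  publicly_accessible         = false
  backup_retention_period     = 7
  skip_final_snapshot         = false
  final_snapshot_identifier   = "example-app-db-final"
}
```

Two design points worth noting when reviewing a configuration like this: `enable_key_rotation` rotates the backing key material without changing the key ARN, so existing ciphertexts remain decryptable, and `aws_ebs_encryption_by_default` is a regional account setting, so it has to be declared once per region rather than per volume.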

Vulnerability Management

  • Continuous container and package scanning via AWS Inspector.
  • OS and dependency patching aligned with risk-based remediation SLAs.
  • Regular review of exposed services and network paths.

Business Continuity & Disaster Recovery

  • Encrypted backups are performed regularly.
  • Disaster recovery procedures are documented and tested.
  • Recovery objectives are defined and aligned with service commitments.

Privacy & Regulatory Compliance

Kontakt.io maintains a structured compliance program addressing:

  • HIPAA Security Rule and HITECH requirements
  • SOC 2 Type II controls
  • GDPR obligations, including data transfer safeguards

Regulatory Safeguards Include:

  • Business Associate Agreements (BAAs) with healthcare customers where required
  • Data Processing Agreements (DPAs) incorporating EU Standard Contractual Clauses (SCCs) where applicable
  • Transfer Impact Assessments (TIAs) for international transfers
  • Documented Incident Response Plan and breach notification procedures
  • Annual security and privacy training for employees
  • Vendor risk management and third-party security reviews

Policies are reviewed at least annually and after material changes or incidents.

About Kontakt.io

Kontakt.io is a healthcare-focused operational intelligence company leveraging AI, IoT, and RTLS technologies to improve patient flow, staff safety, and hospital efficiency.
Founded in 2013, Kontakt.io has:

  • 32,000+ end users
  • 1,200+ partners
  • 4 million+ IoT devices deployed

Our mission is to deliver operational predictability while maintaining the highest standards of security, privacy, and regulatory compliance.


Kontakt.io Compliance & Security Q&A (GDPR, SOC 2, HIPAA aligned)

Responsibility for information security, privacy programs, and regulatory compliance is assigned to Lemlem Kentiba, Security & Compliance Officer. Executive oversight is provided by John Turek, CTO.

Kontakt.io maintains formal, management-approved security policies and procedures that are communicated to employees and acknowledged as required. Policies are reviewed at least annually to ensure continued effectiveness and alignment with regulatory and industry standards.

All vendors, contractors, outsourcing partners, and third parties must comply with Kontakt.io security policies and applicable customer agreements.

Security awareness training is required at least annually for employees and applicable contractors. Kontakt.io also maintains formal onboarding and offboarding procedures to ensure appropriate access provisioning and timely revocation of system access when personnel leave.

Kontakt.io enforces role-based access controls (RBAC) to ensure users have only the access necessary for their role. Privileged activities are controlled, logged, and periodically reviewed to support SOC 2 logical access controls and HIPAA “minimum necessary” principles.

Systems generate audit and error logs that record user actions, access attempts, and system events to support monitoring, detection, investigation, and response to suspicious activity.

Kontakt.io conducts periodic third-party penetration testing and maintains an ongoing vulnerability management program. Findings are tracked through remediation plans and monitored until resolution.

Kontakt.io maintains documented incident response procedures covering detection, escalation, containment, investigation, and notification in accordance with regulatory and contractual requirements, including GDPR and HIPAA/HITECH breach notification expectations.

Kontakt.io uses industry-standard encryption for data in transit and at rest. Secure authentication mechanisms and certificate-based communication are used to protect platform connections and device communications.

Kontakt.io maintains a data retention policy aligned with legal and regulatory requirements. For international transfers of EU personal data, Kontakt.io relies on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) and documented transfer impact assessments (TIAs). The company also maintains cyber liability insurance as part of its risk management program.