Security policy

Our customers trust us with access to sensitive and valuable data to do our jobs. We take this responsibility very seriously. This document outlines our policies for being responsible stewards of this data.

Please send any question or comments to

Last update: May 22, 2017 .

Our security philosophy

At MadKudu, we hold ourselves to a set of principles that guide every engineering and operational decision.

We treat your data like our data

We share our own internal business data with 3rd parties and expect them to adhere to a high level of security standards. We hold ourselves to this same level.

We follow industry best practices

The overwhelming majority of security issues can be avoided by following industry best practices: password policies, anti-virus software, encryption, access control. We adhere to them.

Policy reviews

We review and update this security policy every quarter to ensure we are current with best practices.

Our last review was in May 2017. The next one will be in August 2017.

Policy details

Access control

Data access is controlled on a need-to-know basis based on an employee's responsibilities.

Two-factor authentication is used for all cloud services when available.


All data in-transit is encrypted. We use https for all web app and API calls. SSL is used for all database queries. All third-party credentials are encrypted at-rest and in transit.

Data sharing

We don't share customer data with 3rd parties without a written agreement, with the exception of:

  • We store and process data on Amazon AWS
  • We store data in a MongoDB database hosted by IBM /
  • We send email address and domain (separate from any other information) to Clearbit for data enrichment

Personal Identifiable Information (PII)

We only store the data we need and that is already available in other systems (analytics, CRM...).

We do not ask for Social Security Numbers, Credit Card informations, user passwords...

Data deletion

Data is immediately deleted when a customer cancels.

Customer data will be deleted upon request to

Security training

We conduct security training for each new employee and repeat it annually.

Malware and anti-virus protection

We install malware and anti-virus protection software whenever prudent based on risk and best practices.

Access logging

We log accesses to all hosts and databases and retain access logs for a minimum of one year.

Incident management procedure

We will notify customers about any confirmed security or privacy breach as soon as possible. We provide assessment and mitigation reports within:

  • 24 hours for a critical events.
  • 2 business days for non-critical events.