Last Modified: July 4, 2025This Information Security Addendum (the “Addendum”) sets forth the technical and organizational measures for the protection of Content processed by Kernel (if applicable) or data (if any) provided by Customer to Kernel in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”).Kernel shall maintain an information security program that is designed to protect the security, confidentiality, and integrity of Customer Information (the “Kernel Information Security Program”). The Kernel Information Security Program will be implemented on an organization-wide basis. The Kernel Information Security Program will be designed to ensure Kernel’s compliance with data protection laws and regulations applicable to Kernel’s performance under the applicable Agreement (including any Data Processing Addendum), and shall include the safeguards set below, which substantially conform to the ISO/IEC 27002 control framework (the “Kernel Information Security Controls”).
1.1 Audits and Certifications. Engage independent third-party auditors to assess the Kernel Information Security Program as described in the following audits and certifications on at least an annual basis:SOC 2 Type II
2.1 Shared Responsibility Model. Kernel adheres to a shared responsibility model for its hosted offerings. Kernel maintains specific security responsibilities, while customers are responsible for managing their data and access.
3.1 Kernel. Create services for customers to create browser automation scripts and run them in browser environments managed by Kernel Technologies, Inc.
4.1 Governance. Kernel assigns to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing Kernel’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Information.4.2 Security Personnel. Kernel uses data security personnel that are sufficiently trained, qualified, and experienced to be able to fulfill their information security-related functions.4.3 Risk Assessments. Kernel conducts periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls.4.4 Risk Prioritization. Kernel maintains risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur.4.5 Information Security Policies. Kernel creates information security policies, approved by management, published and acknowledged by all employees.4.6 Information Security Policy Review. Kernel reviews and updates policies at planned intervals to maintain their continuing suitability, adequacy, and effectiveness.4.7 Data Classification. Kernel maintains a data classification standard based on data criticality and sensitivity.4.8 Data Retention and Destruction. Kernel maintains policies establishing data retention and secure destruction requirements.4.9 Asset Ownership. Kernel implements procedures to clearly identify assets and assign ownership of those assets.4.10 Compliance. Kernel establishes procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.
5.1 Information Security Policy Acknowledgement. Kernel creates information security policies, approved by management, published and acknowledged by all employees.5.2 Information Security Awareness Training. Kernel requires all employees to undergo security awareness training on an annual basis.5.3 Personnel Agreements. Kernel requires personnel to sign confidentiality agreements and acknowledge Kernel’s information security policy, which includes acknowledging responsibilities for reporting security incidents involving Customer Information.
6.1 Cloud Service Providers. Kernel uses Hosting Service Providers that have:6.1.1. Physical Security. Implemented controls designed to restrict unauthorized physical access to areas containing equipment used to provide Kernel.6.1.2 Environmental Security. Maintain equipment used to host Kernel in physical locations that are designed to be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and power failures or outages.
7.1 Logical Access Control. Kernel maintains technical, logical, and administrative controls designed to limit access to Customer Information. Unique usernames and passwords are required for authentication.7.2 Privileged Access Restriction. Kernel restricts privileged access to the Customer Data to authorized users with a business need.7.3 Access Review. Kernel reviews personnel access rights on a regular and periodic basis. Access to production environments is reviewed at least quarterly.7.4 Access Revocation. Kernel maintains policies requiring termination of access to Customer Information within 24 hours of employee termination.7.5 Multi-Factor Authentication. Kernel implements access controls designed to authenticate users and limit access to Customer Information, including multi-factor authentication.7.6 Cryptographic Key Management. Kernel implements encryption key management procedures.7.7 Encryption in Transit. Kernel encrypts Customer Information in transit using a minimum of SSL with SHA 256 or TLS 1.2 with strong ciphers.7.8 Encryption at Rest. Kernel encrypts Customer Information at rest using a minimum of AES-256 with strong ciphers.7.8.1 Encryption Key Rotation. Kernel utilizes Hosting Service Provider managed keys that are rotated at least annually.7.9 Separation of Environments. Kernel requires internal segmentation to isolate production systems hosting its cloud services from non-production environments.7.10 Vulnerability Testing. Kernel performs periodic network, infrastructure, and application vulnerability testing.7.11 Penetration Testing. Kernel performs network and application penetration testing at least annually.7.12 Technical Vulnerability Management. Kernel implements procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.7.13 Network Security Reviews. Kernel requires periodic reviews and testing of network controls.7.14 Workstation Security. Kernel centrally manages workstations via endpoint security solutions for deployment and management of end-point protections.7.15 Local Separation of Customer Environments. Customer environments are logically separated.7.16 Change Management. Kernel assigns responsibility for security, changes and maintenance for all information systems processing Customer Information.7.17 Change Authorization. Kernel tests, evaluates and authorizes major information system components prior to implementation for its cloud services.7.18 Secure Development. Kernel maintains and follows a secure development lifecycle for the development of the software that is hosted and made available.7.19 System Monitoring. Kernel monitors the access, availability, capacity and performance of its cloud services, and related system logs and network traffic using various monitoring software and services.7.20 Security Incident Response Procedures. Kernel maintains incident response procedures for identifying, reporting, and acting on Security Breaches.7.21 Security Incident Reporting. If Kernel becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Information, Kernel shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 48 hours after becoming aware and in accordance with Section 7 of the Data Processing Addendum.7.22 Security Incident Response Tabletop. Kernel exercises the incident response process on a periodic basis.7.23 Security Incident Response Improvement. Kernel implements plans to address gaps discovered during incident response exercises.7.24 Incident Response Team Kernel establishes a cross-disciplinary security incident response team.7.25 Business Continuity Plans. Kernel establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.7.26 Business Continuity Tests. Kernel conducts scenario-based testing annually.
