Kurtosys Systems Inc. uses some specific partners and vendors (third-parties) to assist in providing the products and services it delivers to customers, i.e. third-parties with operating roles. Some of these are involved in providing indirect, commoditised services with no data processing role. Others are engaged in direct, specific data processing activity.
Indirect access means that they do not have access to any Customer Data by design. Should they bypass controls and contractual obligations, they may gain access to Customer Data without our consent. This would constitute a deliberate act and would not be the result of an accidental action.
Direct access means that they have a role with least privilege that enables them to access selective Customer Data on a routine or temporary basis to perform certain actions or services within our platform.
Prior to engaging any indirect or direct third-party provider with an operating role, Kurtosys applies a risk assessment process to evaluate suitability and to ensure that the third-party is able to perform the functions required and is compliant with any security and confidentiality practices which may apply. We expect third-parties to be able to demonstrate a suitable level of certification to confirm this. We also maintain a continuous process of monitoring and reviewing third-party actions.
We also execute agreements with our third-party service providers, which include terms that, at a minimum:
Kurtosys will remain responsible for its compliance with the obligations of any applicable agreements with Customers and for any acts or omissions of the third-party that cause Kurtosys to breach any of its obligations under those agreements.
We encourage customers to understand how these third parties operate and use data in the context of the products and services we provide, in order to determine whether this creates any operational concerns in data processing.
The third-parties below provide: cloud infrastructure services; web site content management; authentication mechanisms; customer marketing activities; SLA monitoring:
Indirect 3rd parties. These provide services to Kurtosys Systems which impact all customer hosting:
| Third party | Service |
|---|---|
| Rackspace Inc. | Infrastructure and datacentre |
| Amazon Web Services | Infrastructure and datacentre |
| Microsoft Azure | Infrastructure and datacentre |
| Alert Logic | Threat Monitoring services |
| Akamai | WAF, DDoS, edge caching services |
Direct 3rd parties. These provide additional data processing services to Kurtosys Systems which may be used in some customer applications as appropriate to the implementation:

| Third party | Service |
|---|---|
| Duo Security | Multi factor authentication of users |
| Nurture Agency | Web Site content management and administration |
| Bitbucket | Content repository and backup of configuration |
| Ghost Inspector | Web content checking and monitoring |
| Runscope | Web content checking and monitoring |
Kurtosys has the discretion to update the third-party list at any time in a manner that is consistent with the requirements of our products and services. When we do, we will provide notice to customers in normal review processes (roadmap announcements, project reviews, etc.) and revise the updated date at the bottom of this page. We encourage users to frequently check this page for any changes. You acknowledge and agree that it is your responsibility to review this periodically and become aware of modifications.
If you have any questions about this policy, please contact Kurtosys Systems at:
134 Fifth Avenue, 3rd Floor, New York NY 10011
Tel: +1 646 838 2030
77 Kingsway, London WC2B 6SR
Tel: +44 (0)800 029 1410
This document was last updated in May, 2018.