Why GRC matters

As a provider of an enterprise-grade headless Content Management System, we are legally and contractually bound to demonstrate due care and due diligence in our operation. This covers broad aspects of our business. From the technology we are using, the data that we safeguard, and the financial statements we produce to the business we do. As discussed in the paragraphs below, we hold several certifications that require us to hold high standards internally. 

Apart from these external aspects, we also recognize the value of a good governance system. It helps us prioritize and address systemic issues. We unify and organize internal rules so that everything we do clearly leads to the fulfillment of our mission and vision. Regular discussion and clear reporting lines ensure we do not overlook any important aspect of our business.

That said, we made sure that governance does not remain just on paper. Our Executive team members are actively participating, the board of directors weighs in when needed, and there are internal committees (like Corporate Compliance Committee or Security Steering Committee) that ensure active stakeholder engagement. Instead of just annual formal sessions, we collaborate actively in working groups and meet as needed. 

Control frameworks

With a customer base spanning from the United States through Europe to Australia, we work around the clock to ensure the highest standards for data and infrastructure security. In the various geographies, the standards in question often vary, and our teams regularly review how they evolve and what becomes the most important for our customers. 

On a general level, we are committed to implementing and maintaining compliance with the following frameworks: 

• ISO/IEC 27001 with control extension covering cloud security aspects as defined in ISO/IEC 27017
• Trusted Services Criteria (by AICPA®), with assurance delivered in the form of SOC 2 Type 2 Report
• Cloud Control Matrix (by CSA®), with assurance delivered in the form of CAIQ (STAR)

For our customers in various regulated segments, we strive to provide the assurance they need depending on the particular legislation with data security requirements. We have developed guidance and responses for the following industry requirements: 

• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accessibility Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Higher Education Community Vendor Assessment Toolkit (HECVAT)

Furthermore, there is a range of standards we continuously assess ourselves against internally. Even though these do not generally include any certifications, we are open to discussing how we address them. These include: 

• National Institute of Standards and Technology (NIST) Cybersecurity Framework
• The Open Worldwide Application Security Project (OWASP®) Top 10
• Center for Internet Security (CIS®) Benchmarks

Risk management

At Kontent.ai, risk management is one of the main pillars of our security program, and we consider it essential for our operation. We have previously discussed how we address it as part of our security culture. 

Enterprise risk oversight is provided by our Corporate Compliance Committee, chaired by the CFO and consisting of representatives for all areas of risk. Reporting of Committee activity happens to both our CEO and the Board of Directors. 

The basic artifacts of our risk management cover the following items: 

• Asset inventory and Process map, which help us trace asset classifications, relations, and dependencies
• Risk Appetite Statement, a declaration of risk appetite for various types of risk
• Business Impact Analysis, covering risks related to business continuity
• Risk Analysis, the actual engine for assessing risks
• Risk Register, where all is captured, and risk owners drive and capture risk treatment actions

As risk taxonomy, we utilize risk quantification wherever possible. We have implemented Factor Analysis of Information Risk (FAIR^TM) to clearly articulate risks in dollar values to the business. Certified risk practitioners train and help all teams analyze risks so that consistency and relevance of identified risks are maintained. 

There is a clear escalation path, and treatment of risks with certain severity can only be decided at appropriate levels of the organization (e.g., VP level, Executive team, CEO, Board of directors). 

Where needed, we establish and monitor Key Risk Indicators (KRIs), which are discussed on a regular basis. 

Governed, risk-aware, and compliant

As discussed, GRC is an essential part of our internal operation. By active collaboration of stakeholders on all levels of the organization, we ensure swift resolutions of problems and the definition of sensible rules and policies. With risk quantification, we bring clarity into conversations and make important decisions on the basis of risk. Compliance with standards, frameworks, and regulatory requirements is being actively maintained and audited both internally and externally.