The English version is provided for reference purposes, and the legally binding Korean version shall prevail if there are any conflicts between the English and Korean versions.
Kakao Platform Service is an application program platform service that is used by companies or individuals to develop application programs, connect to Kakao’s services and be run or serviced all around the world. Kakao’s Platform Service is focused on managing, expanding and providing security for infrastructure, allowing companies or individuals to concentrate more on the development and business logic of their application. All customers have to do is take care of the business side of their applications, since Kakao applies the best security practices to platform security management. Kakao’s Platform Service protects customers from all threats by applying security controls on all layers, from the physical layer up to the application program layer. The Kakao Platform Service Team and Security Team can update security matters quickly, without having to notify customers or suspend the service, in order to protect the security of our customers’ application programs.
Trust is Kakao’s core principle. We make decisions based on the standards of the day because we want to keep our promise to protect our customers’ privacy and retain their trust. Each and every employee is responsible for building trust, and that responsibility is something we take very seriously.
Most of Kakao’s physical infrastructure is hosted in our data center located in South Korea. Our data center manages risks and undergoes repeated assessment to abide by industry standards. The operations of the data center have been certified with an ISO 27001 certification.
Kakao abides by provisions in the ISO 27001 and ISMS (Information Security Management System).
Security tests of a third party’s application program, in relation to the Kakao Platform Service, are conducted under a separate agreement or arrangement by an independent and credible security consulting firm or the Kakao Security Team.
Kakao uses a data center that has earned an ISO 27001 certification. The data center has accumulated years of experience in designing, developing and operating a large-scale data center. Kakao has also acquired years of know-how in providing large-scale services and stably operating physical hardware, and this experience is directly applied to all of Kakao’s infrastructure. Security experts rigorously control any physical access to the vicinity or building entrance using video cameras, intrusion detection systems and other electronic or electrical means. All visitors and contractors are required to present their identification cards, are admitted to the facilities by a dedicated employee, and are monitored throughout their visit.
Access to, and information on, the data center is limited to employees who have the right and qualification to access the data center for legitimate business needs. An employee shall immediately lose access if they no longer require the rights for business needs. The employee’s physical and electrical/electronic access to the data center shall be logged on a regular basis and monitored.
Automatic fire detectors and extinguishers are installed to minimize risks. The fire detection system uses fire detection sensors in all data center facilities, including areas that have mechanical, electrical and electronic infrastructure, cooling chambers and generator equipment rooms. These areas are also protected by wet pipe sprinkler systems.
The data center’s electrical power system is designed to be fully redundant and can be maintained 24/7 without interrupting the operations of the data center. The uninterruptible power supply (UPS) device offers a back-up power supply to continuously operate the facilities’ important and basic functions when an electrical issue occurs. The data center uses a generator to provide back-up power throughout the facility.
Temperature control helps prevent servers from overheating and decreases service interruptions, and is needed to maintain a consistent temperature for service operation. Air quality in the data center is controlled to the optimum level. The monitoring system and data center manager make sure the temperature and humidity are maintained at a certain level.
The data center manager constantly monitors electrical/electronic and mechanical equipment and equipment maintenance systems, and immediately identifies problems when they occur. Equipment maintenance is conducted as a preventive measure to maintain the equipment’s continued operability.
Firewalls are used to restrict external networks from accessing internal systems. As a rule, all access is rejected; the only exceptions are ports and protocols that are explicitly approved for business necessities. Each system is allocated to a firewall security group, depending on the system’s function. In order to prevent any risks, security groups only allow access to ports and protocols that are needed for the system’s specific functions.
Intrusion detection systems are used to analyze and detect, in real time, abnormal and aggressive packets that exist between external networks and internal systems.
Measures have been prepared against DDoS attacks, including protection against TCP SYN flood attacks and connection restrictions. Immediate action is taken in response to events as they arise. Kakao also works closely with a specialized agency to prevent advanced DDoS attacks.
Spoofing and packet sniffing are prohibited in our infrastructure. Any spoofing or sniffing that occurs is immediately reported and blocked. Our firewalls and intrusion detection system also block IP, MAC and ARP spoofing between the network and virtual host. Packet sniffing is also prevented in infrastructure that includes hypervisors, which block traffic into network interfaces other than their own. Kakao uses encrypted connections at all levels for heightened protection against risks.
Port scanning is prohibited by Kakao’s infrastructure provider, and all reported instances are investigated. If port scanning is detected, the attack is halted and access is restricted.
The scope of end users of an application program that uses the Kakao Platform Service is limited to those inside that application program. Therefore, data is only valid inside that application program, is saved separately per application program, and is isolated from other application programs in order to prevent risks that arise due to unauthorized access from one application program to another.
System configuration and consistency are continuously updated to the latest and most stable version. Security updates are considered a top priority and are conducted after a security test. During this process, the existing system is usually discarded and replaced with the most recently updated system.
Access to the operating system is limited to the Kakao staff who are associated with that system. A user name and key authentication are also required to access the system. All operating systems are accessed with Kerberos authentication and are defended against various hacking attacks that can arise during log-ins. Such access is also tracked. In addition, direct access from external networks is prohibited.
Kakao’s vulnerability management process is designed so that it can re-adjust risk factors without interfering with customer interaction or any of the customer’s services. Kakao is notified of any vulnerabilities through internal and external assessments, system patch monitoring, and/or third party mailing lists or services. Each vulnerability is reviewed to see whether it applies to Kakao’s currently configured environment. A list of priorities is created, with the highest risk vulnerability at the top of the list. A dedicated security team and other appropriate teams are then allocated to resolve the issues.
All databases associated with the application program are backed up daily, in a duplex configuration. If a database failure occurs, service can be sustained with the system that is backed up in real time, and any lost data can be restored from the last snapshot.
If a failure occurs, the Kakao Platform Service dynamically restores the customer’s application program and database automatically through a duplex configuration.
The Kakao Platform Service is designed with stability and scalability in mind, and to minimize the basic issue of functions stopping during system restoration. The Kakao Platform Service is configured in duplicate in order to prevent single-point failures and is maintained so that elements that cause failures can be replaced. Multiple data centers are also used for restoration. Kakao carefully reviews issues in the platform to identify the root cause and the influence the issues have on customers, and also makes constant improvements in the platform and process.
Kakao has a published Privacy Policy with clearly prescribed provisions on the type of data that is collected and how that data is used. Kakao exerts its best effort to protect our customers’ personal information and to enhance transparency.
Kakao enforces several step-by-step measures to protect customers’ personal information and data saved in the platform. The Kakao Platform Service has embedded defensive measures that include authentication, access control, encrypted data transmission, HTTPS support for customers’ application programs, and encryption of saved data. Please refer to the Privacy Policy for details.
Kakao employees do not access or interact with customer data and/or application programs for general operations. Kakao may have to interact with customer data or application programs in order to provide support upon the request of the customer, or if required by law.
Security vulnerability reports can be submitted to pf.security@kakaocorp.com. Non-emergency inquiries can be posted on DevTalk.
HTTPS must be used to protect all sensitive data that is transmitted to and from the application program.
All sensitive data that is saved as a file, or in the database, must be encrypted.
Strong passwords must be used in accounts and certification keys to prevent access from unauthorized accounts. Certificate keys must be saved safely in order to prevent them from being exposed, and any keys that are lost or exposed must be replaced. The invite function in the team setting of the application program that is provided by the Kakao Platform Service must be used, rather than sharing the developer account.
While developing the application program on the Kakao Platform Service, you may also have to use a service offered by Amazon S3, an email service provider or a third party that provides a specific feature. You must always be mindful of Kakao’s principles related to data sharing, as well as cases related to security, and try to abide by those principles when using services provided by third party providers.