Kraken Trust Centre

At Kraken, your trust and security are our top priorities. We are committed to maintaining the highest standards of data protection, privacy, and compliance. Our Trust Center is designed to provide you with transparent and comprehensive information about our security practices, policies, and compliance efforts.

We regularly monitor and assess our security program to meet and exceed compliance and regulatory requirements.

DATA SECURITY

Creating an advanced operating system and cutting-edge connections for utilities wouldn’t be possible without investing in the security and privacy of our systems, protecting our clients’ data and our business operations.

Kraken has in place security controls to protect our platform, organisation and data, with key security measures including:

  • Infrastructure security for our Kraken Platform, based on Amazon Web Services security capabilities and industry leading cybersecurity products

  • Secure Software Development Practices integrated into our Continuous Integration and Continuous Delivery (or Deployment) (“CI/CD”) workflow, with security testing and vulnerability analysis performed before, during and after deployment

  • Embedded operational security capabilities leveraging automation and machine learning to respond to incidents

Encryption

Our platforms have been designed with confidentiality in mind, and Kraken encrypts clients’ data at rest (using Advanced Encryption Standard (“AES”)-256) and in transit (using known-secure TLS 1.2 cipher suites and TLS 1.3).

Kraken Customer Platform Isolation

Kraken Customer Platform is single-tenant by default, which allows our clients to benefit from isolated network virtualisation and a dedicated set of security controls limiting the risk of threat proliferation. It also enables us to feed Kraken Customer Platform logs directly into client Security Information and Event Management (“SIEM”) tooling if needed.

Automated Patching

Kraken’s continuous deployment model allows us to deploy over 100 times a day, which means we can quickly deploy patches to client environments to keep packages up-to-date.

Automation and Standardisation as an Enabler

In order to reach the scale needed to support Kraken’s mission to create a smarter, greener energy network, we align our security tooling and operational approach with how we build our platform. We deploy infrastructure as code, including security controls and configurations for everything from web application firewalls to monitoring technologies. We deploy centralised monitoring throughout our infrastructure (endpoints and cloud container hosts) for containment and rapid response to potential Indicators of Compromise (IOCs) as and when necessary.

Compliance and Certifications

Kraken’s Customer and Kraken Flex products maintain SOC 1® Type 2 and SOC 2® Type 2 attestations, with reports available for our clients’ (and prospective clients’) assurance purposes. These reports are published twice a year to enable clients with various reporting schedules to meet their assurance needs.

Kraken holds ISO/IEC 27001:2022 certification and uses ISO/IEC 27001 as the basis for our Information Security Management System. Our set of organisational policies and standards has been developed and maintained with ISO/IEC 27001 in mind.

Certifications
  • ISO/IEC 27001:2022 - Our Information Security Management System (ISMS) certification demonstrates our commitment to international best practices in security management

  • SOC 1® Type 2 and SOC 2® Type 2 attestations - Published twice annually to provide comprehensive assurance of our control effectiveness across Security, Availability, and Confidentiality

Preventative Security Controls
  • AWS infrastructure security with isolated network virtualisation and dedicated client environments for Kraken Customer Platform

  • Secure Software Development Lifecycle integrated into CI/CD workflow with automated security testing and vulnerability analysis before, during, and after deployment

  • Code analysis, e.g. Static Application Security Testing and Software Composition Analysis, as part of every build

  • Continuous deployment model enabling >100 deployments daily with automated security checks, regular updates and patching

Data Measures

Kraken implements data protection measures including:

  • AES-256 encryption of clients’ data at rest, in Kraken’s databases and for any other data stored (e.g. in S3 buckets)

  • Mandatory TLS 1.2+ encryption of clients’ data in transit across our network

  • Single-tenant architecture ensuring data segregation between clients

  • Role-based data access control with regular privileged access permission audits

Authentication & Access Control

Our authentication framework provides:

  • OAuth/OpenID Connect-based secure token authentication with JWT validation

  • Multi-factor authentication support across Kraken access points

  • Permission controls with customisable roles and access levels

  • Integration with client identity providers (“IdPs”) supporting OAuth / Security Assertion Markup Language (“SAML”) for Kraken Customer Platform

Security Operations

Our security operations include:

  • Continuous security monitoring 

  • Threat detection with leading security products and automation

  • Regular security assessments

  • Incident response procedures and a dedicated security operations team

  • Disaster recovery capabilities

DATA PROTECTION

Kraken takes the protection of your data extremely seriously. We understand the importance of safeguarding your personal information and are committed to maintaining the highest standards of data security and privacy. 

We implement data protection frameworks and minimisation principles, limit personal data processing to essential identifiers and implement redaction for sensitive information before any third-party processing where appropriate.

At Kraken, compliance with applicable data protection laws and regulations is of paramount importance—not only to meet legal requirements but also to provide for additional protection and security of our clients' and their end-customers' personal information. Our clients may choose to deploy Kraken services from any region supported by Kraken or, where applicable, a collection of regions. Kraken will not relocate a client’s workspace from the selected region or geography without the client’s prior consent. 

We align with General Data Protection Regulation (GDPR) and take this as the standard across the business. We also include an additional layer of compliance by factoring in other applicable modern data protection laws, such as the California Consumer Privacy Act (CCPA), where required and appropriate. We continuously review and update our data protection policies and standards to rigorously align with data and privacy laws in the territories we operate.

Kraken does not sell client data or use it for advertising purposes. 

Privacy Notice

Kraken’s Privacy Notice can be found here: https://kraken.tech/privacy-notice

Cookies Notice

Kraken’s Cookies Notice can be found here: https://kraken.tech/cookies-notice

Data Processing Agreement

Kraken’s current Data Processing Agreement can be found here: https://kraken.tech/DPA

For Data Processing Agreements entered into on or before March 1, 2025, please contact us at privacy@kraken.tech

Subprocessors

Kraken’s current subprocessor list (and the ability to subscribe to subprocessor changes notification) can be found here: https://kraken.tech/subprocessors. The list of subprocessors may vary depending on the specific product or service selected, as well as the contractual agreements in place with our clients. Kraken reserves the right to update this list periodically.

Kraken and its affiliates engage third-party subprocessors to help us provide services to our clients. A subprocessor is a third-party processor engaged by Kraken or, in some cases, a Kraken affiliate, who receives data from Kraken and processes personal data on behalf of our clients. The location of a subprocessor may vary depending on the location of our client.

As a condition for allowing a subprocessor to process personal data, Kraken and its affiliates (as applicable) will enter into a written agreement with each subprocessor. This agreement will include data protection obligations that are at least as stringent as Kraken’s own technical and organisational measures to safeguard client personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.

Data Protection Officer

Kraken has formally appointed a Data Protection Officer (“DPO”). To reach our DPO, please contact dpo@kraken.tech

Employee Training and Compliance

We maintain security and privacy standards through employee training and verification processes.

Training completion and verification are prerequisites for system access, confirming employees understand their responsibilities in maintaining Kraken's security and privacy standards.

Examples of our training, controls and verification are as follows:

Security and Privacy Training
  • Employees must complete mandatory security awareness training

  • Training covers essential topics including:

    • Data protection principles and GDPR compliance

    • Information classification and handling

    • Incident response procedures

    • Security best practices and acceptable use policies

  • Refresher training is required annually for continued awareness of security and privacy requirements

  • Additional role-specific security training is provided based on job function and access levels

Access Control and Authentication
  • Every employee is assigned unique credentials for accessing Kraken systems and applications

  • Multi-factor authentication is mandatory for system access, whether working remotely or in office

  • Access rights are granted based on role requirements and privileged access is regularly reviewed

  • Strict password policies and security controls are enforced across our products, platforms and tools 

Training Verification
  • Completion of security and privacy training is tracked and documented

  • Training materials are regularly updated to reflect current threats and compliance requirements

  • Regular audits maintain ongoing compliance with training requirements

Personal Data Breach 

Our policies and procedures are established to notify clients about personal data breaches in accordance with our contractual obligations set out in our Data Processing Agreement and applicable laws.

We prioritise the security and privacy of personal data. Our approach to handling personal data breaches is structured to implement swift and effective action, outlined below:

  • Activate response procedure

  • Involve Legal, Privacy and Security teams

  • Perform breach assessment and reinforce containment

  • Assess risk to data subjects and notify clients and regulators (as necessary) 

  • Perform post-incident review and record management 

  • Update security measures (as necessary)

Data Role of Kraken 

Kraken acts as a data processor when providing services to its clients. In this role, Kraken processes personal data on behalf of its clients, who are the data controllers. The data processing activities are carried out in accordance with the instructions provided by Kraken’s clients and applicable data protection laws.

As a data processor, we:

  • Process data according to our clients' instructions and purposes;

  • Cannot dictate or choose the lawful basis for processing - this is the client's responsibility;

  • Must follow client’s instructions for data processing, including retention periods and data subject rights requests; and

  • Maintain comprehensive records of processing activities.

We take our responsibilities as a data processor seriously. We are committed to the highest standards of data protection and privacy across our products and services. 

Transfer Impact Assessments

As a data processor handling personal data across multiple territories, we conduct Transfer Impact Assessments (TIAs) to implement secure and compliant data transfers.

For extracts or copies of our TIAs (where appropriate), please contact privacy@kraken.tech

COMPLIANCE FRAMEWORK

Our security and compliance policies and standards are developed and maintained in alignment with international best practices and regulatory requirements. Regular audits are conducted for continued compliance with our commitments.

Client Requests 

We understand the importance of transparency in security assurance. Clients may request access to our security audit reports and certifications through their account representative. Available documentation includes:

  • Latest SOC 1 Type II and SOC 2 Type II reports and bridging letters (where necessary)

  • Kraken’s ISO 27001 certificate and statement of applicability

  • Executive summaries of penetration test results

To request copies of our security audit reports or certifications, please contact your KrakenTech account representative. 

Prospect Requests 

You can request access to the documents in this Trust Centre by contacting your Kraken Sales Representative. Access will be granted once we confirm a valid Non-Disclosure Agreement (NDA) is in place.