Kelmar understands the importance of confidentiality and takes extensive security measures to ensure all information, documents, and data received or created during the regular course of business are maintained in a secure environment and are treated with the utmost confidentiality.
Federal and state law, industry best practices, and legal and ethical obligations all require that Kelmar treat confidential and private information stored, created, collected, maintained, and/or transmitted by the Company during the course of providing services to clients with the utmost care. To that end, Kelmar has adopted risk management practices and internal controls to help our customers meet their own compliance standards.
Service Quality Controls
Kelmar has implemented numerous controls throughout the organization to ensure the security, reliability, and overall quality of its unclaimed property services. Kelmar routinely evaluates its controls and implements enhanced measures where necessary to address industry developments, process changes, and advancements in technology. These undertakings ensure that all Kelmar client services are performed consistently in a high-quality, professional, and competent manner, in accordance with applicable federal and state laws, regulatory agency guidance, and industry best practices.
Confidentiality and Non-Disclosure Agreements
Except as expressly permitted, Kelmar does not disclose any information obtained on behalf of a client and all such information is treated as confidential. As a condition of employment, Kelmar requires that each of its employees execute a form confidentiality and non-disclosure agreement. All Kelmar vendors performing services in connection with any of its contracts and/or with access to records or client property are also required to execute confidentiality agreements wherein they agree to treat all information or records in the course of performing work for a client as confidential.
Written Information Security Program
Kelmar expends significant resources to maintain the security and confidentiality of all records and findings created, obtained, and/or stored in connection with any services rendered. The Company has implemented a comprehensive Written Information Security Program (“WISP”), which includes stringent administrative, procedural, technical, and physical safeguards for the protection of confidential information (including any protected personal information).
Utilizing a variety of security tools and methods, Kelmar restricts access to information systems and data on a least-privilege security model. To mitigate risk of unintentional or intentional disclosure or inappropriate or unauthorized access to confidential data, Kelmar employs strong encryption methodologies for data in transit and data at rest on all systems. Additionally, Kelmar maintains robust conditional access policies and mandatory two-factor authentication for all of its employees.
Secure Data Transmission
Kelmar has implemented secure encrypted email systems, with Transport Layer Security enforced by default on all communications, and cloud-based Cisco Email Security systems for an additional layer of identity management and encryption when staff transmit confidential information. Kelmar also utilizes an email moderator system with designated approvals prior to the release of external exchanges. The Company also provides access for its clients and trading partners to a private, Secure File Transfer platform which is configured to the FIPS 140-2 standard.
Data Center Compliance
All Company systems are implemented using a fully redundant approach, with all system elements configured to be fault tolerant. The Company’s private cloud is supported by multiple, carrier-diverse internet connections, extended backup power, and comprehensive facility security. All systems are monitored 24 hours a day, seven days a week for uptime, disk space utilization, processor utilization, and memory utilization. Individual applications are also monitored, and Kelmar support team members are notified immediately of any failures or anomalous system usage. The Company provides for comprehensive backup and a fail-over data center service in case of catastrophe.
Business Continuity Plan
Disasters can strike without notice, at any time. Consequently, Kelmar recognizes the importance of maintaining sufficient procedures and redundancy capabilities to assure continued processing in an emergency and the accurate back-up and full recovery of all data storage systems. These procedures are outlined in Kelmar’s confidential Business Continuity Plan (“BCP”). Having a BCP provides Kelmar with a comprehensive plan for recovering critical business functions and data in a timely fashion with minimal interruption in the event of a disaster.
Information Security Best Practices
Kelmar employs an enterprise-grade information security management program and has the credentials to prove it. The Company has adopted information security industry best practices in the development and implementation of its information security program. The program is based upon the National Institute of Standards and Technology (NIST) standards in conjunction with ISO/IEC 27001/2 security controls and includes the use of strong encryption standards, next-generation firewalls, intrusion detection/prevention systems, web content filtering rules, routine scheduled vulnerability scanning, and secure file transfer. Kelmar routinely tests and monitors its information security controls to ensure compliance and eliminate risks.
Independent Annual Reviews
Committed to ensuring a consistent, reliable, and independent audit process, Kelmar also undergoes an annual ISO 27001:2013 compliance assessment and has achieved ISO 27001:2013 certification. The certification is conducted by an independent examiner to ensure the Company's information security and records management practices and procedures meet and/or exceed ISO 27001:2013 standards. Each year, Kelmar undergoes comprehensive audits of KAPS® to obtain SOC 2 Type 2 reports, describing the controls related to the security, availability, and confidentiality within the unclaimed property system. Kelmar’s compliance services are reviewed annually to ensure examination controls are SOC 1 Type 2 compliant. In addition, Kelmar works with industry-leading cybersecurity providers to perform routine tests and comprehensive assessments of its systems. With a focus on protecting data and information stored on its private cloud, at all physical locations, and within the Company’s data centers and networks, Kelmar’s information systems, including the security environment where the data is stored, are likewise tested annually and are SOC 2 Type 2 compliant.