
Kivo's Password and Security Policies


Written by Casey Huxtable
Updated over 3 weeks ago

Required Roles: N/A
Required Permissions: N/A


Kivo takes data privacy, system integrity, and access security very seriously. Our controls are designed and operated within a formal Quality Management System aligned with ISO 9001 and industry best practices (including GAMP 5 and 21 CFR Part 11 / EU Annex 11), and are further supported by our SOC 2 Type 2–based security program. In addition to our platform-wide controls, the options described below can be enabled and configured on a per-organization basis to align Kivo with your internal security and compliance requirements.


Index

Password Policies

Kivo Security Policies


Default Password Format Requirements

The following password settings are enforced by default for all Kivo users:

  • No more than 2 identical characters in a row

  • Special characters are required (e.g., !@#$%^&*)

  • Password must contain at least one lowercase letter (a–z)

  • Password must contain at least one uppercase letter (A–Z)

  • Password must contain at least one number (0–9)

  • Password must be at least 8 characters in length


Additional Password Requirements

In addition to the default format requirements, Kivo enforces several controls to prevent weak or reused passwords:

  • Password history: A new password cannot have been used in the past 10 passwords.

  • Common password check: Passwords are compared against a dictionary of the 10,000 most common passwords. Any matches are disallowed.

  • Personal data restriction: Passwords cannot contain personal data such as:

    • Your name

    • Your username

    • Portions of your email address

    • Other easily identifiable personal information
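The default format requirements and the additional requirements above can be expressed as a single checker. The Python below is an added example, not Kivo's own implementation: `check_password` returns the names of every rule a candidate violates, so an empty list means the password is accepted. The six-entry `COMMON_PASSWORDS` set is a constructed stand-in for the 10,000-entry dictionary, the PBKDF2 parameters, the treatment of any non-alphanumeric character as "special", and the 3-character minimum for name/email fragments are assumptions (the page does not say how history or personal data are compared), and the `UserProfile` data is constructed sample input.

```python
"""Password policy checker for the rules listed above (added example, not Kivo's code)."""
import hashlib
import os
import re
from dataclasses import dataclass, field

# Constructed stand-in for the 10,000-entry common-password dictionary the page mentions.
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1"}
HISTORY_DEPTH = 10        # page: the last 10 passwords may not be reused
MIN_LENGTH = 8            # page: at least 8 characters
MIN_TOKEN_LEN = 3         # assumption: ignore 1-2 character name/email fragments (false positives)
PBKDF2_ROUNDS = 100_000   # assumption: the page does not specify how old passwords are stored


@dataclass
class UserProfile:
    name: str
    username: str
    email: str
    extra_terms: tuple = ()                         # "other easily identifiable" info, caller-supplied
    history: list = field(default_factory=list)     # (salt, hash) of previous passwords, newest last


def _hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash so the history rule never needs old passwords in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember_password(profile: UserProfile, password: str) -> None:
    """Record a newly set password and trim the history to the last 10 entries."""
    salt = os.urandom(16)
    profile.history.append((salt, _hash(password, salt)))
    del profile.history[:-HISTORY_DEPTH]


def personal_tokens(profile: UserProfile) -> set:
    """Lower-cased fragments of name, username, email local part and extra terms to forbid."""
    tokens = set()
    local_part = profile.email.split("@")[0].lower()
    for value in (profile.name, profile.username, local_part, *profile.extra_terms):
        for piece in re.split(r"[^a-z0-9]+", value.lower()):
            if len(piece) >= MIN_TOKEN_LEN:
                tokens.add(piece)
    if len(local_part) >= MIN_TOKEN_LEN:
        tokens.add(local_part)                      # the whole local part, e.g. "ada.lovelace"
    return tokens


def check_password(password: str, profile: UserProfile) -> list:
    """Return the rules the candidate violates; an empty list means the password is accepted."""
    failures = []
    lowered = password.lower()
    # Default format requirements
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if re.search(r"(.)\1\1", password):             # three identical characters in a row
        failures.append("repeat")
    if not re.search(r"[a-z]", password):
        failures.append("lower")
    if not re.search(r"[A-Z]", password):
        failures.append("upper")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):   # assumption: any symbol counts
        failures.append("special")
    # Additional requirements
    if lowered in COMMON_PASSWORDS:
        failures.append("common")
    if any(token in lowered for token in personal_tokens(profile)):
        failures.append("personal")
    if any(_hash(password, salt) == digest for salt, digest in profile.history):
        failures.append("history")
    return failures


if __name__ == "__main__":
    # Constructed sample user; none of this data comes from the page.
    user = UserProfile(name="Ada Lovelace", username="alovelace", email="ada.lovelace@example.com")
    for candidate in ("Tr0ub4dor&3", "aaaBBB11!", "Lovelace#2024", "P@ssw0rd", "Ab1!"):
        print(f"{candidate!r}: {check_password(candidate, user) or 'accepted'}")
```

Returning the full list of violated rules, rather than stopping at the first, lets the UI tell the user everything that needs fixing in one round trip. The history is kept as salted PBKDF2 hashes so reuse can be detected without retaining old passwords in a recoverable form.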


Optional Organization-Level Security Settings

The following security options can be enabled and configured on a per-organization basis to align Kivo with your internal security and compliance requirements:

  1. Required password rotation
    Enforce a policy that requires users to change their password every XX days (the exact value is configurable per organization). Regular password rotation helps reduce the risk of compromised credentials being used over an extended period and supports many standard security and compliance frameworks.

  2. Multi-Factor Authentication (MFA)
    Add an additional layer of protection to user accounts by requiring a second factor at login. Even if a password is exposed, MFA significantly reduces the likelihood of unauthorized access.

    For setup details and supported methods, see Multi-Factor Authentication (MFA) with Kivo.

  3. Single Sign-On (SSO)
    Integrate Kivo with your organization’s identity provider so users can sign in using their existing corporate credentials. SSO centralizes authentication and simplifies user lifecycle management (provisioning, deprovisioning, and access reviews). Kivo supports the following SSO options:

    • SAML

    • OpenID

    • Google

    • Azure AD

    • ADFS

    • Active Directory / LDAP

    • Ping Federate


Session Protections

Kivo enforces session controls to reduce the risk of unauthorized access to active accounts:

  • App timeout: By default, sessions time out after 15 minutes of inactivity. This timeout is configurable per organization. Please reach out to [email protected] if you'd like to adjust your timeout.

  • Token expiration: Tokens expire after each session, requiring users to log in again to access Kivo on each visit.


Attack Protection Measures & Related Resources

Kivo includes built-in protections against common authentication-related attacks:

  • Suspicious IP detection: Kivo detects suspicious IPs and throttles login and password reset attempts.

  • Brute-force protection: Kivo detects brute-force attempts and locks accounts after 5 failed login attempts.
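To make the two protections above concrete, the Python below is an added example, not Kivo's own implementation: a `LoginGuard` that locks an account after 5 consecutive failed attempts, throttles a source IP that accumulates too many failures within a window, and writes an audit line for each outcome. The lockout duration, the per-IP window and threshold, and the log format are assumptions (the page states only the 5-attempt threshold); the credential checker and the `203.0.113.x` / `198.51.100.x` addresses in the demo are constructed sample input.

```python
"""Account lockout and per-IP throttling for login attempts (added example, not Kivo's code)."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # page: the account locks after 5 failed login attempts
LOCKOUT_SECONDS = 15 * 60    # assumption: the page does not state how long a lockout lasts
IP_WINDOW_SECONDS = 60       # assumption: sliding window for per-IP failure counting
IP_MAX_FAILURES = 20         # assumption: failures from one IP per window before throttling


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success or lockout
    locked_until: float = 0.0


class ManualClock:
    """Deterministic clock for demos and tests; production uses time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    def __init__(self, verify_credentials, clock=time.time):
        self._verify = verify_credentials            # callable(username, password) -> bool
        self._clock = clock
        self._accounts = defaultdict(AccountState)
        self._ip_failures = defaultdict(deque)       # source_ip -> timestamps of recent failures
        self.events = []                             # audit trail for detection and review

    def _log(self, now: float, outcome: str, username: str, ip: str) -> None:
        self.events.append(f"ts={now:.0f} outcome={outcome} user={username} ip={ip}")

    def _ip_throttled(self, ip: str, now: float) -> bool:
        recent = self._ip_failures[ip]
        while recent and recent[0] <= now - IP_WINDOW_SECONDS:
            recent.popleft()                         # forget failures outside the window
        return len(recent) >= IP_MAX_FAILURES

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        """Return 'ok', 'denied', 'locked' or 'throttled' and record the outcome."""
        now = self._clock()
        state = self._accounts[username]
        if self._ip_throttled(source_ip, now):
            self._log(now, "throttled", username, source_ip)
            return "throttled"
        if state.locked_until > now:
            # A locked account rejects even the right password, so the lockout
            # cannot be used to confirm a guess while it is in force.
            self._log(now, "locked", username, source_ip)
            return "locked"
        if self._verify(username, password):
            state.failures = 0
            self._log(now, "success", username, source_ip)
            return "ok"
        state.failures += 1
        self._ip_failures[source_ip].append(now)
        if state.failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            self._log(now, "lockout", username, source_ip)
            return "locked"
        self._log(now, "failure", username, source_ip)
        return "denied"


if __name__ == "__main__":
    # Constructed demo: one account, one correct password, a few wrong guesses.
    clock = ManualClock()
    guard = LoginGuard(lambda user, pw: pw == "Tr0ub4dor&3", clock=clock)
    for _ in range(5):
        print(guard.attempt("alovelace", "wrong-guess", "203.0.113.7"))
    print(guard.attempt("alovelace", "Tr0ub4dor&3", "203.0.113.7"))   # still locked
    print("\n".join(guard.events))
```

The per-account counter and the per-IP window are kept separate on purpose: the counter defends one account against many guesses, while the window catches one source spraying a few guesses across many accounts, which a per-account lockout alone would never trigger. Each outcome is logged with the source IP so the events can be forwarded to whatever monitors failed-login patterns.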


Kivo Security Framework

Kivo’s security and data protection practices are embedded within our ISO 9001–aligned Quality Management System (QMS). The QMS governs how we design, develop, operate, and support the Kivo platform, with specific focus on:

  • Maintaining a secure environment for customer documentation and processes.

  • Meeting applicable regulatory and statutory requirements (including 21 CFR Part 11 / EU Annex 11).

  • Aligning with industry best practices such as GAMP 5 and ISO 9001.

  • Supporting our SOC 2 Type 2 commitments around security, availability, processing integrity, confidentiality, and privacy.

Our leadership team and Quality Assurance (QA) Department share responsibility for implementing and continuously improving this framework, ensuring that information security and data protection remain a core part of how Kivo operates.


Customer Data Protection and Privacy Controls

Kivo is committed to protecting customer data throughout its lifecycle. Customer information is treated as critical data within our QMS and is protected by documented policies and procedures, including:

  • Information Security Program: Defined in our Information Security Policy, which requires that information assets are identified, recorded, and afforded appropriate protection at all times.

  • Data Privacy and Protections: Customer data used during professional services and support activities is handled according to our Data Privacy and Protections procedure, which governs how data is accessed, used, and retained.

  • Documented Quality Records: Validation records, logs, and related quality records are stored in controlled systems to prevent damage, deterioration, or loss, with access restricted to authorized personnel only.

These controls work in tandem with Kivo’s authentication, authorization, and logging capabilities to help customers meet their own internal and regulatory requirements for data protection and privacy.


Vendor Security and Business Continuity

Because Kivo relies on cloud infrastructure and other third-party services, vendor security and resilience are managed as part of our formal QMS.

  • Vendor Management and Qualification: All critical vendors are qualified, risk-assessed, and periodically re-evaluated under our Vendor Management and Qualification Program (SOP-QA-104). Only approved vendors are used for production services.

  • Risk Management: Security and quality risks associated with system changes, incidents, and deviations are evaluated using a documented Quality Risk Management process (SOP-QA-108), ensuring that mitigation activities are appropriate to the level of risk.

  • Business Continuity and Disaster Recovery (BCP/DR): Kivo maintains a formal Business Continuity and Disaster Recovery plan (POL-CO-104) focused on technology-related processes and critical business activities. The plan is tested periodically and reviewed at least annually, with oversight from QA.

Together, these controls help ensure that Kivo can continue to protect customer data and maintain service availability, even in the event of vendor issues or broader disruptions.


Related Resources

For more information about Kivo’s broader security posture and certifications, refer to:

