Security

Kuroco is built to be cloud-native and designed with security in mind.

API

• Fully encrypted HTTPS communication
• TLS certificate
• Custom domain settings
• Web Application Firewall (WAF)
• CDN
• DDoS protection
• Access control through fixed tokens, dynamic tokens, and/or cookies
• Flexible CORS configuration
• Strict permissions control via user group settings
• IP address access restrictions
• Access logs (audit logs)
• Application logs
• External login integration via SAML/OAuth

Management screen

• Fully encrypted HTTPS communication
• TLS certificate
• Web Application Firewall (WAF)
• DDoS protection
• Access restriction by ID & password
• Strict permissions control via user group settings
• IP address access restrictions
• Encrypted token storage function
• Access logs (audit logs)
• Application logs
• Configuration of two-factor authentication by SMS and authentication apps
• External login integration via SAML/OAuth

KurocoFront

• Fully encrypted HTTPS communication
• TLS certificate
• Custom domain settings
• CDN
• DDoS protection
• BASIC authorization
• IP address access restrictions
• Access logs

KurocoFiles

• Fully encrypted HTTPS communication
• TLS certificate
• CDN
• DDoS protection
• Strict permissions control via user group settings
• IP address access restrictions
• Access logs

※In addition to KurocoFiles, it is possible to restrict access to files based on user authentication using Google Cloud Storage and Amazon S3.

Data centre

You can choose which data centre to use when you start using the service.

• Google Cloud Platform Tokyo Region
• Google Cloud Platform EU Region
• Google Cloud Platform US Region

Managing company (Diverta Inc.)

• ISMS (ISO/IEC 27001:2022 / JIS Q 27001:2023) registration certificate
• ISMS Cloud (ISO/IEC27017:2015/JISQ27017:2016) registration certificate
• P-Mark registration certificate

Vulnerability assessment

• Vulnerability scan for containers at every container update (almost daily)
• Implementation of vulnerability assessment using VADDY (for the standard APIs of the respresentative site)
• Vulnerability diagnosis of customized API at customer sites through automatic integration with VADDY (*Automatic integration is available upon request via the management screen)
• Free customer support related to Kuroco-derived vulnerabilities identified in individual vulnerability assessments

Checklist

The following security checklist is available and can be provided for Kuroco services. If you wish to receive them, please contact us via our support team.

• "Security Implementation Checklist" supervised by Information-technology Promotion Agency, Japan (IPA)
• "SLA Guidelines for SaaS (Kuroco version)" published by the Ministry of Economy, Trade and Industry (METI).

Security Evaluation Platform

• We can also respond to investigations on the third-party security assessment platform "Assured".(A separate contract with Assured is required.)
  For detailed investigation requests, please contact "Assured".
  • Security Evaluation: 95.2 / 100 (Top 5%) *The security measures in place are top-class for a development-related service.
  • How is the security evaluation score calculated?.

Documents

• Documents on infrastructure
• SLAs (Japanese only)

Related FAQs

• What vulnerability diagnostic and assessment services do you provide?
• Can you send me the findings from your vulnerability assessment?
• My site was diagnosed with a security vulnerability. What should I do?
• Can you audit my security checklist? (for clients based in Japan)