Client Portal Security
Karbon takes our responsibility for our clients, and their clients’ data security seriously. The Karbon Client Portal is a Karbon platform feature that allows trusted advisors to engage with their clients and share information in a manner that is more secure than email.
This document outlines our security approach to Karbon’s Client Portal Magic Links and client login.
The Client Portal is protected by many of the same safeguards that protect access to the Karbon platform.
All client request messages are configured with transport layer security (TLS) encryption protocol (an advanced form of secure socket layer - SSL encryption) to encrypt client request messages and submitted client documentation or artifact during data transmission (i.e., data travel) activities over the internet.
This encryption transfers all messages and artifacts within the Client Portal over the internet in ciphertext, reducing the likelihood of your data being compromised during your client’s use of the Client Portal. Encrypting the Client Portal with TLS means that your client’s use of the Client Portal is secure and our client’s activities and data is encrypted and safely shared.
Magic Links, provide a convenient and secure method for a party to verify their Identity. When a client receives a Client Request from Karbon, it will include a unique Magic Link to access the request from the body of the email.
Magic Links can only be used once by a single device. A magic link can only be used a single time. Once it has been used, the device that received the email is considered a trusted device. Any attempt to reuse the link on any other device will be declined. If a client wants to access the portal on a second device they can request that a new link be generated and sent to them.
Magic Links expire after 30 day. Regardless of whether a link has been activated or not, its access to the portal will expire after 30 days of being generated. At this time the client will be prompted to generate a new link.
Magic Links are only valid for the lifetime of the work item. Once a work item associated with a magic link has been marked complete, the magic link is no longer available for use.
Magic Links are unguessable. Unlike a PIN, which could be guessed, a Magic Link cannot be guessed ahead of time.
Only one Magic Link can be valid at a time. If you resend a Client Request to a new email address the link in the initial request will immediately become unusable.
Magic Links cannot be used to download sensitive documents. Documents uploaded by clients via client requests are not able to be downloaded via Magic Links. Documents uploaded by clients are only accessible inside the Karbon platform.
Full Access via Login
If your clients require access to all open and completed requests (including comments and documents), they can log in to the Client Portal, which is a password-protected web application. This differs from a magic link, which only provides access to the request details for a specific work item.
The Client Portal requires that your client submit a username and password prior to gaining access to the portal. Submission of a username and password requires that the Client Portal validates the identity of the user prior to gaining access to all of the client requests sent to the client.
Only your clients can access your Client Portal. To access your portal, the email address needs to be associated with a contact in your Karbon account. Once logged in, your client will only see the client requests sent to the email address they logged in with.
Security Best Practice
Firms using the Karbon platform to send magic links and request items from their clients are responsible for securing 1. their use of the Karbon platform, and 2. their associated email provider utilized to communicate via Karbon.
The Karbon platform authenticates based on the credentials of the firm's email provider, selected during the Karbon account registration process; therefore, client requests and magic link communications are sent via an authenticated connection to the selected email provider.
We suggest that you keep the security of emails ‘top of your mind’ when using the Karbon platform and its features. As the vulnerability of your emails lives in your email provider, it is your responsibility to implement appropriate security safeguards at this level. Please ensure there is a process in place for your firm's email security. We’ve outlined some best practices for securing your emails:
Strong Complex Password Credentials - A strong password is one you can’t guess or crack using a brute force attack in a reasonable amount of time. They consist of a combination of uppercase and lowercase letters, numbers, and special symbols, such as punctuation. Enforcing these for all personnel can increase your security. The most secure way to protect your password is by using a password manager.
Multi-factor Authentication (MFA) - Adds an additional layer of security. This means that anyone trying to log in to your account requires two or more verification factors to gain access. Rather than just asking for a username and password, MFA requires one or more additional verification factors, such as an SMS code, which decreases the likelihood of a cyber attack.
Security Awareness Training - Firms are vulnerable because of one key factor: human error. 98% of Cyber Attacks in 2021 involved some form of social engineering, so it’s important that all personnel within your firm understand the basics of information security and asset protection.
We encourage you to deliver security awareness training on best practices for password protection, phishing attempts, and your firm’s practices for information security.
Karbon Platform Security
All information stored within the Karbon platform, including Client Request data, is encrypted in transit and at-rest using enterprise-grade highly scalable cloud servers and databases.
Karbon has implemented many additional security practices to safeguard data processed by the Karbon platform. These security practices are evaluated during periodic internal audit activities and external security audits, including the SOC 2 Type 2 examination. A copy of our general use SOC 3 report covering Security, Availability, Confidentiality, and Privacy service commitments for our Karbon web application can be requested here.
Karbon customers wanting a copy of our more comprehensive SOC 2 Type 2 report should contact our customer support team. If you have any additional questions about the security of the Karbon Client Portal, please contact our customer support team at firstname.lastname@example.org