Klikk Security Policy

The Klikk security policy is an intent to be compliant with standards, requirements, and recommendations from the following third parties:

PCI – Payment Card Industry standard
SANS – System Administration, Networking and Security institute
Norsis – Norsk senter for informasjonssikring
NSM – Nasjonal sikkerhetsmyndighet
IETF – Internet Engineering Task Force
RFC – Request For Comments
ITU – International Telecommunication Union
ISO – International Organization for Standardization

and general best practices.

Requirements for all

Security in systems and services must continuously be developed and maintained. Automated maintenance cannot be executed by any lower security zone.
All persons must have their own account. Shared password between persons are not allowed.
Passwords, any form of software token or PKI capable of giving superuser access to any other system or service are not to be permanently stored anywhere. Not even encrypted. Shared secrets for two-step token generation are allowed on employee devices in encrypted form, but only on non-jailbroken mobile devices (phone/tablet).
Only a few people as possible should have access.
Only employees can have permanent superuser access.
Communication between other security zones must be encrypted.
Any login allowing superuser access must as a minimum require 2-step authentication and auditing.
Single-Sign-On, SSO, is not allowed between different services. This means it is not permitted to login with two-step authentication on the first service, and then to another service without requiring re-authentication.
Test of security systems and procedures must be performed frequently.
All systems and services must be continuously monitored
Machine-machine authentication between different services that allow superuser access is not permitted. This includes monitoring and maintenance systems.
Direct communication to a third party network in a high security zone is not permitted and must go through a protected service in a lower zone.
VPN/proxy-services that allow access into a high security zone is not allowed unless every VPN user have its unique IP-address with a restrictive firewall in front.
The VPN-service must fulfill the same security requirements and security zone as the system or service it protects.

Requirements for applications

An application is not allowed to have access to processes of other services.
An application is not allowed to have access to files or data of other services.
An application is not allowed to have superuser access to the operating system or CPU ring 0,1 or 2.

Virtual servers and the hypervisor

No VM is allowed by the network switch to use other mac-addresses or IP-addresses than their own.
Only employees shall be granted superuser access, even temporarily.
It is not allowed to give the same VM access to different security zones except of dedicated firewall instances.
No VM is allowed on process level to have access to any other VM.

Physical network switches

The switch must require MAC-authentication towards the server port or be configured with a manuel MAC-filter.

Requirements for routers / firewalls

VMs and servers shall not be allowed to use TCP/IP ports that are not in use.

Requirements for storage systems

The storage system must be behind a closed network only accessible to the required applications. Management are only allowed for machines in the same security zone or higher.

Requirements for physical security

Equipment shall be locked and have a access control.
No third parties shall have physical access to the equipment.

Cookie Name	Agent	Purpose	Length
smuuid	Sales Manago	Sets a unique visitor ID	12 months
smclient	Sales Manago	Used to track interactions of known users	10 years

Cookie Name	Agent	Purpose	Length
_fw_crm_v	Freshchat	Used to track Visitor/User identity and chat sessions performed by the User	1 year

Cookie Name	Agent	Purpose	Length
zenMode	Matomo Analytics	Check if user has Zen Mode enabled	Session
MATOMO_SESSID	Matomo Analytics	Prevent CSRF security issues	Session
_pk_testcookie	Matomo Analytics	Check if the visitor has cookies enabled	Session
_pk_cvar	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
_pk_ref	Matomo Analytics	To store referrer-id for analytical purposes.	6 months
_pk_id	Matomo Analytics	Used to store details about the user such as the unique visitor ID.	13 months
_pk_ses	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
mtm_consent	Matomo Analytics	Enable Matomo Analytics Consent	Session

Cookie Name	Agent	Purpose	Length
bcookie	LinkedIn	Browser-ID cookie that uniquely identifies devices that access LinkedIn to detect abuse on the platform.	2 years
bscookie	LinkedIn	Used to save the state of 2FA for a logged in user	1 year
UserMatchHistory	LinkedIn	Synchronizing LinkedIn ad IDs	6 months
lidc	LinkedIn	To optimize data center selection	1 day

Cookie Name	Agent	Purpose	Length
_fbp	Facebook	To store and track visitors across websites for remarketing purposes.	3 months
c_user	Facebook	Cookie related to Facebook Pixel functionality	3 months
datr	Facebook	To analyse and prevent suspicious activity.	2 years
fr	Facebook	To improve relevance of ads.	3 months
presence	Facebook	Cookie related to Facebook Pixel functionality.	Session
sb	Facebook	Cookie related to Facebook Pixel functionality.	2 years
wd	Facebook	Cookie related to Facebook Pixel functionality.	1 week
xs	Facebook	Cookie related to Facebook Pixel functionality.	3 months

Cookie Name	Agent	Purpose	Length
CONSENT	Google	Store visitors preferences and personalization of ads.	Persistent
NID	Google	Store visitor preferences and personalization of ads on Google. Based on search and interaction.	6 months
OTZ	Google	Link website visiitors to other devices, previously logged in with Google. Tailored advertisment based on device.	1 month
SIDCC	Google	For security and fraud prevention purposes.	3 months
ANID	Google	List ads on Google Sites based of search.	Persistent
SAPISID	Google	Collection of visitor information for videos hosted by YouTube.	Persistent
SSID	Google	Collection of visitor information for videos hosted by YouTube with Google Maps.	Persistent
HSID	Google	For security and fraud prevention purposes.	2 years
APISID	Google	Personalization of ads based on recent searches and interactions.	2 years
SID	Google	For security and fraud prevention purposes.	2 years
__Secure-3PAPISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-3PSID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-APISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	8 months
__Secure-HSID	Google	To secure signed and encrypted data digitally signed with unique Google ID. Store most recent login, identify visitors, prevent fraudulent use. Provide targeting to display relevant and personalized ads.	8 months
__Secure-SSID	Google	Store information about how the user uses the website. Ads that might have been seen by the user before entering the site. Customize ads on Google domains.	8 months
1P_JAR	Google	Store recent searches, previous interactions, customization of ads.	1 week
SEARCH_SAMESITE	Google	Prevent risk of CSRF.	5 months
IDE	Google / DoubleClick	Report user interaction after clicking ads, measure efficiency, target ads.	1 year
RUL	Google / DoubleClick	Determine if website advertisment has been displayed properly.	1 year
DSID	Google	Used to identify a signed-in user on non-Google sites and to remember whether the user has agreed to ad personalization.	2 weeks
DV	Google	Used to save user preferences, preferred language, number of search results, check SafeSearch settings.	7 minutes

Cookie Name

Agent

Purpose

Length

CONSENT

Google

Store visitors preferences and personalization of ads.

Persistent

NID

Google

Store visitor preferences and personalization of ads on Google. Based on search and interaction.

6 months

OTZ

Google

Link website visiitors to other devices, previously logged in with Google. Tailored advertisment based on device.

1 month

SIDCC

Google

For security and fraud prevention purposes.

3 months

ANID

Google

List ads on Google Sites based of search.

Persistent

SAPISID

Google

Collection of visitor information for videos hosted by YouTube.

Persistent

SSID

Google

Collection of visitor information for videos hosted by YouTube with Google Maps.

Persistent

HSID

Google

For security and fraud prevention purposes.

2 years

APISID

Google

Personalization of ads based on recent searches and interactions.

2 years

SID

Google

For security and fraud prevention purposes.

2 years

__Secure-3PAPISID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

2 years

__Secure-3PSID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

2 years

__Secure-APISID

Google

Collect information to build a profile based on interest. Show relevant ads through retargeting.

8 months

__Secure-HSID

Google

To secure signed and encrypted data digitally signed with unique Google ID. Store most recent login, identify visitors, prevent fraudulent use. Provide targeting to display relevant and personalized ads.

8 months

__Secure-SSID

Google

Store information about how the user uses the website. Ads that might have been seen by the user before entering the site. Customize ads on Google domains.

8 months

1P_JAR

Google

Store recent searches, previous interactions, customization of ads.

1 week

SEARCH_SAMESITE

Google

Prevent risk of CSRF.

5 months

IDE

Google / DoubleClick

Report user interaction after clicking ads, measure efficiency, target ads.

1 year

RUL

Google / DoubleClick

Determine if website advertisment has been displayed properly.

1 year

DSID

Google

Used to identify a signed-in user on non-Google sites and to remember whether the user has agreed to ad personalization.

2 weeks

Google

Used to save user preferences, preferred language, number of search results, check SafeSearch settings.

7 minutes

Klikk Security Policy

We care about your privacy

Cookie preferences

Functional

Sales Manago

FreshChat

Statistical

Matomo Analytics

Marketing

LinkedIn

Facebook

Google Ads Remarketing