Security and Privacy at Keelvar

Your data security and privacy is important to us. We have dedicated security and privacy teams to ensure protection of your data is at the core of what we do.

Security & Privacy Program

Keelvar has a comprehensive security and privacy program based on ISO standards and is committed to continuing investment in these programs.

ISO/IEC 27001:2013

Keelvar is externally audited and certified to ISO/IEC 27001:2013 security standards for the development and delivery of our SaaS application.

Click
here
to view our certificate.

ISO/IEC 27701:2019

Additionally Keelvar is certified in ISO/IEC 27701:2019 for privacy information management. This ensures Keelvar adheres to best in class data protection and privacy management helping to comply with GDPR, CCPA, and other data protection legislation.

Click
here
to view our certificate.

GDPR

Keelvar complies with the GDPR and completes internal and external auditing on our privacy program. Our SaaS application Data Processing Agreement and Privacy Notice provide details on the minimal amount of personal data processed by our SaaS application and also broader transparency on processing including organizational and technical measures in place.

Infrastructure Security

Keelvar implements best practice security standards in a shared responsibility model with our Infrastructure as a Service partner Amazon AWS. Keelvar have deployed a defense in depth design in the Dubin, Ireland (eu-west-1) AWS data center ensuring data is secure from a user’s web browser all the way through processing and encrypted storage in our backend systems. AWS IaaS provides best in class infrastructure security composing hardware, software, networking, and facilities. The AWS compliance page lists the full list of security certifications their service complies with.

Network Security

Keelvar uses a combination of AWS Virtual Private Clouds (VPCs), VPC subnets, Network Access Control Lists (Network ACLs), AWS Security Groups, and AWS DB Subnet Groups to provide logical network level isolation. This defense in depth design ensures separation between  production and lower environments, and between the public internet and non-public infrastructure components. 

Storage Encryption

All data stored in Keelvar infrastructure is encrypted. Application server and database volumes are encrypted with AES-256 where keys are stored in line with industry best practice.

Application Security

Data Encryption

The Keelvar SaaS application supports modern web browsers and encrypts all data transferred between the web browser and the RESTful API exposed by our backend systems. Requests from a browser over the public internet are via HTTPS, encrypted using TLS 1.2 with a certificate signed by GoDaddy CA. 

Authentication

Default authentication for a registered user is completed using an email address and password with strong complexity requirements and ensuring that common or vulnerable passwords cannot be used. Passwords are securely stored using a PBKDF2 algorithm with a SHA256 hash. A time-based token is returned to the web client to authenticate subsequent API calls.

Multi-Factor Authentication

In addition to default authentication, TOTP based multi-factor authentication is available for user accounts using any standards based authenticator application such as Google authenticator. 

Single Sign On

Keelvar supports customer SSO integrations using SAML 2.0 or OpenID Connect. Keelvar can integrate with Active Directory if it is configured to expose a public identity provider such as via Azure Active Directory.

Role-based access control

Keelvar allows you to assign granular access to entities in Keelvar SaaS products with roles and permissions.

Vulnerability Management

Keelvar receives security alerts from multiple sources for triage and actioning, including GitHub Dependabot alerts if a software dependency has a vulnerability. Patches are deployed based on the severity and risk of vulnerability, including with immediate effect for critical issues.

Penetration Testing

In addition to our regular security reviews, Keelvar partners with trusted third-party security companies to perform annual penetration tests across our product ecosystem.

Backup and Disaster Recovery

Keelvar SaaS data is stored in high availability AWS services and backed up frequently. Databases run in a multiple availability zone configuration in our primary AWS datacenter. Point in time recovery is enabled and 30 days of nightly database snapshots are maintained. Data is synchronised to another datacenter to allow for failover should an issue arise with our primary datacenter.

Physical Security

Amazon AWS is a leading IaaS provider with best in class security controls. Under the shared responsibility model, Amazon ensures the physical security of their data centers and are certified to the highest of standards.

Intrusion Detection

Keelvar uses Amazon GuardDuty for intelligent threat detection and continuous monitoring of any suspicious activity in our production systems. Suspicious behavior is automatically alerted to our DevSecOps team for investigation.

Reliability

Monitoring

Keelvar has detailed monitoring and alerting for our application health and infrastructure. Our application API exposes a health check endpoint that performs verification of application critical systems down to the database level. The health check in addition to endpoints such as authentication are pinged every minute to ensure application health. AWS Cloudwatch alarms monitor server instance CPU, memory, disk space, and will alarm when specified thresholds are reached. Logs from application usage are securely stored for audit purposes. 

Where any checks fail or monitoring thresholds are breached, Keelvar’s Development Operations team is immediately notified for investigation, triage and potential resolution.

Uptime SLA

Keelvar has an uptime SLA of 99.95%. Service issues and uptime can be monitored on our status page.

Incident Management

Keelvar has documented incident management procedures to ensure Keelvar appropriately responds to any suspected or known vulnerability or data breach. Keelvar will notify impacted customers as early as the issue is identified and continue to update as the issue is investigated, assessed, remediated, and closed with a final incident report.

Software Development

Keelvar has a software development life cycle and secure coding policy that considers security during the change management process. Third party dependencies are security assessed and packages are retrieved from secure package managers. Code development occurs on a feature code branch and follows OWASP secure coding principles. A suite of automated security tests is run on each change request along with static code analysis. All code is manually reviewed before being approved for merging. A formal QA process is initiated in a segregated QA environment for each release candidate and only approved changes are deployed to production systems.

Support

Keelvar has a content rich support portal and a Training Academy to ensure all users get trained and have resources to answer questions they may have. Our Customer Success team is on hand to support customers and users.

Reach out to Keelvar Security & Privacy

Our security and privacy teams can be contacted at privacy@keelvar.com.