Your data security and privacy is important to us. We have dedicated security and privacy teams to ensure protection of your data is at the core of what we do.
Keelvar has a comprehensive security and privacy program based on ISO standards and is committed to continuing investment in these programs.
Keelvar is externally audited and certified to ISO/IEC 27001:2013 security standards for the development and delivery of our SaaS application.
Additionally Keelvar is certified in ISO/IEC 27701:2019 for privacy information management. This ensures Keelvar adheres to best in class data protection and privacy management helping to comply with GDPR, CCPA, and other data protection legislation.
Keelvar complies with the GDPR and completes internal and external auditing on our privacy program. Our SaaS application Data Processing Agreement and Privacy Notice provide details on the minimal amount of personal data processed by our SaaS application and also broader transparency on processing including organizational and technical measures in place.
Keelvar implements best practice security standards in a shared responsibility model with our Infrastructure as a Service partner Amazon AWS. Keelvar have deployed a defense in depth design in the Dubin, Ireland (eu-west-1) AWS data center ensuring data is secure from a user’s web browser all the way through processing and encrypted storage in our backend systems. AWS IaaS provides best in class infrastructure security composing hardware, software, networking, and facilities. The AWS compliance page lists the full list of security certifications their service complies with.
Keelvar uses a combination of AWS Virtual Private Clouds (VPCs), VPC subnets, Network Access Control Lists (Network ACLs), AWS Security Groups, and AWS DB Subnet Groups to provide logical network level isolation. This defense in depth design ensures separation between production and lower environments, and between the public internet and non-public infrastructure components.
All data stored in Keelvar infrastructure is encrypted. Application server and database volumes are encrypted with AES-256 where keys are stored in line with industry best practice.
The Keelvar SaaS application supports modern web browsers and encrypts all data transferred between the web browser and the RESTful API exposed by our backend systems. Requests from a browser over the public internet are via HTTPS, encrypted using TLS 1.2 with a certificate signed by GoDaddy CA.
Default authentication for a registered user is completed using an email address and password with strong complexity requirements and ensuring that common or vulnerable passwords cannot be used. Passwords are securely stored using a PBKDF2 algorithm with a SHA256 hash. A time-based token is returned to the web client to authenticate subsequent API calls.
In addition to default authentication, TOTP based multi-factor authentication is available for user accounts using any standards based authenticator application such as Google authenticator.
Keelvar supports customer SSO integrations using SAML 2.0 or OpenID Connect. Keelvar can integrate with Active Directory if it is configured to expose a public identity provider such as via Azure Active Directory.
Keelvar allows you to assign granular access to entities in Keelvar SaaS products with roles and permissions.
Keelvar receives security alerts from multiple sources for triage and actioning, including GitHub Dependabot alerts if a software dependency has a vulnerability. Patches are deployed based on the severity and risk of vulnerability, including with immediate effect for critical issues.
In addition to our regular security reviews, Keelvar partners with trusted third-party security companies to perform annual penetration tests across our product ecosystem.
Keelvar SaaS data is stored in high availability AWS services and backed up frequently. Databases run in a multiple availability zone configuration in our primary AWS datacenter. Point in time recovery is enabled and 30 days of nightly database snapshots are maintained. Data is synchronised to another datacenter to allow for failover should an issue arise with our primary datacenter.
Amazon AWS is a leading IaaS provider with best in class security controls. Under the shared responsibility model, Amazon ensures the physical security of their data centers and are certified to the highest of standards.
Keelvar uses Amazon GuardDuty for intelligent threat detection and continuous monitoring of any suspicious activity in our production systems. Suspicious behavior is automatically alerted to our DevSecOps team for investigation.
Keelvar has detailed monitoring and alerting for our application health and infrastructure. Our application API exposes a health check endpoint that performs verification of application critical systems down to the database level. The health check in addition to endpoints such as authentication are pinged every minute to ensure application health. AWS Cloudwatch alarms monitor server instance CPU, memory, disk space, and will alarm when specified thresholds are reached. Logs from application usage are securely stored for audit purposes.
Where any checks fail or monitoring thresholds are breached, Keelvar’s Development Operations team is immediately notified for investigation, triage and potential resolution.
Keelvar has an uptime SLA of 99.95%. Service issues and uptime can be monitored on our status page.
Keelvar has documented incident management procedures to ensure Keelvar appropriately responds to any suspected or known vulnerability or data breach. Keelvar will notify impacted customers as early as the issue is identified and continue to update as the issue is investigated, assessed, remediated, and closed with a final incident report.
Keelvar has a software development life cycle and secure coding policy that considers security during the change management process. Third party dependencies are security assessed and packages are retrieved from secure package managers. Code development occurs on a feature code branch and follows OWASP secure coding principles. A suite of automated security tests is run on each change request along with static code analysis. All code is manually reviewed before being approved for merging. A formal QA process is initiated in a segregated QA environment for each release candidate and only approved changes are deployed to production systems.
Keelvar has a content rich support portal and a Training Academy to ensure all users get trained and have resources to answer questions they may have. Our Customer Success team is on hand to support customers and users.