Your data security and privacy are important to us. We have dedicated security and privacy teams to ensure that protection of your data is at the core of what we do.
Keelvar is externally audited and certified to ISO/IEC 27001:2022 security standard including controls from ISO/IEC 27002:2022. Keelvar’s Information Security Management System includes the scope of the development and delivery of Keelvar’s SaaS sourcing products.
Click here to view our ISO/IEC 27001:2022 certificate.
Additionally, Keelvar is certified to ISO/IEC 27701:2019 for privacy information management. This ensures Keelvar adheres to best-in-class data protection and privacy management, helping to comply with GDPR, CCPA, and other data protection legislation.
Click here to view our ISO/IEC 27701:2019 certificate.
Keelvar has an ISO/IEC 27701:2019 certified privacy management system in place, with controls ensuring that in-scope data protection legislation, including GDPR and CCPA, is adhered to. Our SaaS application Data Processing Agreement and Privacy Notice provide details on the minimal amount of personal data processed by our SaaS application, and also broader transparency on processing, including the organizational and technical measures in place.
Keelvar develops and hosts a multi-tenant eSourcing SaaS web application based on optimization technology. Keelvar supports modern web browsers hosting a JavaScript/HTML client communicating with a RESTful API backend built using a secure web framework. Keelvar uses HTTPS with TLS 1.2 (or above) to encrypt all data transferred between the web browser and the RESTful API. The application can be used standalone or can be integrated with other systems using a documented API.
Default authentication for a registered user is completed using an email address and password with strong complexity requirements and ensuring that common or vulnerable passwords cannot be used. Passwords are securely stored using a PBKDF2 algorithm with a SHA256 hash. A time-based token is returned to the web client to authenticate subsequent API calls.
In addition to default authentication, TOTP-based multi-factor authentication is available for user accounts using any standards-based authenticator application, such as Google Authenticator.
Keelvar supports customer SSO integrations using SAML 2.0 or OpenID Connect. Keelvar can integrate with Active Directory if it is configured to expose a public identity provider, such as via Azure Entra ID.
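The two account-level controls described above (PBKDF2 with SHA-256 for password storage, and TOTP for the second factor) are standard constructions, so as an added illustration, not Keelvar's own code, the following shows both in working form. It assumes an iteration count of 600,000, a short constructed denylist standing in for a real common-password list, a self-describing storage record format, and the RFC 6238 test secret for the TOTP check; all of these are assumptions and not taken from the page.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional

# --- Password storage: PBKDF2-HMAC-SHA256 with a per-user random salt ---

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune so one hash takes ~100 ms on your hardware
SALT_BYTES = 16
MIN_LENGTH = 8  # assumed minimum; a real policy would be stricter

# Constructed denylist standing in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def is_acceptable_password(password: str) -> bool:
    """Reject short passwords and anything on the common-password denylist."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count beside the hash lets the work factor
    be raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


# --- TOTP (RFC 6238): HMAC-SHA1 over the 30-second time step, 6 digits ---

TOTP_STEP = 30
TOTP_DIGITS = 6


def new_totp_secret() -> bytes:
    """Generate a fresh 160-bit shared secret for enrolling an authenticator app."""
    return secrets.token_bytes(20)


def totp_code(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """Compute the HOTP dynamic truncation over the current time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock skew."""
    if unix_time is None:
        unix_time = int(time.time())
    for delta in range(-window, window + 1):
        candidate = totp_code(secret, unix_time + delta * TOTP_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    # RFC 6238 test secret (ASCII "12345678901234567890"); real enrolment uses new_totp_secret()
    print(totp_code(b"12345678901234567890", 59))
```

Two details matter in practice: the verifier compares digests with `hmac.compare_digest` rather than `==` so timing does not leak how many bytes matched, and a production deployment should also record the last accepted TOTP counter per user so a code cannot be replayed inside the skew window.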
Keelvar allows you to assign granular access to entities in Keelvar SaaS products with roles and permissions.
Keelvar implements best practice security standards in a shared responsibility model with our Infrastructure as a Service partner, Amazon AWS. Keelvar has deployed a defense-in-depth design in the Dublin, Ireland (eu-west-1) AWS data center, ensuring data is safe from a user’s web browser all the way through processing and encrypted storage in our backend systems. Amazon AWS IaaS provides best-in-class infrastructure security compliance, including ISO 27001, SOC 1, and SOC 2, with up-to-date information accessible on their compliance programs web page.
Amazon AWS is a leading IaaS provider with best-in-class security controls. Under the shared responsibility model, Amazon ensures the physical security of its data centers and is certified to the highest of standards.
Keelvar uses a combination of AWS Virtual Private Clouds (VPCs), VPC subnets, Network Access Control Lists (Network ACLs), AWS Security Groups, and AWS DB Subnet Groups to provide a defense in depth design for logical network level isolation between production and lower environments, and between the public internet and non-public infrastructure components.
All data in transit and at rest is encrypted in our infrastructure. Requests from a browser over the public internet are via HTTPS, encrypted using TLS 1.2 (or above). Traffic is decrypted at our load balancer before being re-encrypted for communication to application servers and other infrastructure components. Application server and database volumes are encrypted with AES-256, with keys stored in FIPS 140-2 compliant hardware security modules.
Keelvar has deployed a threat detection system with continuous monitoring, anomaly detection, and notification of suspicious activity in our production systems. Suspicious behavior is automatically alerted to our DevSecOps team for investigation.
Keelvar maintains business continuity and disaster recovery plans focusing both on preventing outages through redundancy of telecommunications, systems, and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Keelvar SaaS data is stored in high availability AWS services and backed up frequently. Databases run in a multiple availability zone configuration in our primary Amazon AWS datacenter. Point-in-time recovery is enabled and nightly database snapshots are maintained. Data is synchronized to a separate disaster recovery data center to allow for failover should an issue arise with our primary datacenter. Keelvar tests disaster recovery of our SaaS application and verifies the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in test failovers to a separate disaster recovery data center.
Keelvar has detailed monitoring and alerting for our application health and infrastructure. Our application API exposes a health check endpoint that performs verification of application critical systems down to the database level. The health check, along with endpoints such as authentication, is pinged every minute to ensure application health. Infrastructure system monitoring alarms on specified thresholds such as server CPU, memory, disk space, and network throughput. Where checks fail or monitoring thresholds are breached, Keelvar’s operations support team is notified for investigation, triage, and resolution if required.
Keelvar has detailed infrastructure and application logs allowing querying, investigations, and notifications on security log events. Logs from application usage are securely stored for audit purposes.
Keelvar has implemented controls to support data loss prevention and enabled DLP controls in systems with supporting functionality. These include identification and classification of sensitive data, data encryption, deny by default configuration, secure systems design based on least privilege, patch management, reporting, and anomaly detection to name a few.
Keelvar has a software development life cycle and secure coding policy that considers security during the change management process. Third party dependencies are security assessed and packages are retrieved from secure package managers. Code development occurs on a feature code branch and follows OWASP secure coding principles. A suite of automated security tests is run on each change request along with static code analysis. Code changes are manually reviewed before being approved for merging. Keelvar has a comprehensive suite of automation tests that verify a wide range of security and product functionality. These tests include verifying controls for the logical separation of tenant data are working and enforced.
In addition to code review, approval, and automated tests, Keelvar has a QA process completed in a segregated QA environment operating on test data. As appropriate to the change, functional, regression, performance, and security testing takes place. Once the quality assurance team has verified the quality of the release, it is approved for release deployment.
Keelvar has a vulnerability management program in place with security alerts from multiple sources triaged and actioned based on assessed priority. This includes GitHub Dependabot alerts for software dependencies with a reported vulnerability. Patches are deployed based on the vulnerability severity and risk, including with immediate effect for critical issues. Automation is used where possible.
Keelvar has documented incident management procedures to ensure Keelvar responds appropriately to any suspected or known vulnerabilities or data breach. Keelvar will notify impacted customers as soon as the issue is identified and continue to provide updates as the issue is investigated, assessed, remediated, and closed with final post mortem reporting. This includes notifications in line with legal requirements such as those defined under GDPR.
Keelvar staff are granted system access and training specific to their roles and responsibilities within the organization. Access to confidential or personal data is based on the principle of least privilege. Keelvar implements joiner/mover/leaver procedures in conjunction with security audits. Keelvar mandates the use of strong and unique passwords per service. Keelvar provides all employees access to secure password management software to enable strong password use. Two-factor authentication is enabled on all supporting services.
Keelvar is assessed at least annually by external independent auditors in line with ISO/IEC 27001:2022 and ISO/IEC 27701:2019 standards including ISO/IEC 27002:2022 annex controls.
Keelvar has an internal audit and risk management program in compliance with ISO security and privacy standards.
Keelvar partners with an independent third-party security company to perform annual web application penetration testing following OWASP testing guidelines.
Keelvar supports customer security and privacy audits and can provide a security pack of relevant information and reports to support assessments.
Keelvar has strong controls surrounding the capturing, storage, and life cycle of personal data and operates in line with GDPR. These include encryption of data in transit and at rest, data classification, and disposal procedures. Keelvar captures minimal personal data in our web application as identified in our application Privacy Notice. In the context of Keelvar’s SaaS product Keelvar is the data processor, and the customer, as the data controller, keeps ownership of their data. Keelvar works to ensure export compliance with non-EU sub-processors using Standard Contractual Clauses or Binding Corporate Rules.
Keelvar has a content-rich support portal explaining product functionality and an interactive learning academy to ensure users have access to training and resources to support their product usage. Our Customer Success team is on hand to support users who submit tickets to our monitored support channel.
Keelvar’s application status can be viewed online with support for email notifications on status updates.
Our security, privacy, and AI teams can be contacted for any questions, transparency documentation, or incident reporting at the privacy@keelvar.com email address.