Keyplay Security & Data Privacy
We prioritize security and privacy with a company-wide program. This page provides an overview of our security policies & practices. For any security inquiries, please email security@keyplay.io.
Our Commitment
At Keyplay, commitment to security is one of our core values. We understand that our service is only as strong as the security and trust we build with you, our customers. That's why we're committed to leading the industry in security practices, ensuring that your data is protected with the most advanced technologies and policies available.
Security Objectives
Our approach to security is designed around three key objectives:
- Confidentiality: Ensuring that your information is accessible only to authorized individuals.
- Integrity: Protecting your data from unauthorized changes to preserve its accuracy and reliability.
- Availability: Making sure that the services you rely on are available when you need them.
Application Security
Security isn't just a feature; it's an integral part of our software development lifecycle. Here's how we protect your data:
- HTTPS Everywhere: All data sent to and from our app is encrypted in transit using HTTPS, so your information stays secure.
- Secure SDLC: From automated static code analysis to human code reviews and a defined issue resolution process, we've built security into every step of our development lifecycle.
- Continuous Deployment: We deploy updates continuously. This means that security improvements and bug fixes are implemented swiftly, keeping our service safe and your experience smooth.
- Rapid Patching: Our development process is designed for agility, allowing us to prioritize and patch vulnerabilities immediately, ensuring that our defenses are always up to date.
- OAuth Protocols & SSO Support: We leverage industry-standard OAuth protocols to enable secure, token-based authentication, supporting SSO for a streamlined user access experience. This approach ensures that user identities are managed safely, with robust authentication mechanisms underpinning our application's security.
Data Privacy and Protection
- No PII Processing: We focus solely on company-level data (account records), avoiding the processing of any Personally Identifiable Information (PII) or contact-level data.
- CRM Integration Security: We request only the minimal necessary permission scopes for our CRM integrations, maintaining a strong security posture while providing seamless service.
- Robust Data Backups: Your data is regularly backed up across multiple snapshots, ensuring that it's recoverable in the event of an incident.
Data Transfer and Storage
- All customer data is stored securely in Google Cloud Platform (GCP) in the United States.
- Data is stored encrypted at rest using the AES-256 encryption cipher, considered one of the strongest available technologies for safeguarding information.
- All data within our system is encrypted in transit using TLS 1.3 (a strong protocol), ECDHE (a strong key exchange), and AES_128_GCM (a strong cipher). Our certificates are managed and issued by Google, ensuring high trust and reliability.
- All data synchronized with 3rd-party systems is encrypted in transit using TLS, leveraging certificates owned by our partners. This approach ensures that data remains secure and private, even when integrated with external services.
- Backup media are encrypted using the same AES-256 encryption cipher as live data at rest. Additionally, measures are in place to secure these backups during transfer, mirroring the protection offered to live data.
- No Removable Storage: Removable storage is never used, which prevents data leakage and ensures that all data remains within our secure, controlled environments.
Infrastructure Security
Hosted on the Google Cloud Platform (GCP) in the US-West region, our infrastructure benefits from:
- State-of-the-Art GCP Security: Leveraging GCP means we inherit a secure, well-managed infrastructure without the overhead of maintaining physical servers, routers, or DNS servers.
- Geographic Specificity: Hosting in the US-West region allows us to comply with local regulations and principles of data sovereignty.
- Compliance with Highest Standards: GCP data centers feature layered security including electronic access cards, alarms, and biometrics, and are ISO 27001, SOC 2 Type II, and SOC 3 certified. GCP also meets ISO 27017 for cloud security and ISO 27701 for privacy management standards. Redundancy is integrated into power, network, and cooling systems to ensure high availability and resilience.
Access Control and Monitoring
To further protect your data:
- Privileged Access: We strictly limit access to our databases and other sensitive systems to authorized users who have a legitimate business need.
- Continuous Monitoring: Our team uses industry-recognized solutions to monitor software and application behavior, ensuring any anomalies are quickly identified and addressed.
Compliance and Best Practices
Keyplay actively upholds industry-standard internal policies and practices to ensure our systems are secure and available.
- Executive Leadership: Our CTO is directly responsible for our security program and governance process, employee training, and customer transparency.
- Security Training: Security is a frequent topic in our product planning process and all employees participate in annual company security training. Outside of our established review cadence, we have ongoing assessment and iteration to meet the changing needs of our customers.
- Business Continuity Plan (BCP) and Disaster Recovery: We maintain documented plans, accessible to all employees, to ensure business continuity.
Additional Information
We're not just committed to providing a secure platform; we're committed to being your partner in security. If you have any questions about our practices or how we protect your data, we encourage you to get in touch with us at security@keyplay.io.