Keypup Security

Version 1.0 – Updated 5th December 2019

We understand that security is critical, and we follow best practices and strict procedures to keep our systems, and your data, safe. We perform regular penetration testing and audits of Keypup and its infrastructure.

A. Source code protection

All access to source code repository APIs is performed using encrypted TLS connections.

A1. Source code protection on Keypup

Keypup does not fetch or persist source code files. Keypup only accesses metadata such as pull requests, issues, milestones, etc.

Keypup only ingests metadata and metrics associated with repositories and projects that have been added within the administrative user interface. For each repository, we extract issues, pull requests, reviews, milestones and comments.

A2. Employee access to Customer Data

No Keypup staff will access private customer data unless expressly authorized by the user. In cases where staff must access your private data in order to perform support, we will get your explicit consent each time, except when responding to a security issue or suspected abuse.

When working on a support issue we do our best to respect your privacy as much as possible, and we only access the minimum data needed to resolve your issue. Staff do not have direct access to clone your repository.

B. Product Security

B1. Single Sign On (SSO)

Our products support single sign-on (SSO) through the connected repository providers (e.g. GitHub) for authentication. It is the only way for users to access the Keypup platform.

B2. Permissions

Our products provide role-based access control for authorization, allowing you to control who can access application settings, user management, features, etc.

In the case of GitHub repositories, the repo and public_repo OAuth scopes grant read and write access to code. Keypup will never write code to your repositories, but these scopes are currently the narrowest that GitHub's OAuth scopes offer for our use case (there is no read-only repository scope such as a hypothetical repo:read). You can review the scopes granted to Keypup at any time under your GitHub account's authorized OAuth applications settings, and revoke them there.

B3. Credential storage

Keypup stores all API tokens in its database using record-level encryption. The encryption algorithm is AES-256-GCM with a distinct initialization vector (nonce) for each record, so two records holding the same token produce different ciphertexts.

All components storing API tokens are backend components and are not exposed to users directly.

B4. Uptime

Our systems have uptime of 99% or higher, and we proactively advise users of any production incident that could adversely affect them.

C. Network and application security

C1. Data hosting and storage

Keypup hosts its infrastructure and data in Google Cloud Platform (GCP), which is ISO 27001 and SOC 2 compliant.

All data stored by Keypup on GCP is encrypted at rest. All internal communications between components are encrypted in transit via TLS.

We follow GCP's best practices, which lets us take advantage of its secure, distributed, fault-tolerant environment. To find out more about GCP's security practices, see: https://cloud.google.com/security/

C2. Failover and disaster recovery

Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across at least two GCP availability zones, and systems will continue to work should any one of these zones fail.

All datastores have at least one live read replica.

C3. Virtual private cloud

All of our servers are within our own virtual private cloud (VPC) on GCP, with network access controls that prevent unauthorized connections to internal resources.

C4. Backups and monitoring

Keypup uses GCP's built-in capability to back up all datastores every day.

At the application level, we produce audit logs for all activity and forward them to centralized storage for analysis via GCP Stackdriver. Logs are retained for 30 days for investigation purposes.

C5. Permissions and authentication

Access to customer data is limited to authorized employees who require it for their job. All access to the Keypup websites is restricted to HTTPS encrypted connections.

Keypup enforces strong password policies and two-factor authentication (2FA) on repository hosting and Google accounts so that access to cloud services is protected.

C6. Encryption

All servers and disks are encrypted using AES-256. This is managed by GCP.

As described in B3, Keypup stores all API tokens in its database using record-level encryption with AES-256-GCM and a distinct initialization vector (nonce) per record. GCM's confidentiality and integrity guarantees depend on never reusing a nonce under the same key, which is why each record gets its own.

All data sent to or from Keypup systems is encrypted in transit using TLS 1.2.

Digests and hashes are generated using SHA-256 or bcrypt, depending on the use (bcrypt where a slow, salted password-style hash is needed).
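The following Go program is an added illustration of the record-level token encryption described in B3 and in this section; it is not Keypup's code, and the row layout, the function names and the choice to bind the record ID as additional authenticated data are assumptions made for the example. It shows why the per-record nonce matters, that a tampered ciphertext or one moved to another record is rejected rather than decrypted to garbage, and uses SHA-256 for a token fingerprint that can be indexed without storing the token itself:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedToken is the shape of one persisted row (assumed layout): the
// record identifier, the nonce used for this row only, and the GCM ciphertext
// with its 16-byte authentication tag appended. The key is never stored
// alongside the rows.
type EncryptedToken struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 32 bytes,
// because aes.NewCipher would silently accept 16- or 24-byte keys (AES-128/192).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts one API token. A fresh random 96-bit nonce is drawn for
// every record: under GCM a repeated (key, nonce) pair leaks the XOR of the
// two plaintexts and compromises the authentication tag, so a nonce must never
// be reused under the same key. The record ID is bound as additional
// authenticated data (AAD) so a ciphertext copied to another row will not open.
func SealToken(key []byte, id string, token []byte) (*EncryptedToken, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, token, []byte(id))
	return &EncryptedToken{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenToken decrypts a row and verifies its tag and AAD; any change to the
// nonce, ciphertext, tag or record ID yields an error, never garbage plaintext.
func OpenToken(key []byte, rec *EncryptedToken) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

// TokenFingerprint returns the SHA-256 hex digest of a token. A digest like
// this can be indexed or logged to recognise a token again without storing
// or printing the token itself.
func TokenFingerprint(token []byte) string {
	sum := sha256.Sum256(token)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed demo key: in production it comes from a KMS or secret
	// store, never from source code.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	token := []byte("example-api-token-not-real") // constructed sample value

	rec, err := SealToken(key, "integration-42", token)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce=%x ct=%x\n", rec.Nonce, rec.Ciphertext)
	fmt.Println("fingerprint:", TokenFingerprint(token))

	// The round trip succeeds...
	pt, err := OpenToken(key, rec)
	fmt.Printf("open: %q err=%v\n", pt, err)

	// ...but the same ciphertext moved to another record ID fails the AAD check.
	moved := *rec
	moved.ID = "integration-43"
	_, err = OpenToken(key, &moved)
	fmt.Println("moved row opens:", err == nil)
}
```

Sealing the same token twice yields two different nonces and ciphertexts, which is the property the per-record IV in the text buys; binding the row ID as AAD is an extra step beyond what the page states, added here because it stops an attacker with database write access from swapping one customer's encrypted token into another customer's row.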

C7. Pentests and vulnerability scanning

Keypup continuously scans for vulnerabilities. We regularly perform thorough penetration tests on our application and infrastructure.

C8. Incident response

Keypup implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies.

D. Additional security information

D1. Training

All Keypup employees complete security awareness training annually.

D2. Policies

Keypup has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

D3. Employee vetting

Keypup performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

D4. Confidentiality

All employee contracts include a confidentiality agreement.

D5. Headquarters security

Keypup headquarters require badge access at all hours. Visitors are required to sign in and be escorted at all times.

E. Reporting an issue

Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you've discovered a security concern, please email us at security@keypup.io. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to promptly address any issues that arise.

Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated, and we won't take legal action against you if you act accordingly.

Thank you