Keeper is fanatical about security. Keeper is the most secure, certified, tested and audited password security solution and privileged access management platform in the world. Keeper has the longest-standing SOC 2 and ISO certifications in the industry. Keeper is ISO 27001, 27017 and 27018 certified. Keeper is GDPR compliant, CCPA compliant, HIPAA compliant, FedRAMP and GovRAMP Authorized, PCI DSS certified and certified by TrustArc for privacy.
Keeper's software development teams consist of full-time employees located in the US.

Keeper does not store passwords, credentials or secrets such as access keys in its source code. We regularly scan source code for this information. Keeper's source code, while privately held in Github Enterprise, does not provide the information required to access a user's vault, as encryption of data occurs at the device level. Much of this code is published in our public Github repository as part of Keeper's Commander and Secrets Manager products.

Keeper does not embed third-party MFA provider code into our apps. Keeper's vendors have not been subject to any breaches involving Keeper. Keeper does not provide any third parties with management or access to our AWS data centers. All management is performed by full-time employees of Keeper Security who are US citizens, located in the US.

Certifications and attestations: ISO 27001, 27017 and 27018; SOC 2; FedRAMP; GovRAMP; HIPAA; GDPR; PCI DSS Level 1; TRUSTe; FIPS 140-3.

FIPS 140-3 Validated
Keeper utilizes FIPS 140-3 validated encryption modules to address rigorous government and public sector security requirements. Keeper's encryption has been certified by the NIST Cryptographic Module Validation Program (CMVP) and validated to the FIPS 140 standard by accredited third-party laboratories.
Keeper uses FIPS 140-3 validated encryption that has been issued certificate #4743 under the NIST CMVP.
ITAR Compliant
Keeper Security Government Cloud (KSGC) supports compliance with the United States International Traffic in Arms Regulations (ITAR). Companies that are subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. Citizens and by restricting the physical location of protected data to the U.S.
KSGC's FedRAMP Moderate environment supports ITAR requirements through the following:
Fully compliant data storage is hosted on AWS GovCloud and restricted to the US. KSGC provides secure data encryption in transit and at rest.
Zero-knowledge and zero-trust security, in conjunction with granular permissions, allows organizations to ensure that only approved personnel can access sensitive data. Robust compliance reporting features provide a traceable, electronic audit trail of all actions performed and data entered.
The sequestered customer success team is composed of US Citizens specifically trained in the safe handling of export-controlled and ITAR-governed data, with no non-US-based support.
The Keeper FedRAMP environment has been audited by an independent third-party assessment organization (3PAO) to validate that proper controls are in place to support customer export compliance programs, and it continues to be audited annually as required to maintain compliance.
More information about ITAR.
FedRAMP Authorized
KSGC is Keeper Security's password management and cybersecurity platform for public sector organizations. KSGC is a FedRAMP Authorized provider at the Moderate Impact Level, hosted in AWS GovCloud (US). KSGC can be found on the FedRAMP Marketplace.
The Federal Risk and Authorization Management Program (FedRAMP) is a US federal government program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP seeks to accelerate the adoption of modern cloud-based solutions by government agencies, with an emphasis on security and the protection of federal information. Learn more about FedRAMP.
GovRAMP Authorized
GovRAMP was developed about a decade after FedRAMP, with the goal of encouraging the adoption of secure cloud-based solutions at state and local government levels. Achieving GovRAMP Authorization is normally a two-year process that was streamlined through a reciprocity program thanks to Keeper's FedRAMP Authorization.
SOC 2 Compliant
Customer vault records are protected using stringent and tightly monitored internal control practices. Keeper has been certified as SOC 2 Type 2 compliant for over ten years in accordance with the AICPA Service Organization Control framework. SOC 2 compliance helps ensure user vaults are kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.
ISO Certifications
Keeper is ISO 27001, 27017 and 27018 certified, covering the Keeper Security Information Management System and Cloud Infrastructure, which supports the Keeper Enterprise Platform. Keeper's ISO certifications include the management and operation of the digital vault and cloud services, cloud security controls, data privacy controls, software and application development and protection of digital assets for both the digital vault and cloud services.
FDA 21 CFR Part 11 Compliant
Keeper is compliant with 21 CFR Part 11, which applies to scientists working in highly regulated environments, including researchers who conduct clinical trials. This regulation specifies FDA criteria under which electronic records and signatures are considered to be trustworthy, reliable and equivalent to paper records with handwritten signatures. Specifically, scientists must ensure that all software they use complies with 21 CFR Part 11 rules regarding:
Security controls for user identification
Keeper complies with 21 CFR Part 11 requirements for security features that limit user access and their privileges, including ensuring that all users have unique usernames and passwords, the ability to detect and prevent unauthorized system access and the ability to lock compromised accounts.
Detailed audit trail
During FDA inspections, regulators require researchers to provide an audit trail detailing a chronological record of all operations. Keeper's compliance reporting features allow researchers to easily produce traceable electronic audit trails.
Electronic Signatures
When a document requires a legally binding electronic signature, 21 CFR Part 11 requires that the signature be attached to a unique login and password or biometric identification. Keeper supports this requirement by enabling researchers to ensure that all users have unique usernames and passwords, securely stored in a digital vault that only the user can access.
More information on 21 CFR Part 11 is located here.
Protection of patient medical data
Keeper software is compliant with global medical data protection standards covering, without limitation, HIPAA (Health Insurance Portability and Accountability Act) and DPA (Data Protection Act).
HIPAA Compliance and Business Associate Agreements
Keeper is a SOC 2-certified and ISO 27001-certified zero-knowledge security platform that is HIPAA compliant. Strict adherence and controls covering privacy, confidentiality, integrity and availability are maintained. With this security architecture, Keeper cannot decrypt, view or access any information, including ePHI, stored in a user's Keeper Vault. For the foregoing reasons, Keeper is not a Business Associate as defined in the Health Insurance Portability and Accountability Act (HIPAA), and therefore, is not subject to a Business Associate Agreement.
To learn more about the additional benefits for healthcare providers and health insurance companies, please read this entire Security Disclosure and visit our Enterprise Guide.
FSQS-NL Certified
Keeper Security EMEA Limited is certified under the Hellios Financial Services Qualification System-Netherlands (FSQS-NL), which recognizes the highest standards in security, quality and innovation in the Netherlands. This standard demonstrates compliance with the Financial Conduct Authority and the Prudential Regulation Authority to ensure the trustworthiness of Keeper Enterprise software for large banks and financial institutions.
U.S. Department of Commerce Export Licensed Under EAR
Keeper is certified by the U.S. Department of Commerce Bureau of Industry and Security under Export Commodity Classification Control Number 5D992, in compliance with Export Administration Regulations (EAR). For more information about EAR: https://www.bis.doc.gov
24x7 remote monitoring
Keeper is monitored 24x7x365 by full-time DevOps staff and a global third-party monitoring network to ensure that our website and Cloud Security Vault are available worldwide.
If you have any questions regarding this security disclosure, please contact us.
Phishing or spoofed emails
If you receive an email purporting to be sent from Keeper Security and you are unsure if it is legitimate, it may be a "phishing email" where the sender's email address is forged or "spoofed". In that case, the email may contain links to a website that looks like KeeperSecurity.com but is not our site. The website may ask you for your Keeper Security master password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other emails contain links that may redirect you to other potentially dangerous websites. The message may also include attachments, which typically contain unwanted software called "malware." If you are unsure about an email received in your inbox, you should delete it without clicking any links or opening any attachments.
If you wish to report an email purporting to be from Keeper that you believe is a forgery, or you have other security concerns involving other matters, please contact us.
Hosting infrastructure certified to the strictest industry standards
The Keeper website and cloud storage run on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts Keeper's system architecture has been certified to meet the following third-party attestations, reports and certifications:
SOC 2; PCI DSS Level 1; FIPS 140-3; ISO 27001, 27017 and 27018; FedRAMP; GovRAMP