Security Policy
We understand that security is critical, and we follow best practices and strict procedures to keep our systems, and your data, safe. We perform regular penetration testing and audits of Keypup and its infrastructure.
A. Source code protection
All access to source code repository APIs is performed using encrypted TLS connections.
Keypup neither fetches nor persists source code files. Keypup only accesses metadata such as pull requests, issues, milestones, etc.
Keypup only ingests metadata and metrics associated with repositories and projects that have been added within the administrative user interface. For each repository, we extract issues, pull requests, reviews, milestones and comments.
No Keypup staff will access private customer data unless expressly authorized by the user. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a security issue or suspected abuse.
When working a support issue, we respect your privacy as much as possible and access only the minimum data needed to resolve it. Staff do not have direct access to clone your repository.
B. Product security
Our products support single sign-on (SSO) via the repository providers or other integrated services for authentication. This is the most secure way to access the Keypup platform.
Our products provide role-based access control for authorization, allowing you to control who can access application settings, user management, features, etc.
In the case of GitHub repositories, the repo and public_repo scopes grant read and write access to code. While we will never write code to your repository, these OAuth scopes are currently the narrowest that GitHub supports for our use case (there is, for example, no repo:read scope).
Keypup stores all API tokens in the database using record-level encryption. The encryption algorithm is AES-256-GCM with a per-record initialization vector.
All components storing API tokens are backend components and are not exposed to users directly.
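To make the "per-record initialization vector" statement concrete, here is an added example (not Keypup's code, and not taken from this page) of record-level AES-256-GCM encryption of an API token using only the Go standard library. A fresh random nonce is drawn for every record and stored next to the ciphertext; GCM's authentication tag means a tampered record fails to decrypt instead of yielding garbage. The use of the record ID as additional authenticated data, the `EncryptedRecord` shape, the key handling and the sample token value are assumptions of this example, not details the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedRecord is the hypothetical shape of one encrypted token column.
// The nonce is not secret, but it must be stored with the ciphertext so the
// record can be decrypted, and it must be fresh for every record: reusing a
// nonce under the same key breaks GCM's confidentiality and integrity.
type EncryptedRecord struct {
	Nonce      []byte // 12-byte GCM nonce, unique per record
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// newAESGCM builds an AES-256-GCM AEAD and rejects keys of any other size,
// because aes.NewCipher would silently accept a 16-byte key as AES-128.
func newAESGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken encrypts one API token under the service key with a random
// nonce drawn for this record only. The record ID is passed as additional
// authenticated data (an assumption of this example), so a ciphertext copied
// into a different row is rejected at decryption time.
func EncryptToken(key []byte, recordID, token string) (EncryptedRecord, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(token), []byte(recordID))
	return EncryptedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptToken reverses EncryptToken. GCM verifies the tag before returning
// plaintext, so any modified byte, or a record ID that differs from the one
// used at encryption time, yields an error rather than a wrong token.
func DecryptToken(key []byte, recordID string, rec EncryptedRecord) (string, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("record %s: authentication failed: %w", recordID, err)
	}
	return string(pt), nil
}

func main() {
	// Constructed 32-byte key; a real service would load it from a KMS or
	// secret store rather than generate it in-process.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	token := "ghp_constructed_example_token" // constructed sample value

	a, err := EncryptToken(key, "row-1", token)
	if err != nil {
		panic(err)
	}
	b, err := EncryptToken(key, "row-2", token)
	if err != nil {
		panic(err)
	}
	// Same plaintext, different nonce, therefore different ciphertext.
	fmt.Println("row-1 nonce:", base64.StdEncoding.EncodeToString(a.Nonce))
	fmt.Println("row-2 nonce:", base64.StdEncoding.EncodeToString(b.Nonce))

	pt, err := DecryptToken(key, "row-1", a)
	fmt.Println("row-1 decrypts correctly:", err == nil && pt == token)

	// Moving row-2's ciphertext into row-1 is detected through the AAD binding.
	_, err = DecryptToken(key, "row-1", b)
	fmt.Println("cross-row swap rejected:", err != nil)
}
```

The practical check a reviewer would make against such a scheme is that the nonce source is `crypto/rand` (never a counter that resets or a value derived from the plaintext) and that the key length is validated, since `aes.NewCipher` accepts 16, 24 and 32-byte keys and only the last gives AES-256.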
Our systems have an uptime of 99% or higher, and we proactively advise users of any production incident that could adversely affect them. Our overall system availability can be viewed at any time at http://status.keypup.io.
C. Network and application security
Keypup hosts its infrastructure and data on Google Cloud Platform (GCP), which is ISO 27001 and SOC 2 compliant. All data stored by Keypup on GCP is encrypted at rest. All internal communication between components is encrypted in transit via TLS.
We follow GCP's best practices, which allow us to take advantage of its secure, distributed, fault-tolerant environment. For more information about GCP security practices, see https://cloud.google.com/security/
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across at least two GCP availability zones and systems will continue to work should any one of these data centers fail.
All datastores have at least one live read replica.
All of our servers are within our own virtual private cloud (VPC) on GCP, with network access controls that prevent unauthorized connections to internal resources.
Keypup uses GCP's built-in capability to back up all datastores every day. At the application level, we produce audit logs for all activity and forward them to centralized storage for analysis via GCP Stackdriver. Logs are retained for 30 days for investigation purposes.
Access to customer data is limited to authorized employees who require it for their job. All access to the Keypup websites is restricted to HTTPS encrypted connections.
Keypup enforces strong password requirements and 2-factor authentication (2FA) on repository providers and Google accounts to ensure that access to cloud services is protected.
All servers and disks are encrypted using AES-256. This is managed by GCP.
All data sent to or from Keypup systems is encrypted in transit using TLS v1.2. Digests and hashes are generated using SHA-256 and/or bcrypt, depending on the use.
Keypup continuously scans for vulnerabilities. We regularly perform thorough penetration tests on our application and infrastructure.
Keypup implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation and post-mortem analysis. All employees are informed of our policies.
D. Payment security
Keypup uses Stripe (https://stripe.com) as its payment processor. This third-party payment processor stores your credit card details and processes your payments; Keypup does not.
Stripe is a US-based company, certified with the highest industry standards and has obtained regulatory licenses around the world, including:
- PCI DSS Level 1 certification
- SSAE18/SOC1 type 1 and type 2 and SSAE18/SOC2 type 1 and type 2 reports
- Money Transmitter Licences across the US
- E-Money Licenses in the EU and the UK
- PSD2 and Strong Customer Authentication (SCA) compliant.
More details can be found at https://stripe.com/docs/security/stripe.
E. Additional security information
Our full Data Processing Agreement (DPA) can be consulted on this page and provides full information about how Keypup handles data.
All Keypup employees complete security awareness training annually.
Keypup has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Keypup performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
All employee contracts include a confidentiality agreement.
Keypup's offices require badge access at all hours. Visitors are required to sign in and be escorted at all times.
F. Reporting an issue
Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you've discovered a security concern, please email us at [email protected]. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to promptly address any issues that arise.
Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated, and we won't take legal action against you if you act accordingly.
Thank you