Your employee information is secure and available always
Data Privacy and Data Access
Our success hinges on providing a safe and trustworthy environment for your subscription data. Protecting your data is our obsession, which involves a cross-functional approach with initiatives big and small. Here’s an overview of the major themes of our privacy and security protocols.
Access to Databases and data storages is restricted to three senior executives in the organization. Developers do not have direct data access. The only way this data can be accessed in any human readable form by our developers is through independently designed authentication gateways. The gateway comprises a homegrown querying engine which masks private and personally identifiable information, throttles and audits all data query operations.
Our customer support personnel need access to your portal to provide support. Keka has taken extreme measures to protect privacy here too. For a Keka support person to assist you and access any information, they would have to be granted access by you explicitly and they are given a secure one-time random password generated for every such support incident. These temporary credentials can be terminated by the customer within minutes or will last at most an hour in case customer forgot to terminate.
Keka leverages Microsoft Azure and Amazon AWS cloud infrastructure each with it’s own private network. We do not use any other local or on-premise infrastructure to store any customer information on our development or test environments.
Keka maintains compliance with the EU’s General Data Protection Regulation and maintains product features, corporate protocols, and legal documents to help our users and customers comply.
Application security
Sessions between you and your portal are protected with in-transit encryption using 2,048-bit or better keys and TLS 1.0 or above. Users with modern browsers will use TLS 1.2 or 1.3.
Keka monitors potential attacks with several tools, including a web application firewall and network-level firewalling. In addition, the Keka platform contains Distributed Denial of Service (DDoS) prevention defenses to help protect your site and access to your products.
Keka implements static code analysis tools and human review processes in order to ensure consistent quality in our software development practices.Our Secure Coding practices are in accordance with OWASP guidance
Datacenter Protections
Keka products are hosted with cloud infrastructure providers with SOC 2 Type II and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance
Keka’s patch management process identifies and addresses missing patches within the product infrastructure. Server-level instrumentation ensures tracked software packages use the appropriate versions.
Keka’s security incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time.
Audits, Vulnerability Assessment & Penetration Testing
Keka tests for potential vulnerabilities on a recurring basis. We run static code analysis, and infrastructure vulnerability scans.
Keka leverages 3rd party penetration testing firms several times a year to test the Keka products and product infrastructure.
Keka conducts regular external audits and certification
Resiliency and Availability
Keka’s availability is consistently above 99.9%. Customer data is 100% backed up to multiple online replicas with additional snapshots.
Our product and operations team monitor application, software, and infrastructure behavior using proprietary and industry recognized solutions.
Keka maintains multiple failover instances to prevent outages from single points of failure.
Keka has robust controls in place to recover data and application code in shortest time. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) when applied for data within same geography is 5 seconds and 1 Hour respectively. We have 45 days point in time restoration which allows us to restore any desired date and time within these last 45 days. RPO and RTO when applied for data stored in different geography in the unlikely event of a natural disaster is 12 hours and 1 hour respectively
