The security of your data is critical. This is why we deploy at all times best and proven industry practices to ensure your data is safe on our platform.
Below are commonly asked questions about Keypup and how we handle security.
Do you fetch my code from GitHub, GitLab or Bitbucket?
No we don't.
Keypup uses your OAuth token to access metadata such as pull requests, issues, labels, comments etc. but never accesses your codebase via git/https/api checkouts.
How do you manage authorization tokens?
Authorization tokens for third-party apps such as GitHub, JIRA etc. are obtained through OAuth2 flows and captured by Auth0 - a service provider specialized in authentication flows.
After the initial connection flow, tokens are captured by our platform in isolated and app-specific components. Tokens are stored in disk-encrypted databases and use field-level encryption with component-level secret and record-level initialization vectors to ensure maximum security. Both use AES-256-GCM for encryption.
Third-party tokens are never exposed by our APIs. The isolated components mentioned above receive the required tokens via push.
Is traffic encrypted?
Yes. External and internal traffic is encrypted using TLS:
Connections to third-party platforms use HTTPS
Connections between Keypup components use HTTPS
Connections to datastores use secured tunnels.
How do you secure APIs and accesses?
All our websites and APIs are proxied through Cloudflare to mitigate intrusions and prevent DDoS attacks.
Login to the platform is done through Auth0. User profiles and accesses are all managed by Auth0 to secure your account.
API accesses are secured through Auth0 via OAuth2 scopes. This includes User to API and component to component communications. The platform uses a least privilege approach where each component has minimal access - based on scopes - to other components' API.
Is data encrypted at rest?
Yes. All data is encrypted at rest using AES-256-GCM.
Keypup hosts its infrastructure and data on Google Cloud Platform (GCP), which is ISO27001 and SOC2 compliant.
Is data backed up?
Yes. All our databases have live replicas and are backed up daily. The replication and backup processes are managed by Google Cloud Platform.
Do you share data with third-parties?
Keypup uses three trusted third-parties for support and communication:
Intercom: we use Intercom for customer support. Names and emails are exposed to Intercom so as to allow customers to be identified.
Mailgun: we use Mailgun to send system emails (e.g. user invite email). Names and emails are exposed to Mailgun when sending emails but are not structurally stored by Mailgun.
Hubspot: we use Hubspot to send protips and recommendations by email. It is also used to send our monthly newsletter. Names and emails are stored by Hubspot for the purpose of sending emails.
We NEVER share business data from your apps - E.g. GitHub, GitLab, JIRA etc.. - with third-parties. Business data is stored in our virtual private cloud hosted by Google Cloud Platform and is processed inside that private cloud without the need to involve third-parties.
Can users in my Keypup team potentially abuse my admin connection to GitHub, GitLab etc..?
No, admin tokens cannot be used by company members.
Keypup manages two types of tokens:
App token: this is the token generated when you - as an admin - connect an app to Keypup. This token is only used to fetch and refresh data from projects you have connected. This token is never used in ad-hoc actions such as updating data in third-party apps.
Personal token: this is the token generated for each user when they link an identity (e.g. Login via GitHub). This token is used to perform ad-hoc actions such as commenting on a card from Keypup. Personal tokens ensure that actions performed in third-party apps from Keypup are properly attributed to the user they originate from and properly authorized by the third-party app.
โ