Security FAQ

Written by Tom Williams
Updated this week

The security of your data is critical, which is why Keypup uses proven industry standards to safeguard your data.

Keypup is SOC 2 Type II and ISO27001 certified. Audit control points can be reviewed in detail on our Trust Center.

Below are commonly asked questions about Keypup and how we handle security.

Do you fetch my code from GitHub, GitLab, or Bitbucket?

No, we don't.

Keypup uses your OAuth token to access metadata such as pull requests, issues, labels, comments, etc., but never accesses your codebase via git/https/api checkouts.

Do you fetch my code from Azure DevOps?

Yes, but we can disable this option for you.

Azure DevOps does not expose git statistics for PRs and commits on its API. The only way to obtain statistics on lines changed is to perform a git checkout and compare commits.

You can contact our support team prior to importing your Azure DevOps projects to disable the fetching of the code. If you choose to disable this feature, please be aware that pull requests and commits will not have diff stats information (lines changed, lines added, lines removed) on Keypup.

We take the security of your code very seriously. Here are the measures we have in place to protect your repositories:

  • The code is fetched on a private bucket within Google Cloud Platform (GCP)

  • Code data is encrypted at rest and in transit

  • Repository names are masked to prevent identification.

  • Our staff does not have access to the code.

  • The code is automatically and permanently deleted from our servers 24 hours after the last diff-stat operation is performed.

How do you manage authorization tokens?

Authorization tokens for third-party apps such as GitHub, JIRA, etc., are obtained through OAuth2 flows and captured by Auth0, a service provider specialized in authentication flows.

After the initial connection flow, tokens are captured by our platform in isolated and app-specific components. Tokens are stored in disk-encrypted databases and use field-level encryption with component-level secret and record-level initialization vectors to ensure maximum security. Both use AES-256-GCM for encryption.

Third-party tokens are never exposed by our APIs. The isolated components mentioned above receive the required tokens via push.

Is traffic encrypted?

Yes.

External and internal traffic is encrypted using TLS:

  • Connections to third-party platforms use HTTPS

  • Connections between Keypup components use HTTPS

Connections to datastores use secure tunnels.

How do you secure platform access and APIs?

All our websites and APIs are proxied through Cloudflare to mitigate intrusions and prevent DDoS attacks.

Login to the platform is done through Auth0. User profiles and access are all managed by Auth0 to secure your account.

API access is secured through Auth0 via OAuth2 scopes. This includes user-to-API and component-to-component communications. The platform uses a least-privilege approach where each component has minimal access, based on scopes, to other components' APIs.

Is data encrypted at rest?

Yes.

All data is encrypted at rest using AES-256-GCM.

Keypup hosts its infrastructure and data on Google Cloud Platform (GCP), which is ISO27001 and SOC2 compliant.

Is data backed up?

Yes. All our databases have live replicas and are backed up daily. The replication and backup processes are managed by Google Cloud Platform.

Do you share data with third parties?

Keypup uses three trusted third parties for support and communication:

  • Intercom: We use Intercom for customer support. Names and emails are exposed to Intercom so as to allow customers to be identified.

  • Mailgun: We use Mailgun to send system emails (e.g., user invite email). Names and emails are exposed to Mailgun when sending emails, but are not structurally stored by Mailgun.

  • Hubspot: We use Hubspot to send protips and recommendations by email. It is also used to send our monthly newsletter. Names and emails are stored by HubSpot for the purpose of sending emails.

We NEVER share business data from your apps (e.g., GitHub, GitLab, JIRA, etc.) with third parties. Business data is stored in our virtual private cloud hosted by Google Cloud Platform and is processed inside that private cloud without the need to involve third parties.

Can users in my Keypup team potentially abuse my admin connection to GitHub, GitLab, etc.?

No, admin tokens cannot be used by company members.

Keypup manages two types of tokens:

  • App token: This is the token generated when you - as an admin - connect an app to Keypup. This token is only used to fetch and refresh data from projects you have connected. This token is never used in ad-hoc actions such as updating data in third-party apps.

  • Personal token: This is the token generated for each user when they link an identity (e.g., Login via GitHub). This token is used to perform ad-hoc actions such as commenting on a card from Keypup. Personal tokens ensure that actions performed in third-party apps from Keypup are properly attributed to the user they originate from and properly authorized by the third-party app.