What is Keeper Security doing about GDPR?
We worked with TrustArc, a global leader in privacy compliance, to identify the changes in our business processes, privacy practices and products necessary to ensure that we are compliant with the GDPR.
As a zero-knowledge security company, GDPR is closely aligned with the core products and services that we provide. Compliance with international law and protecting the privacy of our customers is very important to us.
What is Zero Knowledge?
Keeper is a Zero-Knowledge security provider. The Keeper user is the only person that has full control over the encryption and decryption of their data. With Keeper, encryption and decryption occurs only on the user's device upon logging into the vault. Each individual record stored in the user's vault is encrypted with a 256-bit AES key that is randomly generated on the device. The record keys are protected by an additional key, called the Data Key. For users who login to Keeper with a master password, the Data Key is encrypted by a key derived on the device from the user's Master Password using PBKDF2 with 1,000,000 iterations. For users who login with SSO, the Data Key is encrypted by an Elliptic Curve private key. Data stored at rest on the user's device is also encrypted by another 256-bit AES key, called the Client Key. Secure record syncing between the user's devices is also encrypted at the network layer and routed through Keeper's Cloud Security Vault. This multi-tiered encryption model provides the most advanced data protection available in the industry.
What changes did Keeper Security implement to maintain GDPR compliance?
As a zero knowledge platform, the information stored in our product is fully encrypted and only available to the user. We have made changes to our analytics systems to ensure anonymity for our customers and we have made changes to allow you to control your consent about how any personal data that may be collected about you may be utilised or stored.
Is Keeper a data processor or data controller?
GDPR identifies two entities that may process personal data. A data controller decides which data to collect and what processing of personal data is done. A data processor acts at the direction of a data controller to collect, store, retrieve and/or delete personal data. Keeper Security is a data controller when we sell our password manager directly to consumers. We are a data processor when we sell to business, who in turn would be considered the data controllers.
How do I export my personal data?
To export your data, login to the Keeper Web Vault at https://keepersecurity.com/vault and click on "More >> Backup >> Export". You can download your stored information in either CSV or PDF format. If you have an expired account, please contact firstname.lastname@example.org and our support team will assist you in accessing your vault.
How do I request my data to be deleted?
Please email email@example.com and provide the email address associated with your Keeper account.
Where is my data stored?
Keeper operates data centers in multiple regions throughout the world with Amazon AWS. Enterprise customers may elect to establish their Keeper tenant in any supported primary region including: United States (US), United States GovCloud (US_GOV), Europe (EU), Australia (AU), Canada (CA) and Japan (JP). Customer data and access to the platform are isolated to that specific region. From each primary region, Keeper utilizes multi-zone and multi-region replication to ensure high availability. In the United States commercial region, Keeper utilizes East and West locations. In the US GovCloud data center, Keeper utilizes East and West locations. In Europe, Keeper utilizes Ireland and Frankfurt locations. In Australia, Keeper utilizes Canada as a DR region. In Canada, data is replicated within the country. In Japan, the primary region is Tokyo and replicated to Osaka. Individual consumer users who sign up through the Keeper Web Vault, desktop app or mobile apps may select the desired data center location on the account creation screen.
How do I transfer my data from the US data center to EU data center?
Please contact firstname.lastname@example.org for instructions and assistance in this data transfer.
How does Keeper Security help with our GDPR Compliance?
Zero-knowledge Architecture and Security: Keeper’s password manager is built from the ground-up on the idea that the individual user is the only person that can access their data. This is in perfect alignment with GDPR principles and data protection requirements. All encryption is done on the individual’s device(s). The data is encrypted in transit with Transport Layer Security (TLS) and stored in AES-256 encrypted ciphertext. By separating the data and encryption keys, no Keeper employee is ever able to access customer vault data. As per Article 34, if Keeper vault data were ever breached, the ciphertext would worthless to the attackers and therefore no notification would be required.
In addition to regular security reviews and tests, Keeper is SOC 2 Type 2 certified and ISO27001 certified annually.
Keeper utilises Amazon AWS hardened cloud infrastructure in multiple geographic locations to host and operate the Keeper Vault. Data at rest and in transit is fully isolated in a customer's preferred global data center. In other words, EU data stays in the EU. This provides customers with the fastest and safest cloud storage.
No Additional Processing: Keeper will never mine customer vault data for any purpose. First, it is a matter of policy at the highest levels of Keeper that we are committed to customer privacy. Second, because of our zero-knowledge architecture, it is technically impossible for us to do so. This follows GDPR principles of both organisation and technical policies to protect personal data.
Data Control: Customers may export their data (in csv, pdf format), modify or delete their vault records at any time. This enables the GDPR requirements that personal data may be transferred or deleted as soon as the intended use is completed, consent is withdrawn or the legitimate business purpose changes. Because the data subjects are able to self-serve their Keeper vaults, the data controller is relieved of a significant burden in GDPR compliance. The data is encrypted such that only the data subject can access it, so no employees can even see it, let alone have the need to access it.
Role-based Access Control: The security concept of least privilege means that employees should only have access to the minimum amount of data that they need to do their jobs. This is most often accomplished with role-based access control (RBAC).
Keeper integrates with Microsoft Active Directory (AD) to synchronize with nodes (organisational units), teams and users. Once connected, Keeper enables role-based access control at any node. Those controls can be cascaded to all lower nodes if desired. These controls on the Keeper vaults include master password strength, rotation time, 2FA requirements, IP whitelisting and more. Keeper locks accounts that are terminated in AD and those accounts may be transferred to trusted admins. This gives IT admins control over data accounts and assets throughout the organisation.
Admin Insight and Auditing: Keeper Enterprise provides insight into employee password strength, reuse and use of second-factor authentication. Keeper provides audit logs complete with timestamps and filters to enable rapid searches for anomalies, bad behavior, forensics or compliance reporting.