Your data and your code are critical. We work hard to ensure that your data are safe with us.

Below are commonly asked questions about Keypup and how we handle security.

> Do you fetch my code from GitHub or GitLab?

No, we don't.

Keypup uses your OAuth token to access metadata such as pull requests, issues, labels and comments, but never accesses your codebase via git/https/api checkouts.

Our engine does not require access to your code to evaluate the prioritization of tasks. Metadata provided by GitHub and GitLab - potentially coupled with project management information from JIRA, Trello or Clickup - provide more than enough context for us to evaluate priorities.

Be assured that if we ever needed to access your code in the future in order to deliver a new feature, we would make it an opt-in feature, the same way GitHub does for its security analysis features.

> How do you manage authorization tokens?

Authorization tokens for third-party apps such as GitHub, JIRA, etc. are obtained through OAuth2 flows and captured by Auth0, a service provider specialized in authentication flows.

After the initial connection flow, tokens are captured by our platform in isolated, app-specific components. Tokens are stored in disk-encrypted databases and are additionally protected by field-level encryption, using a per-component secret and a per-record initialization vector. Both layers use AES-256-GCM for encryption.

Third-party tokens are never exposed by our APIs. The isolated components mentioned above receive the required tokens via push.
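As an added illustration of the field-level scheme described above (example code, not Keypup's own), the following Go program seals a token with AES-256-GCM from the standard library under a 32-byte component-level secret and a freshly generated per-record nonce, storing the nonce beside the ciphertext. It goes slightly beyond the page by binding the record id as associated data, so a ciphertext copied into another row will not decrypt; the secret, record ids and token value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte component-level secret (other lengths are rejected).
func newAEAD(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one token under a fresh random nonce and returns the two values the row
// stores: the record-level nonce and the ciphertext with its 16-byte tag appended. recordID is
// bound as associated data (added here as good practice; the page does not say Keypup does this).
func EncryptField(secret []byte, recordID string, plaintext []byte) ([]byte, []byte, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96 bits, fresh for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField opens a stored field; any change to nonce, ciphertext, tag or record id fails.
func DecryptField(secret []byte, recordID string, nonce, ct []byte) ([]byte, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	secret := []byte("0123456789abcdef0123456789abcdef") // constructed; load from a secret store in practice
	nonce, ct, _ := EncryptField(secret, "token-42", []byte("constructed-sample-token"))
	pt, err := DecryptField(secret, "token-42", nonce, ct) // round-trips
	_, bad := DecryptField(secret, "token-43", nonce, ct)  // wrong row: authentication fails
	fmt.Println(string(pt), err, bad)
}
```

With GCM, reusing a nonce under the same key breaks both confidentiality and integrity, which is why the per-record IV must be random (or otherwise never repeat) for a given component secret.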

> Is traffic encrypted?

Yes. External and internal traffic is encrypted using TLS:

  • Connections to third-party platforms use HTTPS

  • Connections between Keypup components use HTTPS

  • Connections to datastores use secure tunnels

> How do you secure APIs and accesses?

All our websites and APIs are proxied through Cloudflare to mitigate intrusions and prevent DDoS attacks.

Login to the platform goes through Auth0. User profiles and accesses are all managed by Auth0 to secure your account.

API accesses are secured through Auth0 via OAuth2 scopes. This includes user-to-API and component-to-component communications. The platform uses a least-privilege approach where each component has minimal access, based on scopes, to other components' APIs.

> Are data encrypted at rest?

Yes. All data are encrypted at rest using AES-256-GCM.

Keypup hosts its infrastructure and data on Google Cloud Platform (GCP), which is ISO 27001 and SOC 2 compliant.

> Are data backed up?

Yes. All our databases have live replicas and are backed up daily. The replication and backup processes are managed by Google Cloud Platform.

> Do you share data with third-parties?

Keypup uses three trusted third parties for support and communication:

  • Intercom: we use Intercom for customer support. Names and emails are exposed to Intercom so as to allow customers to be identified.

  • Mailgun: we use Mailgun to send system emails (e.g. user invite email). Names and emails are exposed to Mailgun when sending emails but are not structurally stored by Mailgun.

  • Mailchimp: we use Mailchimp to send our monthly newsletter. Names and emails are stored by Mailchimp for the purpose of sending emails.

We NEVER share business data from your apps (e.g. GitHub, GitLab, JIRA, etc.) with third parties. Business data are stored in our virtual private cloud hosted by Google Cloud Platform and are processed inside that private cloud without the need to involve third parties.

> Can users in my Keypup team abuse my admin connection to GitHub, GitLab, etc.?

No, admin tokens cannot be used by company members.

Keypup manages two types of tokens:

  • App token: this is the token generated when you, as an admin, connect an app to Keypup. This token is only used to fetch and refresh data from the projects you have connected. It is never used for ad-hoc actions such as updating data in third-party apps.

  • Personal token: this is the token generated for each user when they link an identity (e.g. login via GitHub). This token is used to perform ad-hoc actions such as merging pull requests from Keypup or commenting on an issue. Personal tokens ensure that actions performed in third-party apps from Keypup are properly attributed to the user they originate from and properly authorized by the third-party app.
