Security

Information security at Keen

Keen takes securing your data seriously. Our Information Security program takes a multi-layer, ‘Defense in Depth’ approach to securing our products, networks, and the data our customers entrust us with.

Network security

Keen’s production network supporting the Keen Platform is physically segmented from the office network. Access to all production databases, systems, infrastructure and deployment pipelines requires use of a VPN. Multi-factor authentication is required for access to all cloud and office platforms and infrastructure components.

Physical security

Access to Keen’s offices is restricted. Employees are issued keyfobs for access to the HQ office. Guests must be admitted by an employee and escorted during their visit. Access reports are regularly reviewed.

The Keen Platform is hosted in the cloud. The cloud services used by Keen are SOC2 compliant.

Vulnerability management

Vulnerability and policy scans are automated. Any detected vulnerabilities are logged, prioritized, and remediated based on their criticality.

Identity and access management

Keen adheres to the principle of least-privilege access. Role-based access control is employed to ensure Keen employees can only access information on a need-to-know basis relating specifically to their job function. All login attempts to Keen’s systems are logged and monitored.

Third-party penetration testing

Keen engages third-party partners to perform external penetration testing against applications and networks at least annually.

Log and event management

Keen has deployed a SIEM (Security Information and Event Management) solution that collects and analyzes events from production systems to detect security anomalies. Any time an anomaly is detected, security and relevant operational teams receive real-time alerts and follow a defined process for investigation, triage and resolution.

Change management

All changes to production environments are reviewed prior to deployment. All non-emergency changes are tested in a lab environment prior to deployment, and are scheduled for deployment to production during off-peak times to minimize disruptions. Emergency changes require approval from the VP of Product Development. A back-out plan is required for all changes as well.

Incident management

Keen has developed an Incident Response program with a documented policy and procedures which include a defined incident response team, procedures for tracking all reported incidents to resolution, a communication plan to notify impacted third parties as necessary, and documented playbooks and workflows for managing incidents.

Business continuity/disaster recovery

Keen maintains a BCP/DR plan that documents and tracks all incidents that could potentially impact our production and office environments. Specific procedures, aligned with our Risk Management guidelines, are documented to establish communication, provide continuity of service, and define the recovery process for business-critical applications and services. Disaster recovery tests are performed at least annually.

People/HR security

Keen performs background checks on all candidates before extending an offer of employment. Additionally, new employees must complete security awareness training during their orientation, and annually thereafter.

Endpoint security

All Keen computing devices are centrally managed and have next-gen anti-virus and anti-malware protection enabled.

Vendor risk management

Keen has established a vendor management program to ensure all vendors and contractors are assessed prior to establishing a working relationship, to validate they have appropriate controls in place to be compliant with Keen’s security policies and requirements. Critical vendors are reviewed annually to ensure they remain compliant with Keen’s policies.

Governance, risk, and compliance (GRC)

Keen employs a Risk Management framework based upon ISO/IEC 27005 (Information technology: Information security risk management). Risk assessments are performed at least annually, and remediation plans are developed for any identified control deficiencies.