Security and Compliance
ISO27001 Certified
At Codekeeper, nothing is more important to us than protecting your data.
In an increasingly digital world where cyber threats are pervasive, software vulnerabilities can lead to devastating consequences such as data breaches, financial losses, and reputational damage.
Learn more about how we implement security measures and mitigate risks through our security guides & policies.
Request access to our full security documents
By filling out the form, you will be asked to sign a non-disclosure agreement with Codekeeper.
Request one or more of the following Security Documents:
Security Assurance Report
The Security Assurance Report provides an overview of Codekeeper's Information Security Management System. Based on the ISO/IEC 27001:2022 Standard, this document describes how security has been woven into the design of our product and services.
Information Security Policy
Our Information Security Policy is the foundational document outlining our commitment to safeguarding our own information, as well as the information entrusted to us by interested parties.
Codekeeper’s Policy Index
For in-depth compliance reviews, Codekeeper's Policy Index provides a list and summary of our Information Security Policies, expanding on our Information Security Policy's principles to form our Information Security Management System.
Certified Security Standards
We are ISO27001 certified to safeguard your organization's data and infrastructure.
View Our ISO 27001 Certificate
Our Security & Compliance Features
ISO 27001 Information Security
We adhere to one of the highest standards of information security. Through our policies and procedures, security remains our first priority.
Multi-Layered Data Center Security
We partner with data centers that adhere to the highest security standards and security policies. The safety of your deposited information is of the utmost importance to us.
End-to-End Encryption
Data is secured at all times, both in transit and at rest with AES256/512 encryption.
Secure Deposits
Whether you prefer automated integration or manual uploads, our deposit methods provide you with a secure way to deposit your source code and information.
Deposit Verification
Our multitude of verification options provides peace of mind on the quality of your deposits, both at an overview and at an in-depth level.
GDPR Compliance (Add-On)
If your deposits contain GDPR-related data, you will probably need a data processing agreement and related services.
HIPAA Compliance (Add-On)
If your deposits contain HIPAA-related data, you will probably need a data processing agreement and related services.
Data Center Security
We operate in compliance with ISO 27001 guidelines. Our data center partners provide multi-layered security controls and practices.
Prior to choosing a location, our data center partner performs initial environmental and geographic assessments. Data center locations are carefully selected to mitigate environmental risks, such as flooding, extreme weather, and seismic activity. Their storage sites are built to be independent and physically separated from one another.
Redundancy
Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Availability
Our data center partner has identified the critical system components required to maintain the availability of our system and recover service in the event of an outage. Critical system components are backed up across multiple, isolated locations. Each location is engineered to operate independently with high reliability. Locations are connected so that applications can be architected to fail over automatically between locations without interruption. Highly resilient systems, and therefore service availability, are a function of system design. Through the use of multiple locations and data replication, our data center partner helps us achieve very short recovery time and recovery point objectives, as well as the highest levels of service availability.
Capacity Planning
Our data center partner continuously monitors service usage to deploy infrastructure to support our availability commitments and requirements. They maintain a capacity planning model that assesses our infrastructure usage and demands at least monthly. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.
The Business Continuity Plan outlines measures to avoid and lessen environmental disruptions. It includes operational details about steps to take before, during, and after an event. The Business Continuity Plan is supported by testing that includes simulations of different scenarios, and lessons learned during testing are used to update the Plan for continuous improvement.
Pandemic Response
Our data center partner incorporates pandemic response policies and procedures into its disaster recovery planning to prepare to respond rapidly to infectious disease outbreak threats. Mitigation strategies include alternative staffing models to transfer critical processes to out-of-region resources, and activation of a crisis management plan to support critical business operations. Pandemic plans reference international health agencies and regulations, including points of contact for international agencies.
Our data center partner provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Access to data centers is regularly reviewed. Access is automatically revoked when an employee’s record is terminated in their HR system. In addition, when an employee or contractor’s access expires in accordance with the approved request duration, his or her access is revoked, even if he or she continues to be an employee of our data center partner.
Data Center Access Monitoring
Our data center partner monitors its data centers using its global Security Operations Centers, which are responsible for monitoring, triaging, and executing security programs. They provide 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing, and dispatching responses.
Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.
Data Center Entry Points
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
Intrusion Detection
Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to our data center partner's 24/7 Security Operations Centers for immediate logging, analysis, and response.
Our data center partner's assets are centrally managed through an inventory management system that stores and tracks owner, location, status, maintenance, and descriptive information for their owned assets. Following procurement, assets are scanned and tracked, and assets undergoing maintenance are checked and monitored for ownership, status, and resolution.
Our data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
Climate and Temperature
Data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Fire Detection & Suppression
Data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.
Leakage Detection
To detect water leaks, our data center partner equips data centers with water detection mechanisms. If water is detected, mechanisms are in place to remove it and prevent additional water damage.
Our data center partner monitors and performs preventative maintenance of electrical and mechanical equipment to maintain the continued operability of systems within data centers. Equipment maintenance procedures are carried out by qualified persons and completed according to a documented maintenance schedule.
Environment Management
Our data center partner monitors electrical and mechanical systems and equipment to enable immediate identification of issues. This is carried out using continuous audit tools and information provided through its Building Management and Electrical Monitoring Systems. Preventative maintenance is performed to maintain the continued operability of equipment.
Our data center partner performs regular threat and vulnerability reviews of data centers. Ongoing assessment and mitigation of potential vulnerabilities is performed through data center risk assessment activities. This assessment is performed in addition to the enterprise-level risk assessment process used to identify and manage risks presented to the business as a whole. This process also takes regional regulatory and environmental risks into consideration.
Third-Party Security Attestation
Our data center partner has its data centers tested by third parties to verify that the security measures required for its security certifications have been appropriately implemented. Depending on the compliance program and its requirements, external auditors may test media disposal, review security camera footage, observe entrances and hallways throughout a data center, test electronic access control devices, and examine data center equipment.
ISO 9001: Global Quality Standard
ISO 27001: Security Management Controls
ISO 27017: Cloud Specific Controls
ISO 27018: Personal Data Protection
SOC 1: Audit Controls Report
SOC 2: Security, Availability, & Confidentiality Report
SOC 3: General Controls Report
PCI DSS Level 1: Payment Card Standards
CSA: Cloud Security Alliance Controls
On Security and Compliance
Our data center partner provides us with many compliance-enhancing features that allow us to achieve a higher level of security at scale for our customers.
Infrastructure
We provide different security capabilities and services that help you increase privacy and control network access. These include:
Network firewalls and web application firewall capabilities
Encryption in transit with TLS across all services
Connectivity options that enable private, or dedicated, connections from your office or on-premises environment
Data Encryption
We utilize encryption to add an additional layer of security to your data at rest in the cloud, using scalable and efficient encryption features. They include:
Data encryption
Flexible key management
Encrypted message queues
Vulnerability Monitoring
You can use a combination of services to implement a defense-in-depth strategy and thwart DDoS attacks. Our services are designed with an automatic response to DDoS, which helps minimize the time it takes to mitigate an attack and reduces its impact.
Our Full Commitment
We understand the critical importance of safeguarding sensitive data, protecting our systems from cyber threats, and ensuring the privacy and trust of our customers and stakeholders. Therefore, we place security at the forefront of our priorities.
Learn more about our security policies and procedures to stay aligned with industry best practices and compliance standards.
Frequently Asked Questions
What is the primary focus of Codekeeper's security measures?
- To ensure the protection and confidentiality of your software's source code, as well as to safeguard any sensitive data associated with your account and software licenses.
How does Codekeeper protect my source code?
- Using a combination of encryption, secure storage, and access control. We encrypt your code during transit and at rest, store it in secure data centers, and implement access controls to ensure that only authorized users can access your code.
What type of encryption does Codekeeper use to secure my source code?
- Industry-standard encryption methods, such as SSL/TLS for data in transit and AES-256 for data at rest. These encryption methods provide a high level of security and ensure that your code remains protected from unauthorized access.
Where is my source code stored?
- Your source code is stored in secure data centers that are compliant with industry standards and best practices for security, such as ISO 27001, SOC 2, and GDPR. These data centers employ multiple layers of physical and digital security measures to protect your code from potential threats.
How does Codekeeper handle access control for my source code?
- We implement access control by allowing you to define user roles and permissions for your account. You can grant or revoke access to your source code, ensuring that only authorized users have access to your software assets.
Can I trust Codekeeper with my sensitive data?
- Yes, we are committed to safeguarding your sensitive data and adhering to industry best practices and regulatory standards, such as GDPR, HIPAA, and others. We employ strict security measures to protect your data from unauthorized access, loss, or alteration.
Does Codekeeper conduct regular security audits and updates?
- Yes, we conduct regular security audits and updates to ensure that our platform remains secure and up-to-date with the latest industry standards and best practices. We work continuously to improve our security measures and protect your software assets.
How does Codekeeper handle potential security breaches?
- In the unlikely event of a security breach, we have an incident response plan in place to promptly identify, contain, and resolve any potential threats. We will notify affected customers in a timely manner and work closely with them to mitigate any potential impact on their software assets.
Who can I contact if I have a question that hasn't been answered here?
- We are always ready to help. Please feel free to get in touch with us by sending an email to contact@codekeeper.co.