Security Portal

Codekeeper Trust Center

codekeeper.co

Founded 2014

privacy@codekeeper.co

Updates

Oct 27, 2025

How Codekeeper Made Software Verification More Affordable

For years, software verification was a luxury; something only enterprises with massive compliance budgets could justify.

Jul 11, 2025

The Codekeeper Advantage

In the last few years, our world has grown more dependent on software.

Jul 11, 2025

Codekeeper V5 Is Here: The Modern Solution for Software Resilience

Every business runs on software.

View all updates

Compliance and Certifications

ISO 27001

ISO 27018

ISO 27017

ISO 9001

SOC 1

SOC 2

SOC 3

PCI DSS Level 1

CSA

Overview

Welcome to the Codekeeper Trust Center

Codekeeper specializes in software resilience. We offer ISO 27001 certified software escrow services that protect systems and ensure business continuity. For over a decade, we've preserved the source code, data, and dependencies that power critical business operations, healthcare systems, financial services, and essential infrastructure.

What We Do

Codekeeper acts as a neutral and trusted third party between software vendors and their clients. We store source code deposits in resilient digital vaults, perform verification testing, and provide access to escrowed materials only when specific release conditions are triggered. Our automated platform handles daily deposit synchronization, maintains version histories, and generates audit trails for all activities.

Our Security Foundation

We protect your source code with the same vigilance we demand for our own systems. Security isn't something we add — it's how we're built. Every deposit is guarded with AES-256/512 encryption, multi-factor authentication, and 24/7 monitoring across redundant data centers.

Reviewed and Trusted By

Controls

Product and Data Security

End-to-end encryption

Integrations

Multi-factor authentication

Audit logging

Network and Infrastructure Security

Hosting

Data centers

Anti-DDoS

Network perimeter security

Organizational Security

Team member training

Incident response readiness

Business continuity and disaster recovery plan

Dedicated information security team

HR security

Access Controls

Principle of least privilege

Deposit access restrictions

Release condition verification

Risk Management

Regular risk assessments

Security monitoring

Risk treatment

Legal

Data Processing Agreement

Data Privacy and Compliance

Data privacy overview

Data retention procedures

Product and Data Security

End-to-end encryption

Your data is protected at all times, both in transit and at rest, with AES256/512 encryption.

Integrations

Our platform provides secure API integrations that enable automated deposit synchronization while maintaining strict security standards.

Multi-factor authentication

All accounts are protected with multi-factor authentication.

Audit logging

All system activities, deposit operations, and access attempts are recorded and retained as long as required by law and necessary to provide our services.

Organizational Security

Team member training

All employees complete annual security awareness training with role-specific modules.

Incident response readiness

We maintain documented response procedures with immediate incident handling — issues are addressed as soon as they're identified, typically within 24 hours. We also have defined escalation paths and conduct regular preparedness drills.

Business continuity and disaster recovery plan

Our tested recovery procedures ensure service availability during disruptions, with clearly defined recovery objectives.

Dedicated information security team

Our specialized security team oversees security operations, policy implementation, and continuous improvement of our security posture.

HR security

All employees undergo background verification, extensive competency testing, and sign confidentiality agreements, with access immediately revoked upon termination.

Quick Summary

ISO 27001:2022 certified

SOC 2 aligned operations

Operates in line with GDPR

Has a formal mobile device management (MDM) program

Annual independent internal and third-party audits

Continuous vulnerability testing with regular review cycles

Quarterly and annual internal compliance reviews

Quarterly access reviews

Has incident response, business continuity, and disaster recovery plans — tested at planned intervals

Has cyber insurance

Will enter into a DPA

Has a privacy policy

Has extensive internal information security policies & procedures

Security awareness training during onboarding and annually thereafter

Has a vendor management program with vendor security and compliance reviews

Deletes customer data on request

Documents

All

Public

Private

FAQs

Search across Codekeeper’s FAQs

Popular Questions

What type of encryption does Codekeeper use to secure my source code?

Codekeeper employs AES-256/512 encryption with managed key rotation for stored deposits, while all transmissions use SSL/TLS protocols.

Can I trust Codekeeper with my sensitive data?

How does Codekeeper handle potential security breaches?

Codekeeper maintains a practiced incident response protocol with defined escalation triggers and notification timelines that meet GDPR's 72-hour requirement. Our response team conducts annual tests with documented communication responsibilities to ensure affected parties are contacted immediately. We carry cyber liability insurance and perform post-mortem reviews and root cause analyses on every incident — even false positives — to strengthen our defenses. In the unlikely event of a security breach, we will notify affected customers promptly and work closely with them to mitigate any potential impact on their software assets.

How is access to sensitive information restricted and controlled?

Access to sensitive information is strictly controlled on a need-to-know, least-privilege basis. All access is reviewed regularly to ensure it remains appropriate.

Does Codekeeper have an incident response plan, or a similar strategy, to manage security incidents and guarantee information safety?

Yes. Our plan has a clear process for reporting and managing security events. The plan includes reporting, impact assessment, containment, eradication, and root cause analysis to prevent recurrence, with open communication maintained throughout to keep all relevant parties informed, and is tested every year.

What training and awareness activities does Codekeeper provide for employees regarding incident detection and response?

Incident detection and response are covered as part of our regular security awareness training. Team members are trained on how to recognize and report events, understand their role in prevention, and follow the defined process for incident management.

How does Codekeeper ensure ongoing legal and regulatory compliance?

Codekeeper ensures ongoing legal and regulatory compliance through documented processes that track our obligations and keep them up to date. Our legal team monitors applicable laws and requirements, and these are reviewed regularly to confirm compliance. In addition, our ISO 27001 audits provide independent verification that our controls and practices meet the standards we are required to follow.

General Security

What is the primary focus of Codekeeper's security measures?

Codekeeper's mission is to ensure your source code never becomes a single point of failure. We protect deposits as a neutral third party, maintaining strict independence while guaranteeing code accessibility when release conditions are met — whether that's vendor bankruptcy, support failures, or other triggering events.

How does Codekeeper protect my source code?

What type of encryption does Codekeeper use to secure my source code?

Codekeeper employs AES-256/512 encryption with managed key rotation for stored deposits, while all transmissions use SSL/TLS protocols.

Where is my source code stored?

Source code deposits are distributed across geographically separated data centers, each maintaining independent power, cooling, and network systems. These facilities hold multiple security certifications, including ISO 27001 and SOC 2, and undergo annual compliance audits.

How does Codekeeper handle access control for my source code?

Codekeeper operates on a zero-trust model where deposit access requires multi-party verification. Release events trigger our validation protocol — legal review, condition verification, and beneficiary authentication — before any materials become accessible. Even our own engineers cannot bypass these controls.

How often are security measures reviewed?

Beyond our annual BSI certification audit, Codekeeper conducts quarterly internal assessments, continuous vulnerability scans, and real-time threat monitoring.

Can I trust Codekeeper with my sensitive data?

Does Codekeeper test deposited source code?

Yes, Codekeeper offers optional verification services to validate that deposits are complete, buildable, and match specifications. We test in isolated environments and provide detailed reports without retaining any compiled code or test outputs.

Does Codekeeper conduct regular security audits and updates?

Yes, we conduct regular security audits and updates to ensure that our platform remains secure and up-to-date with the latest industry standards and best practices.

How quickly can beneficiaries access code when conditions are met?

Once release conditions are verified, beneficiaries typically receive access within two to three hours.

How does Codekeeper handle potential security breaches?

Who can I contact if I have a question that hasn't been answered here?

For security, compliance, or general inquiries, please reach out to our team via contact@codekeeper.co.

Organizational Information and Policies

Does Codekeeper operate in any high-risk and other monitored jurisdictions?

No, we do not operate in any high-risk or otherwise monitored jurisdictions.

Does Codekeeper have a dedicated Information Security team?

Yes, we have a dedicated Information Security team that oversees and manages our Information Security Management System (ISMS). They ensure our practices are compliant with ISO 27001, aligned with frameworks such as SOC 2, and follow industry best practices, so our customers can trust that security is always a priority.

Does Codekeeper have security and privacy programs and policies?

Yes, we have a comprehensive set of information security policies and procedures in place. These are documented within our Information Security Management System (ISMS). An overview is available in our ISMS summary, which we’re happy to share upon request.

How often are Codekeeper's security policies reviewed and updated?

Our security policies are formally reviewed at least once every two years. In practice, we update them more frequently, often ahead of audits, trainings, or when improvements are identified. This ensures our policies stay current and continuously aligned with both best practices and evolving requirements.

Asset Management

What is Codekeeper's process for inventorying and tracking assets?

We follow a formal asset management process that defines our assets, assigns responsibilities, and sets out how they’re managed and tracked. All assets are recorded in our internal asset register, which we keep up to date to ensure accuracy and accountability.

What measures are in place to prevent unauthorized copying or transfer of sensitive data?

We have a strict access management process that ensures access is only granted on a need-to-know, risk-based basis. Access rights are reviewed at planned intervals to confirm they remain appropriate, and access to customer data is highly restricted. In addition, all activity is logged and monitored, and data is encrypted in transit and at rest.

How does Codekeeper ensure assets, such as devices, software, and networks stay secure?

We have topic-specific policies for all Codekeeper assets. Our Asset Management process works hand in hand with our Access Management and Device Management processes to make sure all access is monitored, all devices are managed in accordance with best practices, and software remains up to date to ensure vulnerabilities are treated promptly.

Human Resource Security

What security training does Codekeeper provide to employees?

Codekeeper provides annual security awareness training to all team members, which covers our information security policies and procedures, as well as team member roles and responsibilities when it comes to upholding the requirements set forth in these documents.

Does Codekeeper run background checks on contractors and employees?

Yes, Codekeeper uses a formal screening process, which includes evaluation education, professional experience, and background checks.

Does Codekeeper have employees sign confidentiality or non-disclosure agreements as part of the onboarding process?

Yes, all team members sign our service agreements before onboarding, which include Codekeeper’s confidentiality and non-disclosure requirements.

How does Codekeeper handle security risks when employee responsibilities change or contracts end?

When any team member's need-to-know requirements change (whether that is from changes in responsibilities to the end of a collaboration), access to any affected assets is updated or revoked as necessary to make sure information stays secure and restricted to those that need it.

Physical and Environmental Security

Does Codekeeper manage its own data center and servers?

No, we don’t operate our own datacenters. Instead, we rely on leading third-party providers that meet the highest industry standards. All vendors are vetted and continuously monitored through our vendor management process, and they maintain internationally recognized security certifications to ensure data is protected at all times.

Mobile and Remote Working Security

Does Codekeeper allow remote working?

Yes. We have specific controls in place to make sure that when team members do work remotely, information security is not compromised.

Communications and Operations Management

What anti-malware solutions are in place, and how are they managed?

Our topic-specific Anti-Malware policy outlines how Codekeeper manages malware risks on each front. In practice, each vulnerable endpoint is protected by software that ensures real-time defense and automatic updates to avoid any vulnerabilities being exploited by malware.

What backup procedures does Codekeeper have in place?

We run continuous, automated backups of our databases, which are stored in encrypted form. Restorable versions are available at any time within the retention period, and recovery can be performed to any point in time if needed. Backup integrity and restoration are regularly tested as part of our Disaster Recovery Plan, ensuring that data can be recovered quickly and reliably.

What is Codekeeper's approach to change management?

Our change processes ensure all changes are planned, reviewed, and approved before implementation. Organizational changes are reviewed with Executive Management to make sure they are properly assessed and aligned with business and security requirements. Development changes follow our Release Management process, where updates are reviewed, tested in staging, and only then deployed to production with CTO oversight. Emergency changes follow a defined fast-track process that allows them to be applied quickly while still maintaining security, control, and accountability.

What are Codekeeper's Logging and Monitoring practices?

Our systems automatically generate logs for key activities, including user actions, administrative changes, and all events involving customer-deposited materials. These logs capture key details required for quick analysis of actions taken. These logs are monitored and reviewed regularly, and anomalies are investigated. Logged information are treated with strict, need-to-know access controls in line with our access management processes.

Access Control

How is access to sensitive information restricted and controlled?

Access to sensitive information is strictly controlled on a need-to-know, least-privilege basis. All access is reviewed regularly to ensure it remains appropriate.

How does Codekeeper ensure that user access rights are appropriate for their roles and responsibilities?

We ensure access rights match roles and responsibilities through a strict, management-approved access framework. Access is systematically allocated during onboarding on a need-to-know, risk-based basis, and any additional access requests go through a formal review and approval process. Regular reviews are conducted to confirm access remains appropriate over time.

Are there procedures for handling user password management and authentication tokens?

Yes, we have formal password management procesess in place. All team members are required to use a secure, supported password manager and create strong, unique passwords. Multi-factor authentication is applied wherever possible, and processes are in place for secure login and password changes as required.

Are there specific guidelines or policies for using personal devices for work purposes (BYOD)?

Yes, Codekeeper supports Bring Your Own Device (BYOD) under a formal policy with strict controls.

Information Systems Acquisition, Development, and Maintenance

Describe Codekeeper's software development lifecycle.

Codekeeper follows a secure software development lifecycle (SDLC) to ensure quality and security at every stage. Development is carried out with approved, secure tools, and access to source code is strictly controlled. Vulnerability scanning and security reviews are built into the process, and development, testing, and production environments are kept separate to reduce risk. Real-world threats are considered from planning through to deployment, ensuring our platform remains secure and reliable.

What testing processes are in place for new systems and applications?

New developments go through a defined testing process before release. This includes code reviews, vulnerability scanning, and quality assurance (QA) testing in a staging environment to validate functionality and security. Only once testing is complete and approved are changes deployed to production.

Describe the update and patching mechanisms for software.

Software is kept up to date through a structured patch management process. Patches are classified by urgency and impact, reviewed and approved before deployment, and applied in a controlled manner. Critical or high-risk vulnerabilities are addressed immediately through an emergency patching process to ensure quick mitigation.

Information Security Incident Management

Does Codekeeper have an incident response plan, or a similar strategy, to manage security incidents and guarantee information safety?

Describe how customers will be informed of personal data and data security breaches affecting their data processed by Codekeeper and its subcontractors, and within what timeframe.

In the event of a security breach affecting customer data, we follow defined processes to ensure customers are informed without undue delay about the nature of the incident and the steps being taken to address it, in line with legal and contractual requirements.

Describe the process for reviewing and updating Codekeeper's incident response plan after an incident occurs.

After an incident is resolved, we conduct a post-incident review to assess how the response was handled and identify any areas for improvement. Lessons learned are documented, and the Incident Response Plan is updated as needed.

What training and awareness activities does Codekeeper provide for employees regarding incident detection and response?

Does Codekeeper have a dedicated team or resources for handling security incidents?

Yes, we have a dedicated Incident Response Team.

Business Continuity Management

Does Codekeeper have Business Continuity and Disaster Recovery Plans in place to ensure data security and operational resilience during disruptions?

Yes, Codekeeper has Business Continuity and Disaster Recovery Plans in place, which are tested every year.

Describe Codekeeper's process for managing communications with stakeholders during a disruption.

During a disruption, we follow defined communication procedures to ensure interested parties are informed without undue delay. Affected parties are kept updated on the disruption. Communication continues throughout the process so parties remain fully informed.

Does Codekeeper have a process for restoring service in the event of catastrophic failure?

Yes, Codekeeper's Disaster Recovery Plan covers restoring services from secure backups to a defined point in time if a catastrophic failure occurs. Recovery is carried out as quickly as possible, in line with contractual and legal requirements. Our goal is always to minimize disruption and restore availability promptly while ensuring data integrity and security.

Compliance

How does Codekeeper ensure ongoing legal and regulatory compliance?

How does Codekeeper manage and monitor internal compliance with policies and regulations?

We manage internal compliance through scheduled security awareness training and compliance reviews throughout the year. These reviews confirm that team members are following our policies and procedures in line with our security requirements.

Vendor Management

If Codekeeper makes use of third-party vendors who will access customer information, list their details, roles and under which circumstances customer information will be shared with them.

We only share customer information with third-party vendors where it is strictly necessary to deliver our services, and always on a need-to-know basis. These vendors and the circumstances under which information may be shared are documented in our Privacy Policy. All vendors are vetted and required to meet our security and confidentiality standards before being engaged.

Describe Codekeeper's process for monitoring and reviewing vendor security practices.

Codekeeper follows a structured vendor management process to ensure third parties continue to meet our security requirements. This includes reviewing their security practices, terms, and any significant changes to their services, as well as carrying out regular performance evaluations. This way, we confirm vendors remain aligned with our standards over time.

What steps does Codekeeper take if a vendor fails to meet specific security requirements?

We follow a structured, escalated process. If a vendor falls short of our security requirements, we document the issue, perform a risk assessment, and request a corrective action plan with clear timelines. Access may be limited and compensating controls applied while remediation is underway, with oversight from Executive Management. If the vendor cannot remediate or there is significant non-compliance, we initiate secure offboarding and migration to an alternative provider, ensuring data return/deletion and service continuity.

Describe the process for handling data breaches or security incidents involving vendors.

Vendor-related data breaches or security incidents are handled through the same structured process as internal incidents. Events are reported, assessed, and, if necessary, escalated under our Incident Response Plan. While the vendor is responsible for containing and remediating the issue on their side, we coordinate closely with them and communicate without undue delay to any affected customers if their data is impacted. Depending on the severity, this may also trigger a risk assessment and a review of the vendor’s continued suitability.

How does Codekeeper manage the termination or change of vendors from a security perspective?

Codekeeper follows a secure offboarding process when a vendor is terminated. This includes revoking access and ensuring data is either securely returned or permanently deleted in line with our requirements. To maintain continuity, vendor changes are planned and controlled as possible so that a replacement is in place before termination. New vendors go through a secure onboarding process to confirm they meet our security and compliance standards before engagement.

What measures are in place to ensure the security of data shared with vendors?

Codekeeper ensures the security of data shared with vendors by requiring them to meet our security standards and by carefully assessing their controls against our requirements. Vendors are only given access to the data strictly needed to deliver their services, and this access is continuously monitored and reviewed. Ongoing vendor reviews confirm that their practices remain aligned with our expectations and that data stays protected at all times.

Describe Codekeeper's approach to managing risks associated with outsourcing to vendors.

We manage outsourcing risk through a formal, risk-based vendor process. Before onboarding, we screen each vendor to confirm suitability. Risks are mitigated by limiting access to least-privilege, minimizing the data shared, using secure onboarding, and embedding security and confidentiality obligations in our contracts. Vendors are monitored; if standards aren’t met, we apply corrective actions or transition to an alternative provider via a secure offboarding process.

How does Codekeeper ensure continuity of service in case of critical vendor failure or issues?

Continuity in the event of a critical vendor failure is addressed in our Business Continuity Plan. The plan outlines processes to minimize disruption, including measures to maintain service availability. This ensures we can continue to deliver our services even if a key vendor experiences issues.

Risk Management

Does Codekeeper have a Risk Identification and Management Process, or a similar strategy, to identify and assess information security risks?

Yes, we have a formal Risk Assessment and Treatment process to identify, evaluate, and address information security risks. We treat risks based on their likelihood and impact.

How does Codekeeper integrate risk management into overall business strategy and decision-making?

Risk management is built into our overall business strategy and decision-making. Risks are considered when evaluating new initiatives, vendors, and operational changes, and management reviews ensure that business objectives are balanced with security and compliance requirements.

How are risks associated with third-party vendors or service providers managed?

We manage vendor risks through a formal vendor management process similar to our information security risk assessments. Before onboarding, vendors are assessed for suitability based on factors such as their security measures, track record, and overall reliability. Risks are evaluated for impact and likelihood, and additional assessments are carried out if a vendor experiences an incident or undergoes significant changes.

Describe Codekeeper's process for responding to identified risks that exceed acceptable thresholds.

When a risk exceeds our acceptable threshold, we decide whether to mitigate it with controls, apply new controls, or avoid it altogether. The risk is then reassessed to confirm it has been reduced to an acceptable level.

Encryption and Data Protection

Does Codekeeper employ encryption, or data masking, to protect data (at rest and in transit)?

Yes, we use strong encryption to protect data both at rest and in transit. Data at rest is encrypted using AES-256, while data in transit is protected with secure protocols such as TLS and HTTPS. In addition, we apply multiple controls to prevent unintended exposure of confidential information, including strict access management, optional multi-factor authentication, and secure password storage using hashing and encryption with a trusted provider.

Describe Codekeeper's data retention and destruction policy.

We retain data only for as long as necessary to provide our services and to meet legal or regulatory requirements. When data is no longer needed, it is securely deleted or destroyed in line with our Data Retention and Disposal Policy, ensuring it cannot be recovered or accessed after removal.

Describe Codekeeper's policy and the conditions for returning sensitive data and destroying the data once the service is terminated.

Active customer data is retained for the duration of the service unless deletion is requested as outlined under Codekeeper's Privacy Policy. On termination, customer data is returned or deleted in line with contractual agreements. When deletion is required, it is securely removed from active systems and backups to ensure it cannot be recovered.

Can Codekeeper commit to keeping customer information for a strict minimum amount of time after customer stops use?

Yes.

Does Codekeeper retain customer information in backups after a customer has deleted (or requested deletion of) the data?

No, when deletion is required, it is securely removed from active systems and backups to ensure it cannot be recovered.

How does Codekeeper ensure the secure transfer of data to and from your organization?

We ensure secure data transfer through strict controls that define which channels may be used, what information can be shared, and under what circumstances. Transfers are protected with encryption, and where appropriate, additional safeguards such as confidentiality agreements (NDAs) are applied.

What procedures are in place for managing encryption keys?

Codekeeper follows a formal process for managing encryption keys. This covers their secure creation, storage, distribution, use, backup, and eventual archiving or destruction. Access to keys is strictly controlled and limited to authorized personnel only, ensuring they remain protected throughout their lifecycle.

Describe Codekeeper's policies for key generation, distribution, storage, rotation, and destruction.

Our key management process ensures that encryption keys are generated using strong, unique values and meet AES-256 standards. Keys are stored and managed using secure, industry-standard key management services, never distributed manually, and access is strictly limited to authorized personnel. Keys follow a defined lifecycle that includes secure rotation, archival, and destruction to ensure ongoing protection.

Network Security

What cloud infrastructure does Codekeeper use?

Codekeeper operates in a secure cloud environment following industry best practices for network segregation, confidentiality, and redundancy. More information about our network environment can be provided through our Security Assurance Report upon request.

Describe Codekeeper's network perimeter security controls (e.g., firewalls, IDS/IPS).

Our network perimeter is protected through firewalls, restricted private networking, and secure gateways that only allow authorized, encrypted traffic. Administrative access is tightly controlled, and monitoring is in place to detect and respond to potential threats. More information about our network environment can be provided through our Security Assurance Report upon request.

How does Codekeeper monitor for and respond to network security threats?

We monitor our platform and infrastructure through real-time logging to detect suspicious activity or errors. Logs capture user actions, system events, and service activity, and are regularly reviewed. Any anomalies are investigated, documented, and, if necessary, escalated through our Incident Response Plan. Identified issues are resolved promptly, and lessons learned are fed back into our processes to strengthen future security.

Vulnerability Management and Threat Detection

Does Codekeeper perform regular vulnerability scans on its systems and applications?

Yes, we perform continuous vulnerability scanning on our systems and applications to ensure potential issues are identified and addressed promptly.

What processes are in place for remediating vulnerabilities identified during scans or assessments?

Vulnerabilities identified through scans or assessments are remediated based on risk, with high-priority issues addressed first.

Does Codekeeper conduct penetration testing, and if so, how frequently?

We do not currently conduct penetration testing. Instead, we maintain ongoing protection through continuous vulnerability scanning, monitoring, and logging.

Let's build bulletproof software resilience together.

Book a demo