Keeper is a Zero-Knowledge Platform Committed to GDPR Compliance

Key points regarding Keeper's GDPR compliance

What is GDPR?

The General Data Protection Act (GDPR) is the most significant piece of European data protection legislation introduced in the European Union (EU) in 20 years and replaces the 1995 Data Protection Directive. The GDPR enhances EU individual's privacy rights and places significantly enhanced obligations on organisations handling data. At Keeper Security, we are committed to making GDPR a success.

The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. The concept of “personal data” is broadly defined and covers any information relating to an identified or identifiable individual, defined by GDPR as a “data subject”. For most companies, this includes employees and customers.

GDPR identifies two entities that may possess personal data. A data controller exercises control over the processing of personal data and decides which data to collect. A data processor acts at the direction of a data controller to collect, store, retrieve and/or delete personal data. Keeper Security is a data controller when we sell our password manager directly to consumers. We are a data processor when we sell to business, who in-turn would be considered the data controllers.

Our Commitment

Keeper is GDPR compliant and we are committed to ensuring our business processes and products continue to maintain compliance for our customers in the European Union.

The Keeper web client, Android App, Windows Phone App, iPhone/iPad App and browser extensions have been certified by the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Keeper is SOC 2 Type 2 compliant in accordance with the AICPA Service Organisation Control framework. Keeper is also ISO27001 certified.

Expanded Rights For Individuals

The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard. The data must be in common machine-readable format and the data controller must not interfere in the transfer of data.

Compliance Obligations

The GDPR requires organisations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records of data activities and enter into written agreements with vendors.

Increased Enforcement

Under the GDPR, authorities can fine organisations up to either €20 million or 4% of a company’s annual global revenue (whichever is higher), based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organisations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

New Requirements for Profiling and Monitoring

The GDPR places additional obligations on organisations engaged in profiling or monitoring behavior of EU individuals. The provisions of the GDPR apply globally to any organisation that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organisation has a physical presence in the EU.

Data Breach Notification and Security

The GDPR requires organisations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organisations.

Keeper's Data Processing Agreement (DPA)

Business customers may need to sign a Data Processing Agreement (DPA) with Keeper Security to assist in their GDPR compliance. Please request the DPA agreement from your Keeper Security representative or email us at business.support@keepersecurity.com.

Download the Data Processing Agreement (DPA)

Frequently asked questions

What is Keeper Security doing about GDPR?

We worked with TrustArc, a global leader in privacy compliance, to identify the changes in our business processes, privacy practices and products necessary to ensure that we are compliant with the GDPR.

As a zero-knowledge security company, GDPR is closely aligned with the core products and services that we provide. Compliance with international law and protecting the privacy of our customers is very important to us.

What is zero knowledge?

Keeper is a Zero-Knowledge security provider. The Keeper user is the only person that has full control over the encryption and decryption of their data. With Keeper, encryption and decryption occurs only on the user's device upon logging into the vault. Each individual record stored in the user's vault is encrypted with a 256-bit AES key that is randomly generated on the device. The record keys are protected by an additional key, called the Data Key. For users who login to Keeper with a master password, the Data Key is encrypted by a key derived on the device from the user's Master Password using PBKDF2 with 1,000,000 iterations. For users who login with SSO, the Data Key is encrypted by an Elliptic Curve private key. Data stored at rest on the user's device is also encrypted by another 256-bit AES key, called the Client Key. Secure record syncing between the user's devices is also encrypted at the network layer and routed through Keeper's Cloud Security Vault. This multi-tiered encryption model provides the most advanced data protection available in the industry.

What changes did Keeper Security implement to maintain GDPR compliance?

As a zero knowledge platform, the information stored in our product is fully encrypted and only available to the user. We have made changes to our analytics systems to ensure anonymity for our customers and we have made changes to allow you to control your consent about how any personal data that may be collected about you may be utilised or stored.

Is Keeper a data processor or data controller?

GDPR identifies two entities that may process personal data. A data controller decides which data to collect and what processing of personal data is done. A data processor acts at the direction of a data controller to collect, store, retrieve and/or delete personal data. Keeper Security is a data controller when we sell our password manager directly to consumers. We are a data processor when we sell to business, who in turn would be considered the data controllers.

How do I export my personal data?

To export your data, login to the Keeper Web Vault at https://keepersecurity.com/vault and click on "More >> Backup >> Export". You can download your stored information in either CSV or PDF format. If you have an expired account, please contact exportme@keepersecurity.com and our support team will assist you in accessing your vault.

How do I request my data to be deleted?

Please email deleteme@keepersecurity.com and provide the email address associated with your Keeper account.

Where is my data stored?

Keeper operates data centers in multiple regions throughout the world with Amazon AWS. Enterprise customers may elect to establish their Keeper tenant in any supported primary region including: United States (US), United States GovCloud (US_GOV), Europe (EU), Australia (AU), Canada (CA) and Japan (JP). Customer data and access to the platform are isolated to that specific region. From each primary region, Keeper utilizes multi-zone and multi-region replication to ensure high availability. In the United States commercial region, Keeper utilizes East and West locations. In the US GovCloud data center, Keeper utilizes East and West locations. In Europe, Keeper utilizes Ireland and Frankfurt locations. In Australia, Keeper utilizes Canada as a DR region. In Canada, data is replicated within the country. In Japan, the primary region is Tokyo and replicated to Osaka. Individual consumer users who sign up through the Keeper Web Vault, desktop app or mobile apps may select the desired data center location on the account creation screen.

How do I transfer my data from the US data center to EU data center?

Please contact exportme@keepersecurity.com for instructions and assistance in this data transfer.

How does Keeper Security help with our GDPR Compliance?

Zero-knowledge Architecture and Security: Keeper’s password manager is built from the ground-up on the idea that the individual user is the only person that can access their data. This is in perfect alignment with GDPR principles and data protection requirements. All encryption is done on the individual’s device(s). The data is encrypted in transit with Transport Layer Security (TLS) and stored in AES-256 encrypted ciphertext. By separating the data and encryption keys, no Keeper employee is ever able to access customer vault data. As per Article 34, if Keeper vault data were ever breached, the ciphertext would be worthless to the attackers and therefore no notification would be required.

In addition to regular security reviews and tests, Keeper is SOC 2 Type 2 certified and ISO27001 certified annually.

Keeper utilises Amazon AWS hardened cloud infrastructure in multiple geographic locations to host and operate the Keeper Vault. Data at rest and in transit is fully isolated in a customer's preferred global data center. In other words, EU data stays in the EU. This provides customers with the fastest and safest cloud storage.

No Additional Processing: Keeper will never mine customer vault data for any purpose. First, it is a matter of policy at the highest levels of Keeper that we are committed to customer privacy. Second, because of our zero-knowledge architecture, it is technically impossible for us to do so. This follows GDPR principles of both organisation and technical policies to protect personal data.

Data Control: Customers may export their data (in csv, pdf format), modify or delete their vault records at any time. This enables the GDPR requirements that personal data may be transferred or deleted as soon as the intended use is completed, consent is withdrawn or the legitimate business purpose changes. Because the data subjects are able to self-serve their Keeper vaults, the data controller is relieved of a significant burden in GDPR compliance. The data is encrypted such that only the data subject can access it, so no employees can even see it, let alone have the need to access it.

Role-based Access Control: The security concept of least privilege means that employees should only have access to the minimum amount of data that they need to do their jobs. This is most often accomplished with role-based access control (RBAC).

Keeper integrates with Microsoft Active Directory (AD) to synchronize with nodes (organisational units), teams and users. Once connected, Keeper enables role-based access control at any node. Those controls can be cascaded to all lower nodes if desired. These controls on the Keeper vaults include master password strength, rotation time, 2FA requirements, IP whitelisting and more. Keeper locks accounts that are terminated in AD and those accounts may be transferred to trusted admins. This gives IT admins control over data accounts and assets throughout the organisation.

Admin Insight and Auditing: Keeper Enterprise provides insight into employee password strength, reuse and use of second-factor authentication. Keeper provides audit logs complete with timestamps and filters to enable rapid searches for anomalies, bad behavior, forensics or compliance reporting.

English (UK) Call Us