Security at Keyto

Information Security Program

At Keyto, we take security seriously! We map our security program to industry standards such as ISO 27001. We are constantly looking for ways to not only improve security for our product, but also with how we conduct business on a daily basis.

Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing Keyto. We also use tools to help us enforce compliance with our internal security policies.


Keyto’s is currently in the process of completing a SOC 2 Type II audit.

Our payment processor, Stripe is a certified Level 1 Service Provider. Keyto never has access to sensitive payment details.


Internal Security Measures

Personnel Security

All employees complete background checks and are required to acknowledge the security policy and sign a confidentiality agreement.

Identity and Access Management

Employees have unique logins for all business critical systems and two-factor authentication is enforced wherever possible. We conduct regular access audits and operate on the principle of least privilege.

Hardware Security

All employee laptops are managed, have encrypted hard drives and are monitored with antivirus software.

Security Education

As part of our commitment to ensure that every member of our team understands the role they play when it comes to security, we provide ongoing security training throughout the year, including periodic phishing tests. Each new employee attends a Security training session within the first two weeks of hire to help them learn to identify threats such as social engineering and phishing.

Keyto’s Application Security

Keyto is primarily hosted on Heroku, giving us access to the benefits they provide their customers such as physical security, redundancy, scalability and key management.


Encryption is used throughout Keyto to protect PII and non-public data from unauthorized access.

All communication between Keyto users and the Keyto-provided web application is encrypted-in-transit using TLS while using the application.

All databases and database backups are encrypted at rest.

Data Retention

Customers can request their data deleted by sending an email to: [email protected] as long as it is not subject to a legal hold or investigation.

Once an account or project is deleted, all associated data (account settings, etc.) are removed from the system. This action is irreversible.

Access to Data

Customer data is limited to only those with roles that require access to perform their job duties. An example of this is our Support team.

3rd Party Sub-processors

At Keyto, we use 3rd party service providers to help with analytics, payments, sending transactional emails and for hosting our service.

All 3rd party services undergo a due diligence check to ensure your data stays secure. The data provided to these services is limited to the minimum required to perform their processing duties.

Infrastructure Availability

Our backend infrastructure is hosted on Heroku and is fully monitored to detect any downtime.

Check out our status page for more information.

Responsible Disclosure

If you believe you have discovered a vulnerability within Keyto’s application, please submit a report to us by emailing [email protected].

If you believe your account has been compromised or you are seeing suspicious activity on your account please report it to: [email protected].


If you have any additional questions regarding security please contact us at [email protected].