There are many differentiators between how Keeper protects customer information compared to our competitors. The LastPass data breaches have brought into question how the stored vault information is protected in the case of a data breach. While Keeper takes extensive security safeguards to prevent breaches, customers rightly want to understand our protections, in the event that a breach does occur. A highly detailed document describing the Keeper encryption model is available on this page. This blog post will outline the key protections that would protect users in the event of a data breach.
For enterprises looking to deploy a secure password manager to users, Keeper SSO Connect provides the highest levels of data protection in addition to seamless integration with your current identity stack. Since no master password is used, the threat vector of brute force attacks against stored data is eliminated.
For users who log in with SSO or passwordless technology: the user authenticates through their SSO identity provider and then decrypts the ciphertext of their vault locally on their device. Each device has its own EC (Elliptic Curve) public/private key pair and encrypted data key. To sign in on a new device, the user must use an existing device to approve it, or an administrator with the appropriate privilege can approve the new device.
The General Data Protection Regulation (GDPR) is the most significant piece of European data protection legislation introduced in the European Union (EU) in 20 years and replaces the 1995 Data Protection Directive. The GDPR enhances EU individuals' privacy rights and places significantly enhanced obligations on organizations handling data. At Keeper Security, we are committed to making GDPR a success.
GDPR identifies two entities that may possess personal data. A data controller exercises control over the processing of personal data and decides which data to collect. A data processor acts at the direction of a data controller to collect, store, retrieve and/or delete personal data. Keeper Security is a data controller when we sell our password manager directly to consumers. We are a data processor when we sell to businesses, which in turn are considered the data controllers.
The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored about them. The data must be in a common machine-readable format and the data controller must not interfere in the transfer of the data.
The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records of data activities and enter into written agreements with vendors.
The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals. The provisions of the GDPR apply globally to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.
The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
Business customers may need to sign a Data Processing Agreement (DPA) with Keeper Security to assist in their GDPR compliance. Please request the DPA from your Keeper Security representative or email us at business...@keepersecurity.com.
Keeper is a Zero-Knowledge security provider. The Keeper user is the only person who has full control over the encryption and decryption of their data. With Keeper, encryption and decryption occur only on the user's device upon logging into the vault. Each individual record stored in the user's vault is encrypted with a 256-bit AES key that is randomly generated on the device. The record keys are protected by an additional key, called the Data Key. For users who log in to Keeper with a master password, the Data Key is encrypted by a key derived on the device from the user's Master Password using PBKDF2 with 1,000,000 iterations. For users who log in with SSO, the Data Key is encrypted by an Elliptic Curve private key. Data stored at rest on the user's device is also encrypted by another 256-bit AES key, called the Client Key. Secure record syncing between the user's devices is also encrypted at the network layer and routed through Keeper's Cloud Security Vault. This multi-tiered encryption model provides the most advanced data protection available in the industry.
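As an added illustration of the key hierarchy described above (example code written for this page, not Keeper's own implementation), the Go program below wraps a random per-record AES-256 key under a Data Key, wraps the Data Key under a key derived from the master password with PBKDF2 at 1,000,000 iterations, and shows that the stored ciphertext cannot be unwrapped with a wrong password. The choice of AES-GCM as the wrapping mode, SHA-256 as the PBKDF2 PRF, the 16-byte salt and the prepended 12-byte nonce are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
const Iterations = 1000000 // iteration count the page gives for the master-password path
// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018); PRF is assumed.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func random(n int) []byte     { b := make([]byte, n); rand.Read(b); return b }
// seal and open wrap/unwrap under a 256-bit AES-GCM key (assumed mode); 12-byte nonce is prepended.
func seal(key, plaintext []byte) []byte { n := random(12); return gcm(key).Seal(n, n, plaintext, nil) }
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, errors.New("blob too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// Vault is what a server would hold: the PBKDF2 salt and ciphertext only, never a key.
type Vault struct{ Salt, WrappedDataKey, WrappedRecordKey, Record []byte }
// Enroll builds the chain: record key -> Data Key -> key derived from the master password.
func Enroll(master string, record []byte) Vault {
	salt, dataKey, recordKey := random(16), random(32), random(32)
	kek := pbkdf2SHA256([]byte(master), salt, Iterations)
	return Vault{salt, seal(kek, dataKey), seal(dataKey, recordKey), seal(recordKey, record)}
}
// Unlock reverses the chain; a wrong master password fails at the first GCM tag check.
func Unlock(master string, v Vault) ([]byte, error) {
	dataKey, err := open(pbkdf2SHA256([]byte(master), v.Salt, Iterations), v.WrappedDataKey)
	if err != nil { return nil, err }
	recordKey, err := open(dataKey, v.WrappedRecordKey)
	if err != nil { return nil, err }
	return open(recordKey, v.Record)
}
```

Every guess against the stored blobs costs a full 1,000,000-iteration derivation before the first tag check can even fail, which is what makes offline brute force of a leaked vault expensive.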
As a zero-knowledge platform, the information stored in our product is fully encrypted and available only to the user. We have made changes to our analytics systems to ensure anonymity for our customers, and we have made changes to allow you to control your consent about how any personal data that may be collected about you is used or stored.
To export your data, log in to the Keeper Web Vault at and click on "More >> Backup >> Export". You can download your stored information in either CSV or PDF format. If you have an expired account, please contact sup...@keepersecurity.com and our support team will assist you in accessing your vault.
Keeper operates data centers in multiple regions throughout the world with Amazon AWS. Enterprise customers may elect to establish their Keeper tenant in any supported primary region including: United States (US), United States GovCloud (US_GOV), Europe (EU), Australia (AU), Canada (CA) and Japan (JP). Customer data and access to the platform are isolated to that specific region. From each primary region, Keeper utilizes multi-zone and multi-region replication to ensure high availability. In the United States commercial region, Keeper utilizes East and West locations. In the US GovCloud data center, Keeper utilizes East and West locations. In Europe, Keeper utilizes Ireland and Frankfurt locations. In Australia, Keeper utilizes Canada as a DR region. In Canada, data is replicated within the country. In Japan, the primary region is Tokyo and replicated to Osaka. Individual consumer users who sign up through the Keeper Web Vault, desktop app or mobile apps may select the desired data center location on the account creation screen.
Keeper utilizes Amazon AWS hardened cloud infrastructure in multiple geographic locations to host and operate the Keeper Vault. Data at rest and in transit is fully isolated in a customer's preferred global data center. In other words, EU data stays in the EU. This provides customers with the fastest and safest cloud storage.
No Additional Processing: Keeper will never mine customer vault data for any purpose. First, it is a matter of policy at the highest levels of Keeper that we are committed to customer privacy. Second, because of our zero-knowledge architecture, it is technically impossible for us to do so. This follows the GDPR principle of combining organizational and technical measures to protect personal data.
Data Control: Customers may export their data (in CSV or PDF format), modify or delete their vault records at any time. This supports the GDPR requirements that personal data may be transferred or deleted as soon as the intended use is completed, consent is withdrawn or the legitimate business purpose changes. Because the data subjects are able to self-serve their Keeper vaults, the data controller is relieved of a significant burden in GDPR compliance. The data is encrypted such that only the data subject can access it, so no employees can even see it, let alone have the need to access it.
Role-based Access Control: The security concept of least privilege means that employees should only have access to the minimum amount of data that they need to do their jobs. This is most often accomplished with role-based access control (RBAC).
Keeper integrates with Microsoft Active Directory (AD) to synchronize with nodes (organizational units), teams and users. Once connected, Keeper enables role-based access control at any node. Those controls can be cascaded to all lower nodes if desired. These controls on the Keeper vaults include master password strength, rotation time, 2FA requirements, Allow IP Listing and more. Keeper locks accounts that are terminated in AD and those accounts may be transferred to trusted admins. This gives IT admins control over data accounts and assets throughout the organization.