Security

Keva's security architecture, compliance, and data protection measures

Security is foundational to Keva. We implement enterprise-grade security controls to protect your data and meet SOC 2 Type II compliance requirements.

Overview

Keva's security program covers:

  • Data Protection - Encryption at rest and in transit
  • Access Control - RBAC with 40+ granular permissions
  • Audit Logging - Complete activity trail
  • Compliance - SOC 2 Type II readiness

Security Architecture

Infrastructure

  • Hosting: Google Cloud Platform (GCP)
  • Database: Cloud SQL with encryption
  • Application: Vercel Edge Network
  • Authentication: Clerk with MFA support

Data Protection

All sensitive data is protected:

  • At Rest: AES-256-GCM encryption
  • In Transit: TLS 1.3
  • Credentials: Encrypted with key rotation

Access Control

  • Role-based permissions
  • Principle of least privilege
  • Session management
  • IP allowlisting (Enterprise)

Security Features

Authentication

Clerk Integration

Keva uses Clerk for authentication:

  • Email/password with secure hashing
  • Social login (Google, GitHub)
  • Multi-factor authentication (MFA)
  • Session management

MFA Support

Enable MFA for additional security:

  1. Go to your profile settings
  2. Enable Two-Factor Authentication
  3. Scan QR code with authenticator app
  4. Enter verification code

Session Security

  • Sessions expire after 24 hours of inactivity
  • Concurrent session limits
  • Session revocation on password change
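The three session rules above (idle expiry after 24 hours, a cap on concurrent sessions, revocation when the password changes) can all be enforced on a single validation path. The Go program below is an added illustration, not Keva's or Clerk's code: it assumes an in-memory store with an injectable clock, a limit of three concurrent sessions (the page says only that a limit exists), and a per-user "password generation" counter as the revocation mechanism.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

const (
	IdleTimeout   = 24 * time.Hour // the page's stated inactivity limit
	MaxConcurrent = 3              // assumed value; the page only says a limit exists
)

// Session is one issued login. PasswordGen records the user's password
// generation at issue time; a later mismatch means the password was changed.
type Session struct {
	ID          string
	UserID      string
	LastSeen    time.Time
	PasswordGen int
}

// Store is an in-memory stand-in for a session backend. now is injectable so
// expiry can be exercised without waiting a day.
type Store struct {
	sessions map[string]*Session
	pwGen    map[string]int
	now      func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{sessions: map[string]*Session{}, pwGen: map[string]int{}, now: now}
}

var ErrNoSession = errors.New("session invalid or expired")

// Create issues a session and enforces the per-user concurrency limit by
// evicting the least recently used sessions.
func (s *Store) Create(id, userID string) {
	s.sessions[id] = &Session{ID: id, UserID: userID, LastSeen: s.now(), PasswordGen: s.pwGen[userID]}
	mine := s.userSessions(userID)
	sort.Slice(mine, func(i, j int) bool { return mine[i].LastSeen.Before(mine[j].LastSeen) })
	for len(mine) > MaxConcurrent {
		delete(s.sessions, mine[0].ID)
		mine = mine[1:]
	}
}

// Touch runs on every authenticated request: it rejects idle-expired sessions
// and sessions issued before the last password change, and otherwise
// refreshes the inactivity timer.
func (s *Store) Touch(id string) error {
	sess, ok := s.sessions[id]
	if !ok {
		return ErrNoSession
	}
	now := s.now()
	if now.Sub(sess.LastSeen) > IdleTimeout || sess.PasswordGen != s.pwGen[sess.UserID] {
		delete(s.sessions, id)
		return ErrNoSession
	}
	sess.LastSeen = now
	return nil
}

// ChangePassword bumps the user's password generation, so every existing
// session fails its next Touch: the "revocation on password change" rule.
func (s *Store) ChangePassword(userID string) {
	s.pwGen[userID]++
}

// ActiveCount reports sessions still held for a user (not yet evicted or expired).
func (s *Store) ActiveCount(userID string) int {
	return len(s.userSessions(userID))
}

func (s *Store) userSessions(userID string) []*Session {
	var out []*Session
	for _, x := range s.sessions {
		if x.UserID == userID {
			out = append(out, x)
		}
	}
	return out
}

func main() {
	clock := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	st := NewStore(func() time.Time { return clock })
	st.Create("s1", "u1")
	clock = clock.Add(IdleTimeout + time.Second)
	fmt.Println("after 24h idle:", st.Touch("s1")) // session invalid or expired
	st.Create("s2", "u1")
	st.ChangePassword("u1")
	fmt.Println("after password change:", st.Touch("s2")) // session invalid or expired
}
```

Checking expiry lazily inside `Touch` (rather than with a background sweeper) means a stale or revoked session is rejected on its very next use, which is the property that matters for the password-change rule.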

Data Handling

Customer Data

  • Stored in tenant-isolated database tables
  • Encrypted at rest
  • Regular backups with encryption
  • Configurable data retention policies

Credential Storage

Platform connector credentials are:

  • Encrypted with AES-256-GCM
  • Never logged or exposed in errors
  • Access logged in audit trail
  • Rotatable without downtime
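The Data Protection list above states that credentials are encrypted with key rotation, and this list adds that they are AES-256-GCM encrypted, never exposed in errors, audited on access and rotatable without downtime. The Go program below is an added example of how those four properties fit together; it is not Keva's code. It assumes a key ring addressed by key id (the id travels with each ciphertext), the tenant id bound as GCM additional authenticated data, a deliberately opaque decrypt error, an audit line format of my own, constructed 32-byte demo keys and a placeholder connector name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyRing maps a key id to a 32-byte AES-256 key. Assumed design: the id of
// the key used is stored with each ciphertext, so old records stay readable
// while new writes use the current key.
type KeyRing struct {
	Current string
	Keys    map[string][]byte
}

// Sealed is what the database row holds for a connector credential: key id,
// nonce and GCM ciphertext (which carries the 16-byte authentication tag).
type Sealed struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// ErrDecrypt is deliberately opaque so neither the secret, the key nor the
// underlying crypto error reaches logs or API error responses.
var ErrDecrypt = errors.New("credential unavailable")

func (r *KeyRing) aead(id string) (cipher.AEAD, error) {
	k, ok := r.Keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(k) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a credential under the current key. The tenant id is bound as
// additional authenticated data, so a ciphertext copied into another tenant's
// row fails authentication instead of decrypting.
func (r *KeyRing) Seal(tenantID string, secret []byte) (Sealed, error) {
	g, err := r.aead(r.Current)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, g.NonceSize()) // 12 bytes, fresh for every encryption
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := g.Seal(nil, nonce, secret, []byte(tenantID))
	return Sealed{KeyID: r.Current, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with whichever key the record names.
func (r *KeyRing) Open(tenantID string, s Sealed) ([]byte, error) {
	g, err := r.aead(s.KeyID)
	if err != nil {
		return nil, ErrDecrypt
	}
	pt, err := g.Open(nil, s.Nonce, s.Ciphertext, []byte(tenantID))
	if err != nil {
		return nil, ErrDecrypt // not wrapped: a wrapped error could carry context
	}
	return pt, nil
}

// Rotate re-encrypts one record under the current key. Because Open still
// accepts older key ids, rows can be migrated in the background with no downtime.
func (r *KeyRing) Rotate(tenantID string, s Sealed) (Sealed, error) {
	if s.KeyID == r.Current {
		return s, nil
	}
	pt, err := r.Open(tenantID, s)
	if err != nil {
		return Sealed{}, err
	}
	return r.Seal(tenantID, pt)
}

// AuditLine is the audit-trail record for a credential access: actor, tenant,
// connector, key id and a ciphertext fingerprint, never the secret itself.
func AuditLine(actor, tenantID, connector string, s Sealed) string {
	sum := sha256.Sum256(s.Ciphertext)
	return fmt.Sprintf("credential_access actor=%s tenant=%s connector=%s key_id=%s ct_fp=%s",
		actor, tenantID, connector, s.KeyID, hex.EncodeToString(sum[:4]))
}

func main() {
	// Constructed demo keys; real keys belong in a KMS or secret manager.
	ring := &KeyRing{Current: "v1", Keys: map[string][]byte{"v1": []byte(strings.Repeat("a", 32))}}
	s, _ := ring.Seal("tenant-1", []byte("constructed-api-token"))
	fmt.Println(AuditLine("alice", "tenant-1", "connector-a", s))
	ring.Keys["v2"] = []byte(strings.Repeat("b", 32)) // rotation: add v2, make it current
	ring.Current = "v2"
	r, _ := ring.Rotate("tenant-1", s)
	pt, _ := ring.Open("tenant-1", r)
	fmt.Println("rotated to", r.KeyID, "plaintext intact:", string(pt) == "constructed-api-token")
}
```

The point of keeping the old key in the ring during rotation is that reads never fail while rows are being re-encrypted; the old key is removed only once no record still names it. The opaque `ErrDecrypt` is what makes "never exposed in errors" a property of the code rather than a logging convention.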

Data Deletion

On account deletion:

  • All tenant data removed
  • Audit logs retained as required by compliance obligations
  • Backups rotated within 30 days

Incident Response

Detection

  • Real-time security monitoring
  • High-risk event alerting
  • System health checks every 5 minutes
  • Anomaly detection

Response

  • Automated Slack alerts for high-risk events
  • Incident classification and triage
  • Root cause analysis
  • Customer notification procedures

Reporting

Security incidents are:

  • Logged with full context
  • Reviewed within 24 hours
  • Reported to affected customers
  • Documented for compliance

Vulnerability Management

Security Updates

  • Dependencies updated weekly
  • Security patches applied within 24 hours
  • Automated vulnerability scanning

Responsible Disclosure

Report security issues to: security@keva.support

We respond within 48 hours and provide:

  • Issue acknowledgment
  • Investigation timeline
  • Fix deployment notification
  • Credit in security advisories (optional)

Compliance

Keva maintains SOC 2 Type II compliance. See Compliance for details.

Best Practices

For Administrators

  • Enable MFA for all team members
  • Review access quarterly
  • Monitor audit logs regularly
  • Rotate API keys every 90 days

For Developers

  • Use environment variables for API keys
  • Implement least privilege in integrations
  • Monitor API rate limits
  • Handle errors without exposing secrets