Security

Compliance

Keva's SOC 2 Type II compliance program and security certifications

Keva maintains SOC 2 Type II compliance to ensure enterprise-grade security for your support operations. Our compliance program covers security, availability, and confidentiality.

SOC 2 Type II Overview

What is SOC 2?

SOC 2 (Service Organization Control 2) is a security framework developed by the AICPA. It evaluates:

  • Security - Protection against unauthorized access
  • Availability - System operational availability
  • Confidentiality - Protection of confidential information
  • Processing Integrity - System processing is complete and accurate
  • Privacy - Personal information handling

Type I vs Type II

Type      Coverage                         Duration
Type I    Controls designed                Point in time
Type II   Controls operating effectively   6+ months

Keva pursues Type II certification because it provides ongoing evidence that controls operate effectively over a period, not just at a single point in time.

Current Compliance Status

Readiness: ~85%

Keva has implemented comprehensive security controls and is collecting evidence for formal SOC 2 Type II certification.

Completed Phases

Phase                          Status        Description
Phase 1: Documentation         Complete      Security policies and procedures
Phase 2: Technical Controls    Complete      Infrastructure implementation
Phase 3: Evidence Collection   In Progress   Automated evidence gathering
Phase 4: Formal Audit          Planned       Third-party certification

Trust Services Criteria

CC1: Control Environment

Control                    Implementation
Organizational structure   Defined roles and responsibilities
Security policies          7 documented security policies
Risk assessment            Annual security reviews

CC2: Communication & Information

Control                  Implementation
Security awareness       Onboarding and training
Incident communication   Slack alerts, email notifications
Change communication     Release notes, status page

CC3: Risk Assessment

Control                    Implementation
Risk identification        Quarterly risk assessments
Vulnerability management   Weekly dependency updates
Penetration testing        Annual third-party tests

CC5: Control Activities

Control               Implementation
Access provisioning   RBAC with 40+ permissions
Change management     Git-based with code review
Logical access        Clerk authentication with MFA

CC6: Logical and Physical Access

Control                 Implementation
Authentication          MFA-enabled, session management
Authorization           Role-based access control
Encryption              AES-256-GCM for data at rest
Key management          Rotation support, secure storage
Credential management   Encrypted, access-logged

CC7: System Operations

Control               Implementation
Monitoring            5-minute health checks
Incident detection    Real-time alerting
Audit logging         Comprehensive event tracking
Backup and recovery   Automated daily backups

CC8: Change Management

Control           Implementation
Change approval   PR review requirements
Testing           Automated CI/CD pipeline
Deployment        Zero-downtime deployments

CC9: Risk Mitigation

Control               Implementation
Business continuity   Multi-region infrastructure
Vendor management     Third-party security reviews
Insurance             Cyber liability coverage

Evidence Collection

Automated Evidence

Keva automatically collects:

  • Audit log archives (daily)
  • System health metrics (5-minute intervals)
  • Access review reports (quarterly)
  • Security alert logs (continuous)

Evidence Types

Evidence           Frequency         Retention
Audit logs         Daily archive     7 years
Health checks      Every 5 minutes   90 days
Access reviews     Quarterly         7 years
Incident reports   As needed         7 years

Evidence Dashboard

Access compliance evidence at Settings > Security > Compliance:

  • Compliance readiness score
  • Control status breakdown
  • Evidence generation
  • Audit report downloads

Security Policies

Documented Policies

Keva maintains these security policies:

  1. Information Security Policy - Overall security framework
  2. Access Control Policy - User provisioning and access
  3. Data Classification Policy - Data handling procedures
  4. Incident Response Policy - Security incident procedures
  5. Business Continuity Policy - Disaster recovery plans
  6. Vendor Management Policy - Third-party security
  7. Acceptable Use Policy - System usage guidelines

Policy Access

Request policy documents from your account manager or contact compliance@keva.support.

Quarterly Access Reviews

Review Process

Every quarter (January, April, July, October):

  1. The system generates an access report
  2. The report lists all users and their permissions
  3. Dormant accounts are flagged
  4. A manager reviews the report
  5. The outcome is documented for compliance

Review Actions

During access review:

  • Remove inactive users
  • Verify role assignments
  • Update permissions as needed
  • Document justifications
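The review process and review actions above describe what a quarterly access review produces but not how the report is built. The following is an added example, not Keva's code: it generates an access report from a constructed directory export, flags dormant accounts and permissions that exceed the user's role, and refuses to close the review until every flagged account has a documented, justified decision. The data shape, the ROLE_PERMISSIONS map and the 90-day dormancy threshold are all assumptions; the page does not state any of them.

```python
"""Quarterly access-review helper (added example, not Keva's code).

Assumed, since the page gives no data model: the directory export shape,
the ROLE_PERMISSIONS map, and a 90-day dormancy threshold.
"""
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; the page does not state one

# Assumed role model: the permissions each role is entitled to hold.
ROLE_PERMISSIONS = {
    "agent": {"tickets:read", "tickets:write"},
    "manager": {"tickets:read", "tickets:write", "reports:read"},
    "admin": {"tickets:read", "tickets:write", "reports:read",
              "users:manage", "settings:write"},
}

# Constructed sample directory export (not real accounts).
SAMPLE_USERS = [
    {"email": "ana@example.com", "role": "admin", "last_login": "2024-03-28",
     "permissions": ["tickets:read", "tickets:write", "reports:read",
                     "users:manage", "settings:write"]},
    {"email": "ben@example.com", "role": "agent", "last_login": "2024-03-30",
     "permissions": ["tickets:read", "tickets:write", "users:manage"]},  # beyond role
    {"email": "cara@example.com", "role": "manager", "last_login": "2023-11-02",
     "permissions": ["tickets:read", "reports:read"]},  # idle for months
    {"email": "svc-export@example.com", "role": "agent", "last_login": None,
     "permissions": ["tickets:read"]},  # never logged in
]


def days_since(last_login, as_of):
    """Days since the ISO-date string last_login, or None if never logged in."""
    if last_login is None:
        return None
    return (as_of - date.fromisoformat(last_login)).days


def generate_access_report(users, as_of, dormant_days=DORMANT_DAYS,
                           role_permissions=ROLE_PERMISSIONS):
    """List every user with their permissions and collect the flags a
    reviewer must act on: dormant accounts and permissions beyond the role."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    entries, dormant, mismatches = [], [], []
    for user in users:
        idle = days_since(user["last_login"], as_of)
        is_dormant = idle is None or idle >= dormant_days
        allowed = role_permissions.get(user["role"], set())
        excess = sorted(set(user["permissions"]) - allowed)
        entries.append({
            "email": user["email"],
            "role": user["role"],
            "permissions": sorted(user["permissions"]),
            "days_idle": idle,
            "dormant": is_dormant,
            "excess_permissions": excess,
        })
        if is_dormant:
            dormant.append(user["email"])
        if excess:
            mismatches.append(user["email"])
    return {
        "as_of": as_of.isoformat(),
        "entries": entries,
        "dormant": sorted(dormant),
        "role_mismatches": sorted(mismatches),
        "decisions": [],
    }


def record_decision(report, email, action, justification, reviewer):
    """Document the reviewer's decision for one account. The justification
    is mandatory so the record can serve as compliance evidence."""
    if action not in {"keep", "remove", "adjust"}:
        raise ValueError(f"unknown action: {action}")
    if not justification.strip():
        raise ValueError("a justification is required for every decision")
    report["decisions"].append({
        "email": email, "action": action,
        "justification": justification, "reviewer": reviewer,
    })
    return report


def open_items(report):
    """Flagged accounts that still lack a documented decision; the review
    is not complete until this list is empty."""
    decided = {d["email"] for d in report["decisions"]}
    flagged = set(report["dormant"]) | set(report["role_mismatches"])
    return sorted(flagged - decided)


if __name__ == "__main__":
    report = generate_access_report(SAMPLE_USERS, "2024-04-01")
    for entry in report["entries"]:
        print(f"{entry['email']:<24} {entry['role']:<8} idle={entry['days_idle']} "
              f"dormant={entry['dormant']} excess={entry['excess_permissions']}")
    record_decision(report, "cara@example.com", "remove",
                    "No login in 151 days; access no longer needed",
                    "manager@example.com")
    print("still to review:", open_items(report))
```

A service account that has never logged in is treated as dormant on purpose: such accounts are exactly what a reviewer should be asked to justify or remove, and treating "never" as "recent" would hide them from the report.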

Security Questionnaires

Standard Responses

Keva provides pre-completed questionnaires:

  • CAIQ (Consensus Assessment Initiative)
  • SIG (Standardized Information Gathering)
  • VSA (Vendor Security Alliance)

Custom Questionnaires

For custom security questionnaires:

  1. Contact your account manager
  2. Submit questionnaire
  3. Response within 5 business days

Certifications and Reports

Available Documents

Document                   Availability
SOC 2 Type II Report       Upon request (under NDA)
Penetration Test Summary   Upon request
Security Whitepaper        Public
Insurance Certificate      Upon request

Requesting Documents

Contact compliance@keva.support with:

  • Company name
  • Document requested
  • NDA status (if applicable)

Infrastructure Security

Cloud Security

  • Provider: Google Cloud Platform
  • Certifications: SOC 2, ISO 27001, FedRAMP
  • Data residency: US regions
  • Encryption: At rest and in transit

Network Security

  • DDoS protection
  • WAF (Web Application Firewall)
  • Rate limiting
  • SSRF protection

Application Security

  • Regular security updates
  • Dependency vulnerability scanning
  • Secure coding practices
  • Code review requirements

Contact

For compliance inquiries, contact compliance@keva.support.