Description of the security of the services
- This Security Overview is incorporated into, and forms part of, the Keybe Terms of Service, as set out in the terms and conditions which the Client has accepted, or a signed master sales Agreement, or other similar written agreement between Keybe and the Client, which we call the “Contract.” In this Security Description of Keybe Services (“Security Description”), references to “Keybe” collectively refer to KEYBE INC., 2915 Biscayne Blvd. Suite 300 Miami, FL 33137, and its Affiliates. The term “Customer” refers to you, the Customer, and your Affiliates.
- Objective. Keybe is committed to maintaining the Customer’s trust. The purpose of this Security Description is to describe the security program for the Keybe Services (“Services”). This Security Description describes the minimum security standards that Keybe maintains to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft or manipulation. In addition to this Security Description, the security documentation for the Keybe API. As security threats change and evolve, Keybe continues to update its security program and strategy to help protect Customer Data. Keybe reserves the right to update this Security Description from time to time, provided, however, that no update will materially reduce the general protections set forth in this Security Description. Any capitalized term not defined in this Security Description has the meaning given in the Privacy Agreement.
- Covered Services. This Security Description describes the architecture, administrative, technical, and physical controls, and third-party security audit certifications that are applicable to the Services. The Beta Offerings and any services provided by telecommunications providers involved in routing, providers of various services and the connection of Customer communications are not covered by this Security Description.
- Organization and security program. Keybe maintains a risk-based security assessment program. The framework for Keybe’s security program includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of customer data. Keybe’s security program is intended to be appropriate to the nature of the Services provided and to the size and complexity of Keybe’s business operations. Keybe has a team dedicated to managing the security program. This team facilitates and supports independent third-party audits and evaluations. Keybe’s security framework is based on the ISO 27001 Information Security Management System, for which certification is currently in progress, and includes programs that cover: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Security of Third Parties, Vulnerability Management, as well as Security Supervision and Incident Response. Security is represented at the highest levels of the company, with Keybe’s Head of Trust and Safety meeting with the Board of Directors on an ongoing basis to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least once a year and are made available to all Keybe employees for consultation.
- Confidentiality. Keybe has controls to maintain the confidentiality of the Client Data that the Client makes available to the Services, in accordance with the Agreement. All Keybe employees and contracted personnel are bound by internal policies and by a signed contract to maintain the confidentiality of customer data and are contractually bound to these obligations. In addition, Keybe conducts independent reviews of the conduct and procedures of Keybe’s employees and suppliers.
- Security of people.
- Background verification of employees. Keybe conducts background checks on individuals who join Keybe in accordance with applicable local laws. Keybe currently verifies the individual’s education and previous employment, and also conducts referral checks. When permitted by local labor law or statutory regulations, and depending on the role or position of the prospective employee, Keybe may also carry out criminal, credit, immigration and security checks.
- Training of employees. At least once a year, all Keybe employees must complete the security and privacy training that covers security policies, best security practices, and privacy principles. Licensed employees may have additional time to complete this annual training. Keybe’s dedicated security team also conducts phishing awareness campaigns and communicates emerging threats to employees. Keybe has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
- Management of third-party providers
- Evaluation of suppliers. Keybe may use third-party providers to provide the Services. Keybe conducts a risk-based security assessment of prospective vendors before working with them to validate that they meet Keybe’s security requirements. Keybe periodically reviews each provider in light of Keybe’s business continuity and security standards, including the type of access and classification of the data accessed, the controls necessary to protect the data, and legal/regulatory requirements. Keybe ensures that customer data is returned and/or deleted at the end of the relationship with the provider. For the avoidance of doubt, telecommunications providers are not considered subcontractors of Keybe.
- Agreements with suppliers. Keybe enters into written agreements with all its suppliers that include confidentiality, privacy and security obligations providing an adequate level of protection for the personal data contained in customer data that these suppliers may process. Keybe conducts ongoing reviews and evaluations of its providers’ practices at least once a year.
- Architecture and data segregation. The cloud communication platform for Keybe Services is hosted on Google Cloud Platform (“GCP”). The current location of the GCP data center infrastructure used to provide the Keybe Services is in the United States. More information about the security provided by GCP can be obtained on the security web page available at https://cloud.google.com/security. Keybe’s production environment within GCP, where customer data and customer-facing applications are located, is a logically isolated virtual private cloud (VPC).
- Infrastructure security design. Keybe is based on and uses the GCP security design. You can view the information at https://cloud.google.com/security/infrastructure/design
- Access controls.
- Access Provisioning. To minimize the risk of data exposure, Keybe follows the principles of least privilege through a team-based access control model when provisioning access to the system. Keybe personnel is authorized to access customer data based on their job function, role and responsibilities, and such access requires the approval of the director of the area to which the employee belongs. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is quickly removed upon termination of employment. In order to access the production environment, an authorized user must have a unique username and password, multi-factor authentication, and be connected to the Keybe virtual private network (VPN). Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access, including training on the corresponding equipment systems. Keybe records high-risk actions and changes in the production environment. Keybe leverages automation to identify any deviations from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
- Password Controls. Keybe’s current policy for managing employee passwords follows the NIST SP 800-63B guidelines; as such, our policy is to use longer passwords together with multi-factor authentication, without requiring special characters or frequent changes. When a customer logs into their Keybe account, Keybe hashes the user’s credentials before storing them. A customer can also require their users to add another layer of security to their account by using two-factor authentication (2FA).
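The password policy above, illustrated with an added example that is not Keybe’s code: it applies NIST SP 800-63B-style checks (a minimum length, a blocklist of common or breached passwords, no composition rules and no forced rotation) and stores credentials only as a salted scrypt hash. The minimum length, the blocklist entries and the scrypt parameters are assumptions; the page states none of them.

```python
"""NIST SP 800-63B-style password checks plus salted hashing (added example)."""
from __future__ import annotations
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12    # assumption: the page says "longer passwords" without a number
MAX_LENGTH = 128   # 800-63B says to accept at least 64 chars; cap only bounds hashing cost

# Constructed sample blocklist of common/breached passwords (800-63B 5.1.1.2).
BLOCKLIST = {"password", "123456789012", "qwertyuiop12", "letmein12345"}


def normalize(password: str) -> str:
    """NFKC normalization so visually identical Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "") -> list[str]:
    """Return policy violations; an empty list means the password is acceptable.
    Deliberately no special-character/digit rules and no expiry, per 800-63B."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of common/breached passwords")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash for storage; only the (salt, digest) pair is ever stored.
    Work-factor parameters are assumed values, not Keybe's."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)
```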
- Change Management. Keybe has a formal change management process to manage changes to software, applications, and system software that will be deployed to the production environment. Change requests are documented using a formal and auditable system of record. Before a high-risk change is made, an assessment is performed to consider the impact and risk of a requested change, change recognition testing, approval of the deployment to production by the appropriate approvers, and procedures for reversion. Changes are reviewed and tested before going into production.
- Secure Sockets Layer. Keybe uses SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between Keybe’s web servers and a browser, now more commonly referred to as TLS (Transport Layer Security). This secure link ensures that all transferred data remains private in transit. You can find the complete information at: https://www.cloudflare.com/ssl/
- Web Application Firewall (WAF). Every request to the WAF is inspected with a rules engine and threat intelligence curated from the protection of approximately 25 million websites. Suspicious requests can be blocked, challenged or logged based on Keybe’s needs, while legitimate requests are directed to the destination regardless of whether it is on premises or in the cloud. Complete information on the service can be found at: https://www.cloudflare.com/waf/
- Vulnerability management. Keybe maintains controls and policies to mitigate the risk of security vulnerabilities within a measurable time frame that balances risk and business/operational requirements. Keybe uses a third-party tool to conduct regular vulnerability scans of Keybe’s cloud infrastructure and corporate systems. Critical software patches are proactively evaluated, tested, and applied. For Keybe services, operating system patches are applied by rebuilding a base virtual machine image that is then deployed to all nodes in the cluster according to a predefined schedule. For high-risk patches, Keybe deploys directly to existing nodes through internally developed orchestration tools.
- Penetration testing. Keybe performs penetration testing and contracts independent third-party entities to carry out penetration testing at the application level. Penetration test results are promptly prioritized, triaged, and remediated by Keybe’s security team.
- Security incident management. Keybe maintains security incident management policies and procedures in accordance with NIST SP 800-61. Keybe’s Security Incident Response Team assesses the threat posed by all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Keybe keeps security records for 360 days. Access to these security logs is limited to senior management only. Keybe uses third-party tools and services to detect, mitigate, and help prevent distributed denial of service (DDoS) attacks.
- Discovery, investigation and notification of a security incident. Upon discovery or notification of any security incident, Keybe:
- Will promptly investigate said Security Incident.
- To the extent permitted by applicable law, will promptly notify the Client. The Client will receive a notification by email associated with the Keybe account.
- Will take the necessary remedial and corrective measures to resolve the incident as soon as possible.
- Resilience and continuity of service. Keybe’s infrastructure uses a variety of tools and mechanisms to achieve high availability and resilience. The infrastructure spans multiple fault-independent GCP Availability Zones in physically separated geographic regions. For Keybe services, there are manual and automatic capabilities to redirect traffic and regenerate hosts within the Keybe infrastructure. The infrastructure is able to detect and route around problems affecting hosts or even entire data centers in real time, and employs orchestration tools that can regenerate hosts by building them from the latest backup. Keybe uses specialized tools that monitor server performance, data, and traffic load capacity within each Availability Zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an Availability Zone or colocation data center, these tools increase capacity or shift traffic to alleviate the condition. Keybe has multi-level notifications that fire immediately and can take immediate action to correct the underlying causes if the specialized tools cannot.
- Backup and recovery. Keybe regularly backs up account information, logs, recordings, chats, documents, and other critical data using GCP’s cloud storage. Backup data is preserved redundantly across Availability Zones and is encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.