Keygen = Security

Our team has built state-of-the-art security into our product suite, so that you can rest easy knowing your data is safe with us.

Security questionnaire

As a software licensing and distribution service, we recognize the importance of excellent security practices for such critical infrastructure. While we are a small team, we take security very seriously.

General Security Practices

  • Access to servers, source code, and third-party tools are secured with non-SMS two-factor authentication.

  • We use strong, randomly-generated passwords that are never re-used.

  • We have strong 2FA policies for all Keygen personel:

    • All Keygen personel are required to use non-SMS 2FA on all first- and third-party services. When non-SMS 2FA is unavailable, we require use of SMS 2FA. We always require strong passwords, regardless of 2FA availablility.

    • We allow you to do the same by supporting TOTP 2FA for all Dashboard admin users, as well as offering 2FA to your product users.

  • We have no employees, and contractors we hire are given the lowest level of access that allows them to get their work done.

  • We provide cryptographic signatures of all API requests, and we provide the ability to sign and encrypt license keys, and support nonces on certain requests, all to help combat common licensing attack vectors such as man-in-the-middle and replay attacks.

  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches, keeping dependencies up-to-date, and deploying quickly.

  • We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.

  • We have near-100% integration test coverage on our API code base. Each time a bug or vulnerability is reported, we write a test (or ten) to ensure it never comes up again.

  • We never copy production data to external devices (like personal devices).

Infrastructure

  • Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and scaleable internal bandwidth capacity.

  • Our servers are hosted by Heroku as well as directly by Amazon Web Services (AWS). Heroku also uses AWS for their infrastructure, so all of our servers are hosted on AWS, some managed by Heroku, some not. AWS is the largest and (in our opinion) most sophisticated hosting company in the world, and they have extensive physical and digital security in place.

  • Our main servers are in Virginia, USA at Amazon's US-East data center. We also keep encrypted backups of data in other locations within the USA in case anything happens to the Virginia data center.

Authentication

  • At sign-up, each admin sets up a new profile with their email and password. Passwords are securely hashed using industry-standard bcrypt, and all secrets are securely encrypted in-transit and at-rest. We never store passwords or secrets as plain text.

  • API access tokens are securely hashed using a SHA-256 HMAC function, using a strong per-account secret key. We never store API access tokens as plain text.

Encryption

  • All communication between the Keygen service, your software products, and our backend service is encrypted with TLS. We use Automated Certificate Management provided by Let’s Encrypt. User data is stored in Heroku PostgreSQL and details of their implementation can be found on the Security page at Heroku.

  • We use 256-bit encryption at all levels of our systems. We enforce TLS (HTTPS) to protect sensitive data transmitted to and from applications i.e. data in-transit.

  • All data is encrypted at-rest with industry-standard AES-256 block-level storage encryption. Keys are securely managed by Amazon EBS.

Payments

  • Credit card and bank information is encrypted, stored, and processed by Stripe with AES-256 encryption. Full details are on the Security page at Stripe. Keygen stores an transient token provided by Stripe to reference a customer's credit card through the Stripe API. Credit cards are not stored on Keygen servers, nor do we have access to the card number or details. This information does not pass through Keygen servers. All communication with Stripe is handled over an encrypted TLS connection.

Crashes and other errors

  • We are agressive about monitoring for application errors and crashes, and resolving them as quickly as possible. We strive to provide 99.99% uptime, and do offer an SLA for enterprise customers.

FAQs

What user data do you collect?

We're not in the business of making money off of data. However, we do collect information about how who is interacting with the system so we can monitor and improve the product, and provide faster, more effective support when issues arise. These events include API requests, sign-ins, sign-outs, etc.

More information on the type of data we collect can be found in our privacy policy.

How long is data retained and can I have it removed?

Server and application logs are retained for a maximum of 30 days, after which they are permanently deleted. Application analytics will be permanently deleted on request.

Do you maintain any security certifications such as SOC2 or ISO27001?

While we'd eventually love to achieve these certifications, we don't hold them at this time.

Will you fill out our security questionnaire?

Due to our small team size, we do not have the bandwidth to fill out security questionnaires for every customer. Please email us at [email protected] if you do not see one of your specific questions answered on this page and we can add it.

For customers on our enterprise tier, we will make exception.

How do I report a potential vulnerability or security concern?

Please email us at [email protected], which will notify us very loudly, and we'll get back to you ASAP. Our PGP key is available here.