1. Introduction
Security is the first consideration in all Keep Aware design, development, and operations. This document outlines our security posture and data-handling practices across five domains—Corporate Governance, Providers, Data Security, Product Security, and Architecture & Data Flow—and concludes with our Data Retention Schedule for logs.
2. Corporate Governance
Keep Aware maintains comprehensive information-security policies aligned with industry best practices:
- Confidentiality Agreements: All employees and contractors sign non-disclosure agreements covering client data and sensitive information.
- Multi-Factor Authentication (MFA): MFA is mandatory for access to any system handling Customer Data.
- Security Awareness: All staff undergo mandatory, recurring security training to ensure ongoing company-wide vigilance.
3. Providers
3.1 Subprocessors
Keep Aware maintains a published list of subprocessors at keepaware.com/compliance/subprocessors. All subprocessors are contractually bound to uphold data-protection standards at least as stringent as Keep Aware’s.
4. Data Security
We employ robust controls to protect Customer Data both in transit and at rest:
- Encryption at Rest: All systems storing Customer Data use AES-256 or stronger.
- Encryption in Transit: TLS 1.2 or higher is enforced for all console, sensor, and API communications.
- Access Controls: Only designated Keep Aware personnel have access to production Customer Data.
5. Cloud Deployment Regions
5.1 Default Regions
By default, Keep Aware hosts Customer Data in the following AWS regions:
- us-west-2 (Oregon) for U.S. tenants
- eu-west-1 (Ireland) for E.U. tenants
5.2 Custom Region Requests
Upon written request, Keep Aware will evaluate and—where technically and contractually feasible—deploy Customer Data to alternative AWS regions (or equivalent cloud zones) to meet specific data residency requirements.
5.3 Region Change Process
Customer-initiated region changes require a documented request specifying:
- The desired region
- The scope of data to be migrated
- Any timing constraints
Keep Aware will confirm feasibility, migration approach, and any associated costs within fifteen (15) business days.
6. Product Security
Keep Aware products are built with secure-development best practices:
- Identity Management: Passwords are never stored outside the selected Identity Provider (e.g., AWS Cognito or a third-party IdP).
- Code Reviews & Testing: All production code undergoes peer review and automated security testing.
- Data Flow Reviews: Quarterly internal audits of architecture and data flows; summaries available upon request.
- Log Sanitization: Sensor and console logs are scrubbed of sensitive inputs and aggregated to preserve privacy.
- Rate Limiting & Alerts: Abuse detection thresholds protect console and sensor endpoints.
7. Architecture & Data Flow
- Tenant Isolation: A hybrid multi-tenant architecture ensures each customer’s data remains logically isolated, even on shared infrastructure.
- Certifications: Keep Aware is SOC 2 Type II certified with annual independent audits.
- Audit Logging: Comprehensive security logs record all console and API interactions for compliance and forensic analysis.
8. Data Retention Schedule
To balance operational needs with privacy obligations, we retain Customer logs as follows:
- Interaction, Events & Audit Logs: Retained for 30 days.
- Application and Extension Catalog, Inventory, and Site Profile Data: Retained for 365 days.
- Aggregated Metrics: Anonymized usage data (e.g., domain popularity) is stored indefinitely, without links to individual Customers.
- Optional Extended Retention: Upon request, logs may be archived beyond 30 days under a written agreement.