Secure by Design

Security matters, not least of all in data backup. Keepit is not a legacy backup system retrofitted to the cloud - Keepit was built from scratch to do precisely this: cloud to cloud backup.

What this means is that multitenancy was not an afterthought, it was a core design principle before we wrote the first line of code.

We are not trying to protect an aging platform from the Internet. Instead, we built our platform for the Internet.

This history does matter: Security cannot be bolted on as an afterthought.

Data Secrecy and Security

Security is many things – keeping your data from prying eyes is naturally a fundamental necessity. A significant variety of security measures are used to protect and safeguard your data.

Keepit employs encryption in transit using HTTPS secured with modern TLS when accessing your data through primary workload vendor APIs such as Microsoft Office 365, Salesforce, G Suite, and others. This security is at least as good as what is being used by your users - but as an additional physical layer of security, Keepit will typically exchange traffic directly with the workload providers over major internet exchanges, far from the prying eyes of the average Wi-Fi hotspot eavesdropper.

Once data reaches Keepit, it is encrypted before being stored on our storage systems. For this purpose, we employ AES encryption directly on our storage systems - this is the same encryption algorithm that is used throughout industry and governments to keep secret practically anything that needs to be kept secret. But as an additional physical layer, the storage media upon which your data resides is kept in a physically secure datacenter. Faulty media is destroyed, not sent back for repairs.

Data Availability

The Keepit architecture is centered around a multiple datacenter strategy for redundancy. Each one of our regions employs two regional datacenters, each data center being a complete mirror of the other.

The two datacenters operate in active-active mode, continually keeping data replicated between the centers. For this reason, any single system can fail without affecting the operation of the platform, and even a full site can fail without affecting the platform, as it has a separate, mirrored data center operating alongside it. This keeps your data reachable and available for restore even in the unlikely event of the loss of a full datacenter.

On top of this, all individual systems of course employ their own component level redundancy. Adding it all up, we keep an equivalent of two copies (or more) of your data in each of the two datacenters giving you the peace of mind that we have a total of four (or more) copies of all of your data, throughout your backup history.

Each software component of Keepit has been developed with scale and speed in mind. Below are some important points on the software stack:

  • No single point of failure in the platform - any single system can be lost without affecting the operation
  • Front-end nodes are the load-balancers; front-end nodes can be added as needed to scale
  • All internal components are simple single-purpose components
  • All internal components can be scaled vertically and horizontally
  • Any number of full platforms can be deployed for perfect isolation and scalability
  • Each geographic location has two mirrored data centers


  • Seamless scalability to millions of users
  • Storage Islands support to facilitate complete knowledge of customer data location
  • Multi-threaded processes to leverage easy scaling of each important workload. Adjustable down to tenant level
  • Intelligent backup algorithm ensures maximum throughput
  • Ability to deploy multiple independent instances of Keepit for increased scalability
  • Fully automated deployments Encryption

Ready for tomorrow

  • Not API first – API only!
  • One API – integrate once
  • All features available as API endpoints
  • Cloud Backup SDK
  • Licensing: license configuration, provisioning, and deactivation through API or Web UI

Data integrity

Keepit has been built to be tamper-proof by being an inherently immutable data store; once data is in, it cannot change. The application does not expose any APIs or other means that would allow data overwrites.

Furthermore, the blockchain-like structure allows all layers in the platform to verify that a given requested data object is unaltered from its original form. This simply adds another layer of confidence.

Data persistence

Data only leaves the platform when it falls out of the customer configured retention period.

In the event that the customer (or an attacker who successfully assumed the identity of the customer) deletes a workload from Keepit - or the entire account - data will remain untouched for a fixed retention period of your choice, but a default of at least one month.

This additional precaution protects the customer from a ransomware attack (or worse) where the attacker would first seek to destroy backups before proceeding to encrypt or destroy the primary data.

Data Center Security

Security is essential when delivering a data protection service. At Keepit, we take this seriously.

The Keepit Cloud

The Keepit cloud is owned and run by Keepit. Our systems, our people, our standards. We can therefore guarantee that the backup data we store is fully isolated from your SaaS vendors cloud, no matter if that may be Azure, AWS, G Cloud or something else. Keepit does not share infrastructure with any public cloud, period.

At Keepit, we believe this to be a fundamental requirement for any backup solution. You would not store your backups on the server you are backing up - so how could your cloud backup data reside in the same cloud you are backing up? That would not make sense, of course. Why not? In the event that your SaaS provider’s cloud is down, your data would be inaccessible. But, with Keepit, your data will still be accessible since it’s backed-up on Keepit’s private cloud. An independent, third-party: this is data protection best practice.

Data Sovereignty

To meet customer data sovereignty requirements, Keepit operates a cloud in multiple regions - currently Americas, Europe and Asia-Pacific.

Each cloud is run from datacenter locations provided by the Keepit datacenter partners Equinix and Global Connect. Each of the data center regions are completely isolated from each other.

Keepit Compliance

If you want to know more about Keepit’s data security, compliance certifications, as well as our data center partners, you can find more information here: 

Get Keepit Security Guide


Keepit meets demanding regulatory requirements. To ensure the highest operational security standards, Keepit holds the following certifications: 

  • ISO/IEC 27001:2013 certification for information security management systems. Read more about it here
  • ISAE 3402-II certification (audited by Deloitte annually)  

Read our Online Terms of Service and our Data Processing Agreement to see exactly how we can help you with your compliance needs. 

Keepit is proud to serve international customers across all industries and sectors including finance, healthcare, and government. They have all scrutinized and ultimately validated and accepted our solution. We are always here to help you meet your compliance requirements. 

Get Keepit Security Guide