Security you don't have to think about
Keep-Ready holds the things you can't afford to lose — receipts, manuals, registrations, service history, photos. We treat them that way. Here's exactly how.
Encrypted by default
Every document and OAuth token encrypted at rest with AES-256-GCM, per-file data keys.
Passwordless sign-in
Face ID, Touch ID, or hardware key. Passwords still work — passkeys are stronger.
Daily backups
Backed up every day for 30 days. Test-restored regularly.
You own your data
Export everything as JSON anytime. Delete your account and we wipe it.
How we protect your sign-in
Passkeys (recommended)
Sign in with your face, fingerprint, or hardware key — no password to type, nothing to phish, nothing to leak. Passkeys are bound to your device's secure enclave and the keep-ready.com domain; even a perfect phishing site can't trick them into authenticating.
Strong passwords, by default
Every password is at least 12 characters with mixed case, numbers, and a symbol. We check it against the Have I Been Pwned database — if your password has shown up in any known data breach, we won't let you use it. We re-check periodically; if your current password ever appears in a future breach, we'll prompt you to change it.
Two-factor authentication (TOTP)
Add a 6-digit code from any authenticator app — 1Password, Bitwarden, Authy, Google Authenticator, Apple's built-in tool. Required at every sign-in once enabled.
Account lockout + timing-attack defence
Five failed sign-in attempts locks the account for 15 minutes. Login response times are constant whether the email is registered or not, so attackers can't enumerate accounts by timing.
Sessions that survive "close all apps"
When you save Keep-Ready to your home screen, the session lives in a secure, HTTP-only, encrypted cookie that persists for 90 days and slides forward every time you open the app. You stay signed in as long as you keep using it.
How we protect your data
Encryption at rest
Every document you upload is encrypted with a unique 256-bit data key using AES-256-GCM. That data key is itself encrypted with a master key stored separately from the database. A leaked database alone reveals nothing. A leaked storage bucket alone reveals nothing. Both would have to be breached at the same time, AND the attacker would have to have the master key.
Encryption in transit
Everything travels over HTTPS, with strict transport security and a per-request Content Security Policy. We don't allow inline scripts and we don't allow third-party content to embed our app.
OAuth tokens encrypted
If you sign in with Google, the tokens we store are individually encrypted before they touch the database.
Private storage
Document files are held in a private blob store. Even if someone got the raw URLs, they couldn't read them — every download is verified against your account before being served.
Visibility and control
- See every sign-in. Settings → Security shows the last 10 times your account was signed in, with location, device, and method.
- New-device alerts. Every sign-in from a new location triggers an email with a one-click "This wasn't me" button that signs you out of every active session.
- Sign out everywhere. One button invalidates every active session on every device, including this one.
- Manage your passkeys. Add, rename, or remove passkeys anytime. Each is named so you can tell which device is which.
- Full audit log. Every time someone views or downloads one of your documents — including you — it's logged.
Backups and recovery
- Backed up every night. Production data is dumped daily and stored encrypted for 30 days. We restore-test regularly so we know it actually works.
- Recovery without panic. If something goes wrong on our side, your data is recoverable to within 24 hours of the incident.
- Deletion is real. If you delete your account, we wipe your data — not "marked deleted" while we keep it for analytics. After a 30-day grace period, it's permanently gone.
Your data, your choice
- Export anytime. One click in Settings gives you a JSON dump of every asset, document, reminder, and note. No formats locked to us.
- No advertising. No selling. We don't sell or share your data with anyone. We don't run ads.
- GDPR-ready. We collect explicit consent on signup, log the timestamp, support data export on demand, and have a clear path to permanent deletion.
- Plain-English privacy policy. We tell you what we collect and why. If we change it, we tell you before it takes effect.
What we don't do
We won't pretend to be more than we are. Here's the truth about where we stand today:
- SOC 2: not certified. We follow the practices — separation of dev / staging / prod, access logging, encryption — but haven't been through a Type II audit yet.
- ISO 27001 / 27017 / 27018 / 27701: not certified. Our practices align with the spirit of each — we've documented the internal security policy, the records of processing activities, and the subprocessor list that auditors ask for — but we haven't engaged a certification body.
- Penetration testing: conducted by an independent security researcher in 2026.
- Bug bounty: not yet — if you find something, email security@keep-ready.com and we'll respond within 48 hours.
When we earn a certification, we'll publish it here. Until then, we'd rather under-claim than mislead.
More detail
- Privacy Policy — what we collect and why
- Subprocessors — every third party that processes your data
- Data Processing Addendum — for enterprise customers
- Security questions: security@keep-ready.com
