Keeyns security principles

At Keeyns we strive to be as secure as possible for each individual customer. No exceptions and no additional premium packages required. Keeping an eye out for latest developments in security
technologies and making sure the software has the latest patches and security updates. Keeyns is completely hosted in Azure. Microsoft’s cloud platform currently consists of more than 200 services,
which integrate secure and easily together.

Each customer of Keeyns gets their own dedicated authentication tokens, credentials, encryption
certificates and Keeyns application instance. Each token expires after some time which increases security. All the services of Keeyns always require authentication tokens, no exceptions. All data is
encrypted in transit using TLS. Your documents that will be uploaded are encrypted using AES with a unique key per file and which is only accessible using an RSA certificate. This certificate is safely stored in the Key Vault of Microsoft Azure and every customer has their own. The vault will prevent anyone to extract the certificate and decrypt the data.

For user authentication, Keeyns is using a third party: Auth0. This party provides features like
OAuth2 authentication and SSO. By using this party, user passwords are not stored in the Keeyns

Services we use from Microsoft Azure

As mentioned, Keeyns is hosted in Azure. Keeyns uses the following services from Azure:

1. Key Vault
Storage and protection of encryption certificates for each client. It is impossible to retrieve the certificate from this Vault.
2. App Service
A service for hosting the web application of Keeyns. This service can be scaled-up, deployed to any country supported by Microsoft Azure. The code that is running on this service is immutable. It provides access to databases and storage locations for documents. Each customer of Keeyns will get their own instance. This will make sure that heavy usage by one customer will not affect other customers and that in-memory data remains for the intended customers.
3. Function App
The Function App is a used for running the Keeyns Tax Engine and for scheduled work. Customers share these instances of services on the platform. The services do not have access to documents or other customer data.
4. Application Insights
Application Insights is a tool that Keeyns uses for logging. Every request is logged to this service with its timings and metadata. App insights provides tools to monitor performance on services and requests and can send notification on any abnormality. Keeyns will not log sensitive data.
5. Storage account V2
Documents that are uploaded in Keeyns are stored in a service called Storage Account. This service supports large documents and encryption at rest by default. As Keeyns encrypts documents before they are sent to this storage account, it is not possible to recover documents without the decryption key and certificate from the Key Vault.No document is publicly available and requires service authentication before a document can be retrieved.
6. SQL server + database
Relational database to store customer data that is configured in Keeyns. The data includes dossiers, workflows, document metadata, discussions, and access rights for every user. Keeyns only has access to the data in this database, but not its structure. It is not possible to mutate the structure of the database. Any modification that is needed on this database structure will be performed during the upgrade of Keeyns to a newer version.
7. Cosmos DB
Non-relational database to store generated tax reports and results by the Tax Engine. It will also any modification that the user has applied. The SLA of each Azure service can be found at: https://azure.microsoft.com/nlnl/support/legal/sla/

Backup and restore

To ensure that no data is lost, Keeyns applies certain backup strategies.

  • A backup is created every day for documents. They are stored in a separate subscription in Azure with its own access policies. The documents are copied as is and are not decrypted.
  • The database will have a Point-in-time recovery enabled for 7 days. In case anything happens, the database can be restored to the second when the event occurred.
  • The data in Cosmos DB gets a backup every 12 hours. However, it is limited to two backups
    as this database can grow exponentially.
  • The source code and binaries of Keeyns is kept indefinitely. This means that any version of
    the software can be installed at any time.

Privacy questions - Keeyns

Keeyns is hosted using Azure. By default we host our services in West Europe which has a data centre in Amsterdam. Therefore we will store it in the Netherlands by default On request we can change this location to a different country.

Because of legal laws (wwft) documents are never deleted you could however remove them to the Trash bin in the portal.

We will delete the encryption keys and the blob storage container in azure to make sure all the customer data is removed.

None, but we use the four-eye principal to make sure everything related to this specific customer is deleted in Azure.


Yes, we have SSO into our own environments. If you got the rights to multiple client portals you can switch between them without logging in again. For our authentication we use Auth0 (https://auth0.com/) which implements Oauth2. 

We obtained the ISO27001 certificate – information security (the certificate is attached).

Attached our privacy statement.

We comply with ISO27001 security standards. Next to that we have a yearly external IT architect audit.

There have not.

Security questions - Keeyns

No, we don’t. In order to login clients need an email address, password and a two
factor authenticator app on their phone that is linked to their Keeyns account. The
authenticator app is required because it reduces the chances of fraud, data loss, or identity
theft. We recently disabled the push-notifications from Keeyns to the authenticator app. We
decided so after some recent news about confirmed risks regarding push notifications. You
now manually need to start your authenticator app and confirm your identity by entering a
six-digit number.

We obtained the ISO27001 certificate – information security.

See the above principals

We run the ZAP vulnerability scanner at least twice a year. Next to that we have a yearly external IT architect audit and our yearly ISO audit.


After the implementation and go-live, portal management will be handed over to the end-users. As part of the implementation process, both user and administrator training will be provided by Keeyns. Typically, only 2 individuals will have administrative rights to avoid confusion in management. Keeyns is designed to be user-friendly, requiring no IT expertise to manage the portal. However, our support team can make changes as needed.

It is worth mentioning that Keeyns will automatically update any changes to the standard processes we offer, such as the VAT return process and its associated deadlines, in the event of a legal amendment.

Every user is granted an individual account on Keeyns for two reasons:

1) We place high significance on maintaining an accurate audit trail, which requires a record
of who performed what action and when. This cannot be achieved with a shared account.

2) Furthermore, from a security standpoint, it is designed to ensure the safety of the platform. Each user has their own account, secured by a unique password and a two-factor authenticator linked to their mobile device to verify the user's identity during login attempts, preventing unauthorized access.

Please note that the number of users does not affect our pricing structure/your quote.

Keeyns is hosted on Microsoft Azure. All data is stored within the EU; the Netherlands and Ireland.

During the implementation of Keeyns we work closely with our customer to get everything set up as desired. Usually, one employee of the customer will be added and promoted to admin by us. This admin then has rights to create other users and promote them to admin if necessary.

This is covered by the general terms and conditions that the customer signs upon purchasing Keeyns

We have system logging which is stored on Azure and can
only be accessed by Keeyns employees with specific rights. This logging does not contain
sensitive information and is only used to analyze the operation of the platform.
We also keep track of our customers' history of changes in Keeyns. This data is stored on
our database on Azure which can only be accessed by Keeyns employees with specific
rights. In the application, this data can be viewed by our customers' users (only those with
sufficient rights) in the audit trail of dossiers. This is a useful feature that allows our
customers to easily look up who performed which actions on a dossier.

Keeyns has several integrations:
1. Auth0: this service will take care of all authentication flows. This integration cannot be
2. Zoho Office: this service allows online editing of documents. There is an option to enable
or disable this integration.
3. SendGrid: this service will send emails on behalf of Keeyns. Emails are composed in our
services and only the email is transferred to this service. This integration cannot be disabled.

Keeyns does not have any privileged utility programs. We run a backup tool to ensure backups of documents but that runs without any user interaction in Azure. It has just enough privileges to perform this task. who performed which actions on a dossier.

No, all source code is safely stored in Microsoft Azure DevOps. Keeyns is not a tool to manage and collaborate on any source code.


Fill in your details or contact our sales team