Security & Compliance Statement
Last Updated: 8/19/2025
At Keyvo, security and compliance are at the core of our underwriting and risk-decisioning platform. We recognize that our clients — dealers, lenders, and capital market partners — depend on us to handle sensitive financial, personal, and vehicle data with the highest level of care.
Data Security
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access Controls: Role-based permissions ensure only authorized users can access sensitive information. Multi-factor authentication (MFA) is required for administrative access.
Monitoring: Systems are continuously monitored for suspicious activity and unauthorized access attempts.
Compliance & Standards
SOC 2 / ISO Alignment: Our controls and processes are designed to align with industry best practices including SOC 2 and ISO 27001.
Data Protection Laws: Keyvo complies with applicable privacy and data protection regulations, including GDPR, CCPA, and U.S. state privacy laws.
Financial Services Regulations: The platform is structured to support compliance with relevant consumer finance and lending regulations.
Incident Response
Proactive Detection: Intrusion detection systems monitor for threats in real time.
Breach Notification: In the event of a data incident, clients will be notified within 72 hours in accordance with applicable laws and contractual obligations.
Response Plan: We maintain a documented incident response and disaster recovery plan to restore services quickly and securely.
Service Availability
Uptime Commitment: Keyvo targets 99.9% availability for core underwriting and API services.
Business Continuity: Redundant infrastructure and automated backups ensure continuity even in the event of hardware or network failure.
Disaster Recovery: Recovery Time Objective (RTO) of 24 hours and Recovery Point Objective (RPO) of 12 hours guide our restoration procedures.
Data Handling
Data Retention: Client and underwriting data is retained only as long as necessary to deliver services or meet regulatory obligations.
Third-Party Processors: Any third-party vendors we engage (e.g., payment processors, ID verification providers) are required to meet strict data protection and security standards.
Client Control: Clients retain ownership of their data and may request deletion, export, or anonymization at any time, subject to legal requirements.
Contact
For questions about security or to request compliance documentation, please contact:
[Company Legal Name]
[Company Address]
[Email Address]