What is the purpose of Akeyless's Information Security Policy?

The purpose of Akeyless's Information Security Policy is to ensure that the company's information resources are protected from destruction, alteration, or unauthorized access. The policy is designed to align with business workflow requirements, implement industry best security practices, and provide guidance on expected threats. It also supports compliance with current and future laws and regulations, and defines Akeyless's obligations regarding privacy and protection of private information, especially personally identifiable information (PII). (Source: Original Webpage)

How does Akeyless protect customer data?

Akeyless ensures customer data protection by encrypting all stored data and making it accessible only to customer users. Each customer is provisioned with a unique ID, and all application processes are based on that ID to prevent cross-customer data events. Data is encrypted both in transit and at rest using Akeyless DFC technology and standard encryption methods. (Source: Original Webpage)

What are Akeyless's information security goals?

Akeyless's information security goals include maintaining confidentiality, integrity, and availability of information; protecting company and customer data from unauthorized and malicious activity; enabling business strategy while maintaining proper security and privacy guidance; serving as the basis for security policies and controls; and enhancing security awareness among personnel and suppliers. (Source: Original Webpage)

How does Akeyless classify and handle sensitive information?

Akeyless classifies sensitive information into three levels: Confidential, Internal, and Public. Confidential information includes internal data with limited access, PII, and customer confidential information, and must be kept in restricted access folders or systems. Internal information includes internal communications and finance data, stored in internal systems. Public information is approved for public release and can be stored on any medium. All documents are considered internal confidential unless designated otherwise. (Source: Original Webpage)

What security and compliance certifications does Akeyless hold?

Akeyless holds several industry-recognized certifications, including ISO 27001 (valid through 2025), FIPS 140-2, CSA STAR, PCI DSS, and SOC 2 Type II. These certifications demonstrate Akeyless's commitment to strict IT security standards, cryptographic validation, and regulatory compliance for industries such as finance, healthcare, and critical infrastructure. For more details, visit the Akeyless Trust Center. (Source: Knowledge Base)

How does Akeyless ensure data encryption and protection?

Akeyless uses patented encryption technologies to secure data both in transit and at rest. Data at rest is encrypted using Akeyless DFC technology and standard encryption methods, while data in transit is protected to prevent unauthorized access. These measures ensure that sensitive information remains secure and compliant with international standards. (Source: Knowledge Base, Original Webpage)

What is Akeyless's approach to patch and vulnerability management?

Akeyless remediates identified vulnerabilities according to strict timelines: Critical vulnerabilities are addressed within one week, High within one month, Medium within three months, and Low according to best effort and availability. Vulnerabilities may be identified during penetration tests, bug bounty programs, or by independent researchers. (Source: Original Webpage)

What are the key features and capabilities of Akeyless?

Akeyless offers Universal Identity (solving the Secret Zero Problem), Zero Trust Access (Just-in-Time access and granular permissions), automated credential rotation, vaultless architecture (reducing infrastructure complexity), centralized secrets management, out-of-the-box integrations (AWS IAM, Azure AD, Jenkins, Kubernetes), and a cloud-native SaaS platform with pay-as-you-go pricing. These features enhance security, operational efficiency, and scalability. (Source: Knowledge Base)

Does Akeyless provide an API for integration?

Yes, Akeyless provides an API for its platform, supporting secure interactions for both human and machine identities. API documentation and details on API Keys for authentication are available at Akeyless API Documentation. (Source: Knowledge Base)

What technical documentation is available for Akeyless?

Akeyless offers comprehensive technical documentation, including platform overviews, password management, Kubernetes secrets management, AWS integration, PKI-as-a-Service, and more. These resources provide step-by-step instructions for effective implementation and usage. Access documentation at Akeyless Technical Documentation. (Source: Knowledge Base)

How long does it take to implement Akeyless, and how easy is it to get started?

Akeyless can be deployed in just a few days due to its SaaS-native architecture, requiring no infrastructure management. For specific use cases, such as deploying in OpenShift, setup can be completed in less than 2.5 minutes. Getting started is simple, with self-guided product tours, platform demos, tutorials, and 24/7 support available. (Source: Knowledge Base)

What feedback have customers shared about the ease of use of Akeyless?

Customers have praised Akeyless for its user-friendly design and seamless integration. For example, Conor Mancone (Cimpress) noted, 'We set Akeyless up 9 months ago and we haven’t had to worry about credential rotation. It’s been a really smooth, really easy process.' Shai Ganny (Wix) highlighted the simplicity and operational confidence gained. Adam Hanson (Constant Contact) emphasized the scalability and enterprise-class nature of the platform. (Sources: Cimpress Case Study, Wix Testimonial, Constant Contact Case Study)

What customer service and support options are available after purchasing Akeyless?

Akeyless provides 24/7 customer support via ticket submission (Support Ticket Page) and email (support@akeyless.io). Proactive assistance is offered for upgrades and troubleshooting, and customers can access a Slack support channel for direct guidance. Technical documentation and tutorials are available at Akeyless Resources. For escalation, contact support_escalation@akeyless.io. (Source: Knowledge Base)

What training and technical support resources are available to help customers adopt Akeyless?

Akeyless offers a self-guided product tour, platform demos, step-by-step tutorials, and comprehensive technical documentation. 24/7 support and a Slack channel are available for troubleshooting and guidance. These resources ensure customers can quickly and effectively implement Akeyless solutions. (Source: Knowledge Base)

Who can benefit from using Akeyless?

Akeyless is designed for IT security professionals, DevOps engineers, compliance officers, and platform engineers across industries such as technology, finance, retail, manufacturing, and cloud infrastructure. Notable customers include Wix, Dropbox, Constant Contact, Cimpress, and Progress Chef. (Source: Knowledge Base, About Us)

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security (Zero Trust Access, automated credential rotation), operational efficiency (centralized secrets management, Just-in-Time access), cost savings (up to 70% reduction in maintenance and provisioning time), scalability (multi-cloud and hybrid support), compliance (ISO 27001, SOC, FIPS 140-2), and improved employee productivity. (Source: Knowledge Base)

Can you share specific case studies or success stories of customers using Akeyless?

Yes, Akeyless has several case studies and success stories: Constant Contact scaled in a multi-cloud, multi-team environment (Case Study), Cimpress transitioned from Hashi Vault to Akeyless for enhanced security (Success Story), Progress saved 70% of maintenance and provisioning time (Case Study), and Wix benefited from centralized secrets management and Zero Trust Access (Video). (Source: Knowledge Base)

What core problems does Akeyless solve?

Akeyless addresses the Secret Zero Problem (secure authentication without storing initial access credentials), legacy secrets management challenges (inefficiencies and vulnerabilities), secrets sprawl (scattered secrets across environments), standing privileges and access risks (excessive permissions), cost and maintenance overheads, and integration challenges. (Source: Knowledge Base)

How does Akeyless compare to HashiCorp Vault?

Akeyless offers a vaultless architecture, eliminating the need for heavy infrastructure and reducing costs and complexity. Its SaaS-based deployment provides scalability and flexibility for hybrid and multi-cloud environments, and advanced security features like Universal Identity and Zero Trust Access. HashiCorp Vault is self-hosted and requires more operational overhead. Learn more at Akeyless vs HashiCorp Vault. (Source: Knowledge Base)

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers out-of-the-box integrations with tools like Jenkins and Kubernetes, and provides cost efficiency with pay-as-you-go pricing. AWS Secrets Manager is limited to AWS environments. Akeyless also offers advanced features like Universal Identity and Zero Trust Access. Learn more at Akeyless vs AWS Secrets Manager. (Source: Knowledge Base)

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. It offers Zero Trust Access and vaultless architecture, simplifying infrastructure and reducing costs. CyberArk Conjur focuses on privileged access management and secrets management for enterprise security. Learn more at Akeyless vs CyberArk. (Source: Knowledge Base)

When was this page last updated?

This page wast last updated on 12/12/2025 .

Information Security Policy

Purpose, Overview, and Applicability
1. The purpose of this policy is as follows:
  1. Ensure that the company’s information resources are appropriately protected from destruction, alteration, or unauthorized access.
  2. Ensure that this protection is accomplished in a manner consistent with the business and workflow requirements of the company.
  3. Ensure that the industry’s best security practices are implemented in order to reduce vulnerabilities, increase safety, and provide guidance to the company on the expected threats.
  4. Provide a concise set of standards in order to attain consistency across the entire information infrastructure about securing systems and networks.
  5. Provide an information security management system that supports compliance with present and future applicable laws and regulations.
  6. Define Akeyless’ obligation in regard to privacy, private information and especially PII.

Definitions
1. Information Security – All technological and organizational means used to mitigate risk pertaining to the confidentiality, integrity, and availability of information stored in IT systems.
2. CISO – The person responsible for the overall information security program to ensure the adequate protection of the company’s information assets and technology.
3. Identification – Means to identify a person or system while attempting access and authorizing processes in an IT system.
4. Sensitive Information – Data defined as sensitive by the company’s management.
5. User – A unique and identifiable entity within a system that represents a person or a service.
6. Password – A string of characters known only to the user, used for identification confirmation of the user and typed as part of the user identification process while logging on.
7. Information Security Management System (ISMS) – A long term framework that aims to enhance information security throughout the organization (Part of ISO27001 framework).

Board and Management Commitment
1. Consistent with their responsibility for proper management of the company, the company’s management and board of directors are committed to maintaining a high level of information security.
2. The company’s management is obliged to provide adequate resources to maintain an appropriate level of information security in the company and to budget for an annual work plan.
3. The company’s management has defined the ISMS as a cornerstone of its security and technological viewpoint.
Information Security Goals
The company’s information security goals are as follows:
1. Allow the company to maintain the confidentiality, integrity, and availability of information.
2. Protect the company’s and customers’ information from unauthorized and malicious activity by effectively and efficiently implementing an information security management system.
3. Enable the company’s business strategy and maintain services for customers in a manner consistent with the proper application of security and privacy guidance and risk management.
4. Serve as the basis for information security policies, procedures and controls.
5. Provide guidance on how to locate and manage risks and exposures of information stored in the system, including prints, scans, tapes, or other hard copies.
6. Define tools and processes required to actively enhance the security awareness of the company’s personnel and suppliers.

Information Security Business Principles
The company’s information security business principles are as follows:
1. Create a security culture through information security governance.
2. Assess risks through understanding, evaluating, and testing.
3. Enforce the information security policy through technological processes (where applicable) education, monitoring, and metrics.
4. Adhere to applicable regulatory requirements that include international and local laws and regulations.

Organization of Information Security
1. The company’s organizational chart is in Appendix A.
2. The organization of information security is led by the CISO that was appointed by Akeyless’ management. CISO’s responsibilities are as follows:
  - Presenting information security topics to the management.
  - Providing the board of directors with an annual information security review.
  - Leading the Steering Committee.
  - Implementing the information security policy and procedures and providing guidance on implementation to relevant personnel.
  - Initiating and implementing an annual work plan.
  - Performing audits on information security implementation in the Company.
  - Investigating and handling information security events and breaches.
  - Conducting information security awareness training.
  - Defining and developing and integrating processes and tools related to information security.
  - Defining information security levels of the IS and its components in compliance with decisions of the Steering Committee.
  - Handling responses to security incidents and malfunctions.
  - Specifying processes and methods about the levels of sensitivity and information classification to which third parties may be exposed.
3. Information security technical means are implemented by either DevOps or IT.
4. Akeyless runs an Information security steering committee with the following charter
  1. The information security steering committee (the “Steering Committee”) is the highest body dictating the information security strategy and approving information security plans.
  2. The members of the Steering Committee are:
    - President
    - CEO
    - CTO
    - VP R&D
    - CISO
  3. The Information Security Steering Committee meets at least once in 3 months

Security of Human Resources
Aspects of information security are implemented by the company in all the procedures and stages of recruitment and employment of employees, as specified hereunder:
1. Prior to employment:
  1. It is the responsibility of the company to ensure that each employee of the company and third-party employee (contractor’s employee) is suitable for the employee’s intended position, and that the employee fully understands the responsibilities imposed on him or her, in order to prevent events of failure, fraud, or abuse of information and assets of either the company or its customers.
  2. The management of the company shall define with respect to each of the roles in the company:
    - The necessary qualifications
    - Responsibility and authority
    - Requirements of reliability
    - Access rights to information systems
  3. Employee reliability will be determined through a process of multiple interviews and gathering of recommendations. Employees of third-party providers engaged in delivering services to the company will be interviewed, and two references will be obtained and checked.
  4. Each employee, at any hierarchic level whatsoever, shall sign a confidentiality agreement, whereby the employee will maintain the rules of information security and privacy, as a condition of working with the company.
  5. Prior to commencement of work with the company, a new employee will undergo a security and privacy training, in order to become familiarized with the company and its policies, including but not limited to information security.
2. Within the process of employment:
  1. The CISO is responsible for the holding of periodic training for all the employees at least annually, in order to increase their awareness of the following issues:
    - Information security policy.
    - Familiarization with possible risks and threats to the company and to the information.
    - Proper and ethical utilization of assets of the company.
    - Manner of protection against possible failures.
    - Manner of conduct upon occurrence of an exceptional event.
    - Proper and correct use of protections and controls.
    - Rules of usage of information systems of the company.
3. Completion of employment or change of positions:
  1. The HR manager is responsible for ensuring that employees, contractual employees or third-party users of the information systems will leave the organization or change positions in an orderly and safe manner.
  2. If an employee changes position in the company, access authorizations and controls given to the employee in the employee’s previous position should be examined to determine whether it is suitable to continue them. As a default, the authorizations of the previous position shall be revoked, and new authorizations suitable for the new position will be given to the employee.
  3. If an employee leaves the company, for any reason, the HR manager should verify that:
    - All possibilities of the employee accessing information, supporting systems and assets from the company or outside of it were blocked.
    - The employee returned all the assets and equipment that belong to the company (computer equipment, documents, etc.).
    - The employee received guidance with respect to ongoing commitment to the information of the company and its protection.
  4. Training and awareness
    1. Every employee will attend annual information security awareness training.
    2. Every new employee must attend an information security awareness training within one month of commencing employment at the company.
    3. On completion of the information security awareness training, each employee must sign a statement confirming that they have attended the training, understood the material presented, and had an opportunity to ask questions.
4. Privacy
  Human resources information is private by its nature and must be secured accordingly:
  1. Employees and candidates’ information must be stored in a dedicated HR application or restricted folders.
  2. Private information must never be shared via email or any other unsecure communication methods.

Asset management and Risk Assessment Approach
1. A periodic risk assessment is the basis for an ongoing information security activity. The assessment is applied to both the technological and non-technological aspects of information security.
2. Risk assessment shall include identifying assets and the risks related to them, internal and external audits, penetration tests, system configuration reviews, and shall represent risks based on the potential risk and occurrence likelihood. The assessments and surveys shall be performed in accordance with business requirements and professional advice.
3. The risk assessment shall aid with building the work plan that aims to minimize organizational and technological risks, as well as plan specific IT activities.
Access control
Access control management is detailed in 05 Akeyless User Access Rights Procedure.

Cryptographic controls
Cryptographic controls are detailed in 15 Akeyless – Encryption and Key Management Policy

Physical Security
1. Access security to company offices
  1. The entrance to company premises shall be secured and monitored at all times (during work hours and thereafter).
  2. The entrance doors to the offices shall be closed and locked at all times
  3. Upon completion of the workday, the offices of the company shall be locked and the alarm of the security company shall be activated
  4. Security in work areas
  5. Employees of the company work at different locations, at home or at public places. In public places employees should make sure to have their laptops with them at all times, including when getting up from their seats.
  6. If a situation arises that requires an employee to leave a laptop unattended, that computer should be locked using a password protected screensaver.
  7. When going on vacation, employees shall turn off their computers or put them into hibernate mode (as this forces encryption sequence).
Clear Desk and Screen
1. Non-electronic information and equipment
  1. Where practically possible, paper should be stored in suitable forms of secure furniture when not in use, especially outside working hours.
  2. At the end of each session all sensitive information should be removed from the workplace and stored in a locked area. This includes all personable information, as well as business critical information such as salaries and contracts.
  3. All staff are responsible for ensuring that any hard copy documents which could be classed as company intellectual property are shredded if they are no longer required and do not legally need to be retained.
  4. Hard copies containing PII (i.e. candidates resumes) must be shredded when they are no longer needed.
  5. Hard copies of sensitive information or that contain PII must be kept in a locked drawer or cabinet when not in use.
  6. Confidential, sensitive or classified information, or PII when printed, should be cleared from printers immediately.
2. Electronic or computerized information and equipment
  1. Electronic data and equipment will not be treated differently from manual records and equipment, as they contain the same type of confidential and personal information. Computing and all other equipment containing data will therefore be treated with the same level of security as paper-based resources.
  2. Computers and laptops must not be left logged on when unattended, and must be protected by passwords, screensavers and other controls. The options available will be dependent upon the type of equipment. Any concerns should be raised with the IS Manager.
  3. Screens must be locked by the user when leaving their computer terminal, irrespective of the amount of time spent away from the unattended screen. All computers should have an auto-lock after 15 minutes of non-use.
  4. Sensitive items such as personal identifiers must be cleared from printers and fax machines immediately on completion. If these are no longer required, the items must be shredded or sent for secure disposal.
Change Management
All change management aspects are covered in 11 Akeyless – Change Management and Segregation of Duties

Communication Security
All aspects of communication security are detailed in 15 Akeyless – Encryption and Key Management Policy.

Secure development
Secure development is detailed in the “04 Akeyless Secure Development Policy”

Vendor Security
All aspects of vendor security are covered in 12 Akeyless – Vendor Security Management Policy.

Incident Response Plan
All security incidents aspects are detailed in 03 Akeyless Information security incident response and breach policy.

Business Continuity Plan
All aspects of business continuity are detail in 11 Business Continuity Plan

Data Classification
1. Sensitive information must be identified as such and treated securely according to its level of sensitivity. Akeyless has determined the following sensitivity levels:
  - Confidential
  - Internal
  - Public
2. Confidential refers to information that its exposure may result in severe damage to Akeyless business including financial loss, damage to reputation and non-compliance with the law and regulations. For example:
  - Akeyless Internal information with limited access
  - Personal Identifiable Information
  - Customer confidential information
  - Confidential information must be kept in restricted access folders or systems, or in locked cabinets.
3. Internal information refers to information that its exposure may result in some damage to Akeyless. For example:
  - Akeyless internal communication
  - Akeyless finance information (unless defined differently)
  - Internal information must be kept in internal systems either maintained or used by Akeyless
4. Public information refers to information that its exposure will not have any effect on Akeyless, such as Information that has been approved to be released to the public. Public information may be kept on any mean of storage
5. As part of the general purpose of ensuring the security of documents, all documents created within the company are defined as internal confidential information, unless specifically designated otherwise.

Compliance
Identified relevant laws and regulations are detailed in 01 Akeyless IS Policy Statement.

Customer Data Protection
1. Customer data is only accessible by customer users. All stored data is kept encrypted.
2. Each customer is provisioned with a unique ID. All application processes are based on that unique ID per customer to help ensure no cross-customer data events occur.
3. Data is encrypted in transit.
4. Data at rest (on servers, file storage, database) is encrypted using Akeyless DFC technology and standard encryption technology.
Patch and vulnerability management
1. Vulnerabilities in Akeyless’ platform may be identified either during a penetration test, from our bug bounty program or by an independent researcher.
2. Identified vulnerabilities will be remediated according to the following time tables:
  - Critical – As soon as possible and no longer than 1 week of identification.
  - High – No longer than 1 month from identification
  - Medium – No longer than 3 month from identification.
  - Low – According to best effort and availability.

Responsibility
1. The CISO is responsible for implementing and maintaining this policy.
2. Each employee is responsible for complying with this policy
Document Revision History

Author	Revision	Comments	Date	Approved by
Evgeny Pesetsky	1.0	Release version	01/04/2020
Yuval Yelin	2.0	Update version	25/04/2021	Shai Onn
Yuval Yelin	2.1	Rearranging sections	02/09/2021	Shai Onn
Yuval Yelin	2.2	Added privacy to HR section	25/10/2021	Shai Onn
Yuval Yelin	2.3	Adjust to SoA chapters	8/12/2021	Shai Onn
Yuval Yelin	2.4	Added patch management	19/01/2022	Shai Onn
Yuval Yelin	2.5	Added clean desk and screen	30/05/2022	Shai Onn

Frequently Asked Questions

Product Information & Security Policy