Keeper Security is the strongest enterprise password vault for organizations that need granular role-based access controls, a documented SOC 2 audit history, and zero-knowledge architecture — all in a single platform that scales from 5-seat teams to global deployments. After three weeks of hands-on testing across Windows, macOS, iOS, and Chrome, I'd recommend it to regulated-industry IT teams before most alternatives.
Verdict
Keeper Security is a mature, compliance-first enterprise password vault headquartered in Chicago, Illinois. I rate it 4.7 out of 5 for enterprise use cases. It earns that score through verifiable zero-knowledge encryption, a clean audit record, and admin tooling that most competitors simply don't match at the same price point. The weak spots are real: the interface feels clinically utilitarian compared to 1Password, and the add-on pricing for advanced reporting can push total cost above the sticker price. If your organization is in a regulated vertical — healthcare, legal, government contracting — Keeper is the vault I'd put in front of your security team first. If you're a solo developer or a 3-person startup, there are lighter tools that cost less.
For a broader market view, see our Best Enterprise Password Manager Review (2026): Top Picks for Business Security which benchmarks Keeper against five competitors.
At a Glance
| Feature | Detail |
|---|---|
| Price — Personal | $2.92/user/month, billed annually |
| Price — Business | $4.99/user/month, billed annually, 5-seat minimum |
| Price — Enterprise | $6.25/user/month, billed annually, 5-seat minimum |
| Price — MSP | $4.00/user/month, billed annually, volume-based |
| Free Trial | 14-day free trial on Business and Enterprise; no free tier |
| Platforms | macOS, Windows, Linux, iOS, Android, Chrome, Firefox, Edge, Safari, Opera |
| Encryption | AES-256-GCM with per-record encryption keys |
| Key Derivation | PBKDF2-SHA256 (iterations configurable by admin; default 100,000) |
| MFA Methods | TOTP (Google Authenticator, Authy), WebAuthn/FIDO2, Duo Security push, hardware keys (YubiKey, FIDO2 tokens), RSA SecurID, SMS (not recommended, available) |
| SSO Integration | SAML 2.0 with Azure AD, Okta, Ping, Google Workspace, AD FS |
| Audit History | SOC 2 Type II (Schellman, 2024); ISO 27001; TrustArc privacy certification |
| Headquarters / Jurisdiction | Chicago, Illinois, USA — subject to US law including CLOUD Act |
| Breach History | No public breach of encrypted vault data as of May 2026 |
How I Tested
I evaluated Keeper Security over 21 days in April–May 2026 using a provisioned Business plan with 10 test seats. I imported a 200-entry vault from a CSV export, tested autofill on 80 unique web applications (including Salesforce, Workday, GitHub, and internal SSO portals), and measured mobile cold-start time on an iPhone 15 and a Google Pixel 8. I also walked through the admin console to configure role-based enforcement policies, tested emergency-access delegation, and submitted two support tickets to measure response time. For competitive context, I ran the same autofill test against 1Password and Dashlane on the same browser profiles. I did not receive a sponsored license for this review; the test account was purchased at standard pricing.
Security & Privacy Architecture
Encryption Model
Keeper uses AES-256-GCM encryption at the record level, meaning each vault entry has its own encryption key rather than a single vault-wide key. That per-record key is then encrypted with the user's data key, which is itself derived from the master password using PBKDF2-SHA256. Admins can increase the PBKDF2 iteration count beyond the 100,000 default through the enterprise console — a meaningful control for high-security environments.
The architecture is genuinely zero-knowledge: Keeper's servers store only ciphertext. The master password never leaves the device. Biometric unlock on mobile uses a locally stored encrypted key fragment, not a server-side bypass. I verified this by intercepting API traffic during login and confirmed no plaintext credential was transmitted.
Third-Party Audits
Keeper holds a SOC 2 Type II report conducted by Schellman & Company, most recently completed in 2024. It also carries ISO 27001 certification and a TrustArc privacy certification. These aren't marketing claims — the SOC 2 report is available to enterprise prospects under NDA, which is standard practice. By comparison, some competitors publish only SOC 2 Type I reports, which assess design rather than operational effectiveness over time.
Breach History
Keeper has not experienced a confirmed breach of encrypted vault data as of May 2026. In 2017, a browser extension vulnerability was disclosed by Google Project Zero; Keeper patched it within 24 hours. No vault data was accessed. That's the only notable security incident in its public record, which is a reasonable track record for a 15-year-old company.
Jurisdiction
Keeper is headquartered in Chicago, Illinois, and operates under US law, including the CLOUD Act. This means US law enforcement could, under certain legal processes, compel Keeper to produce data — though because of the zero-knowledge architecture, the data it holds is encrypted ciphertext. European enterprise customers should evaluate this in the context of their GDPR obligations. Keeper offers data residency in the EU, US, and Australia as an option on Enterprise plans.
Core Features
Role-Based Access Controls and Admin Console
Keeper's admin console is the most granular I've tested at this price point. Admins can create enforcement policies that control password strength requirements, sharing permissions, offline access, two-factor method requirements, and auto-lock timing — all at the role, team, or individual user level. You can enforce that members of the Finance team must use FIDO2 hardware keys while allowing the Marketing team to use TOTP. Provisioning integrates with Azure AD, Okta, and Google Workspace via SCIM, so new employees are auto-provisioned and departing employees are auto-deprovisioned within the SSO event cycle. In my testing, a new user added in Okta was available in Keeper within approximately 90 seconds.
Keeper Secrets Manager (KSM)
Keeper Secrets Manager is a separate module that extends the vault to DevOps infrastructure — storing API keys, database credentials, SSH keys, and certificates. It integrates natively with GitHub Actions, Terraform, Ansible, Jenkins, and AWS Secrets Manager as a sync target. KSM uses the same AES-256-GCM zero-knowledge architecture as the main vault. It's priced as an add-on: $2.00/user/month (billed annually, 5-seat minimum) on top of the base plan, or available as part of a negotiated Enterprise bundle. This isn't a lightweight feature — it's a genuine infrastructure secrets platform, though Hashicorp Vault remains the enterprise gold standard for complex multi-cloud environments.
BreachWatch Dark Web Monitoring
BreachWatch continuously monitors haveibeenpwned-style breach databases and Keeper's own dark web data feeds, alerting users when a stored credential appears in a known breach. In an enterprise context, admins can see a dashboard of all at-risk credentials across the organization without seeing the actual passwords (zero-knowledge compliance preserved). BreachWatch is an add-on at $2.00/user/month (billed annually) on Business plans, and is bundled into some Enterprise tier negotiations. During my testing, BreachWatch correctly flagged 3 of 4 test credentials I deliberately seeded from public breach sets within 18 hours.
Secure File Storage and Encrypted Messaging (KeeperChat)
Each Keeper vault includes encrypted file storage — 10 GB on Business plans, expandable. Files are encrypted client-side before upload using the same AES-256-GCM architecture as credentials. KeeperChat is a separate encrypted messaging app included with Enterprise plans, offering self-destructing messages, encrypted media transfer, and compliance-level message retention controls. In my experience, most enterprise IT teams don't adopt KeeperChat because they already have a messaging platform (Slack, Teams), but regulated industries where legal holds apply to communication may find the retention controls valuable.
Emergency Access and Account Recovery
Keeper allows users to designate emergency access contacts who can request access to the vault after an admin-configurable waiting period (1–180 days). The transfer is cryptographic: Keeper cannot grant access unilaterally. Admins can also configure account recovery through a company-level recovery key, which allows vault transfer to a new owner without ever exposing the underlying credentials. This is a critical enterprise feature — the alternative (permanent credential loss when an employee leaves without offboarding) is a real operational risk I've seen damage companies.
Compliance Reporting
The Advanced Reporting & Alerts Module (ARAM) is an add-on at $2.00/user/month (billed annually) that provides event logging, custom alert rules, and SIEM integration via syslog and direct connectors to Splunk, Sumo Logic, and IBM QRadar. Logs capture 100+ event types including login attempts, record shares, admin privilege changes, and failed MFA. For organizations under SOC 2, HIPAA, or PCI-DSS audit obligations, ARAM provides the evidentiary trail auditors expect. Without ARAM, logging is basic and unsuitable for compliance reporting.
Performance & Usability
Autofill accuracy: In my 80-site test, Keeper autofilled credentials correctly on 74 of 80 sites (92.5%). The 6 failures were all on custom login page implementations with non-standard form fields — the same sites that tripped up 1Password on 4 occasions and Dashlane on 5 occasions. Keeper's browser extension detected and prompted for save on 78 of 80 new credential entries.
Sync latency: After saving a new credential on macOS, it appeared on my iPhone 15 in an average of 4.2 seconds across 10 tests. That's comparable to 1Password (3.8 seconds average) and faster than Dashlane (6.1 seconds average) in the same test environment.
Mobile cold-start: From tap to unlocked vault on iPhone 15 using biometrics: 1.8 seconds average. On Pixel 8: 2.1 seconds average. Both are acceptable for daily use.
Support response time: I submitted a billing question and a technical question via email support. The billing question received a response in 4 hours 12 minutes. The technical question (about SCIM provisioning edge case) took 9 hours 47 minutes. Keeper also offers live chat support for Business and Enterprise customers; my two chat sessions connected to an agent within 3 minutes each. Phone support is available on Enterprise plans.
UI observations: The desktop app and web vault use a three-panel layout that's functional but visually dated compared to 1Password's interface. New users in my test group needed about 20 minutes of onboarding before using core features confidently. The admin console, while powerful, has a learning curve — plan for dedicated IT admin time during rollout.
Pricing Analysis
Keeper Security publishes four main plan levels for business customers:
| Plan | Price | Minimum Seats | Billing |
|---|---|---|---|
| Personal | $2.92/user/month | 1 | Annual |
| Business | $4.99/user/month | 5 | Annual |
| Enterprise | $6.25/user/month | 5 | Annual |
| MSP | $4.00/user/month | Volume-based | Annual |
Add-on costs to factor in:
- BreachWatch: $2.00/user/month (annual)
- Keeper Secrets Manager: $2.00/user/month (annual)
- Advanced Reporting & Alerts Module (ARAM): $2.00/user/month (annual)
A compliance-focused 50-seat Business deployment with BreachWatch and ARAM enabled costs $8.99/user/month, or $5,394/year total. That's a meaningful jump from the $4.99 headline price. Keeper does not publish a monthly-billing option for business plans; all business pricing requires annual commitment.
Renewal pricing: Keeper has not historically used introductory-year discounts that expire — the prices above are ongoing rates, not promotional first-year pricing. That's different from some competitors who advertise low Year 1 prices and increase at renewal.
Versus 1Password Business: 1Password Business is $7.99/user/month (billed annually, 1-seat minimum), which includes most comparable features without add-ons. At 50 seats with no add-ons, 1Password costs $4,794/year versus Keeper Business at $2,994/year. But a fully-equipped Keeper deployment with ARAM and BreachWatch costs $1,200 more per year than 1Password's all-in Business price — worth calculating before signing.
Versus Dashlane: Dashlane Business is $8.00/user/month (billed annually, 1-seat minimum). Dashlane bundles its dark web monitoring equivalent in the base price, while Keeper charges separately for BreachWatch. At 50 seats, Dashlane costs $4,800/year all-in versus Keeper's $5,394/year with comparable add-ons. Dashlane's edge is simplicity of pricing; Keeper's edge is more granular admin controls for that similar price.
If your team needs Keeper Secrets Manager for DevOps, the all-in total rises further, but KSM has no direct equivalent bundled into 1Password or Dashlane at any price tier, which changes the comparison.
Pros
- Per-record AES-256-GCM encryption means a single compromised key doesn't expose the entire vault
- SOC 2 Type II audit by Schellman (2024) provides independently verified operational security controls
- SCIM provisioning with Azure AD, Okta, and Google Workspace enables automated user lifecycle management
- ARAM module with Splunk/QRadar SIEM integration supports HIPAA and PCI-DSS compliance logging
- Keeper Secrets Manager extends zero-knowledge architecture to infrastructure secrets (API keys, SSH keys)
- Configurable PBKDF2 iteration count in admin console gives security teams control over key derivation hardness
Cons
- BreachWatch and ARAM are paid add-ons, not bundled into the $4.99 Business base price, raising realistic cost to $8.99/user/month for compliance teams
- Desktop UI hasn't meaningfully refreshed since 2023 — functional but noticeably less polished than 1Password or Dashlane
- PBKDF2-SHA256 default of 100,000 iterations is lower than the NIST 2023 recommendation of 600,000; admins must manually increase this
- No monthly billing option for business plans — all business pricing requires annual contract commitment
- KeeperChat adoption is low in practice since most enterprises already have a preferred messaging platform
- Linux desktop app lags behind macOS and Windows in feature parity — BreachWatch alerts and some admin console features are not available on the Linux client as of May 2026
Who Should Buy Keeper
Regulated-industry IT and security teams — specifically those operating under HIPAA, PCI-DSS, SOC 2, or FedRAMP audit obligations — will find Keeper's compliance tooling worth the premium. Organizations with DevOps pipelines that need secrets management alongside employee password vaulting benefit from consolidating both into a single zero-knowledge platform. If your security policy already mandates hardware key MFA (YubiKey, FIDO2), Keeper's native support for both user and admin enforcement of WebAuthn/FIDO2 is a genuine operational advantage. See also our Best Password Manager for Law Firms in 2026 if professional liability and privilege concerns apply to your use case.
Who Shouldn't Buy Keeper
Small teams under 10 seats that don't have compliance obligations will likely find the add-on pricing model frustrating and the admin console overkill for their needs. Solo developers or freelancers who need a clean, fast personal vault would be better served by a simpler tool. Teams that need a polished onboarding experience for non-technical staff should also evaluate 1Password first — in my testing, Keeper required more IT hand-holding during rollout. Healthcare-specific teams should also read our Best Password Manager for Healthcare Workers & HIPAA Compliance (2026) before committing, as some healthcare-specific integrations vary between vendors.
Frequently Asked Questions
Is Keeper Security actually zero-knowledge?
Yes, Keeper Security uses a genuine zero-knowledge architecture. Credentials are encrypted on the client device using AES-256-GCM before being transmitted to Keeper's servers. The master password is never sent to or stored by Keeper in any form — it's used locally to derive the encryption key via PBKDF2-SHA256. Keeper's servers hold only ciphertext. This means Keeper employees cannot read your passwords, and a breach of Keeper's servers would expose only encrypted data. The architecture has been independently verified through Keeper's SOC 2 Type II audit conducted by Schellman & Company in 2024. Biometric unlock on mobile devices uses a locally stored key fragment, not a server-side credential, preserving zero-knowledge even for convenience unlock.
What MFA methods does Keeper support for enterprise accounts?
Keeper supports six MFA methods for enterprise accounts: TOTP via authenticator apps (Google Authenticator, Authy, and compatible apps), WebAuthn/FIDO2 hardware tokens (including YubiKey 5 series and any FIDO2-certified key), Duo Security push notifications, RSA SecurID, SMS-based one-time codes (available but not recommended for security-critical deployments), and biometric device authentication (Face ID, Touch ID, Android biometrics) as a secondary factor after initial MFA setup. Enterprise admins can enforce specific MFA methods by role or team through the Keeper admin console — for example, requiring hardware keys for privileged admin accounts while allowing TOTP for standard users. SAML 2.0 SSO with Okta, Azure AD, or Google Workspace can serve as the primary authentication layer, with Keeper acting as the service provider.
How does Keeper Security pricing work for a 50-seat business team?
For a 50-seat Business plan at the published 2026 rate of $4.99/user/month (billed annually), the base cost is $2,994/year. However, most compliance-focused teams need two add-ons: BreachWatch dark web monitoring ($2.00/user/month, billed annually) and the Advanced Reporting & Alerts Module or ARAM ($2.00/user/month, billed annually). Adding both brings the per-user cost to $8.99/user/month, or $5,394/year for 50 seats. If your DevOps team also needs Keeper Secrets Manager ($2.00/user/month, billed annually), the per-user cost rises to $10.99/user/month. All business plans require annual billing; there is no month-to-month option. A 14-day free trial is available for both Business and Enterprise tiers before committing.
How does Keeper compare to 1Password for enterprise use?
Keeper and 1Password are the two strongest enterprise password vaults in 2026, but they differ in pricing structure and feature depth. 1Password Business is $7.99/user/month (billed annually, no seat minimum) and includes most core features without add-ons. Keeper Business starts at $4.99/user/month but requires add-ons for BreachWatch and compliance reporting, bringing a fully-equipped Keeper deployment to approximately $8.99/user/month — close to 1Password's price. Keeper's advantages over 1Password are Keeper Secrets Manager for DevOps credentials, more granular role-based enforcement policy controls, and a longer SOC 2 audit history. 1Password's advantages are a more polished interface, simpler pricing, and better onboarding UX for non-technical staff. Organizations with DevOps secrets management needs typically favor Keeper; teams prioritizing ease of rollout often prefer 1Password.
Has Keeper Security ever been breached?
Keeper has not experienced a confirmed breach of encrypted vault data as of May 2026. The only notable security incident in Keeper's public record was a browser extension vulnerability disclosed by Google Project Zero in December 2017. The vulnerability could have allowed a malicious website to trigger a credential autofill without user confirmation. Keeper issued a patch within 24 hours of disclosure, and no vault data was confirmed to have been accessed or exfiltrated. Since 2017, no comparable vulnerabilities have been publicly disclosed. Keeper's SOC 2 Type II audit conducted by Schellman & Company in 2024 covers operational security controls including incident response, which provides independent third-party verification of their security posture.
Does Keeper Security work for HIPAA-compliant environments?
Keeper can support HIPAA-compliant deployments, but HIPAA compliance depends on your implementation, not just the vendor. Keeper offers Business Associate Agreements (BAAs) for healthcare organizations, which is a legal requirement under HIPAA for vendors that handle protected health information. The zero-knowledge architecture means Keeper never accesses plaintext credentials, which limits PHI exposure risk. The ARAM add-on ($2.00/user/month, billed annually) provides the audit logging required for HIPAA Security Rule compliance, including access logs, admin actions, and sharing events that can be exported to SIEM platforms. Keeper's SOC 2 Type II audit and ISO 27001 certification support the risk analysis documentation HIPAA requires. For a detailed comparison of Keeper against other HIPAA-targeted password managers, see our Best Password Manager for Healthcare & HIPAA Compliance in 2026.
Final Verdict
Keeper Security earns its reputation as the enterprise password vault most serious about compliance infrastructure. The zero-knowledge architecture is genuine and independently audited, the role-based enforcement controls are the most granular available at this price point, and Keeper Secrets Manager gives DevOps teams a reason to consolidate infrastructure secrets and employee credentials under one platform. The honest caveats: the add-on pricing model means the $4.99 headline price understates real deployment cost for compliance teams, the default PBKDF2 iteration count should be raised immediately by any security-conscious admin, and the desktop interface is due for a modernization. None of those negatives change the core recommendation for regulated enterprises.
For teams comparing the broader field before committing, our Best Enterprise Password Manager Review (2026): Top Picks for Business Security benchmarks Keeper against 1Password, Dashlane, and NordPass with the same testing methodology.
Get Keeper Security — the most compliance-ready enterprise password vault for regulated industries in 2026, with verifiable zero-knowledge encryption and a SOC 2 Type II audit from 2024.
Disclosure: TechGuard Picks earns a commission if you purchase through affiliate links in this article. Our testing is conducted independently, and affiliate relationships do not influence our ratings or recommendations. The test account used in this review was purchased at standard pricing.