Keyzapp Key Management System

The comprehensive app for tracking keys. Lookup, issue & return keys in seconds, maintain comprehensive audit records, and automatically chase late keys. Fitting your exact processes, Keyzapp is completely paperless. It can be combined with optional contactless fobs for extra speed. Can also be used for tracking other small assets.


  • Works everywhere - Phones, PC, Mac, Tablets (optional self-service kiosks)
  • Optional contactless fobs enable instant key identification & issue
  • Rapid search to find the key you need in seconds
  • Track keys across multiple offices & departments
  • Chase late keys automatically - text and email reminders
  • Instant reporting of key history by key, property or person
  • Permission Levels control access to information
  • Reserve keys in advance to prevent mistakes
  • Flexible processes adapt to fit the way you work
  • API and Integration hooks enable connection to other systems


  • Fast, simple and intuitive - minimal staff training required
  • Works with your existing key numbering and storage cabinets
  • Saves staff time - key administration, searching and reconciling key books
  • Faster and less error-prone than logbooks and spreadsheets
  • Improves security - eliminates the need for written records
  • Saves money - Prevents lost keys and replacement locks
  • Prevents lengthy investigations
  • Promotes accountability and removes uncertainty over who has the keys
  • Simplifies and promotes accurate record-keeping
  • Minimal IT management required


£45 per unit per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

426598401943605



Phillip Carter


Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Normal service operates 24/7 except for planned maintenance notified in advance
System requirements
  • Works on all modern web browsers
  • Optional Contactless scanning on PCs: Requires Windows 7+
  • Optional Contactless scanning on iPhone: Requires iPhone 7+
  • Optional Contactless scanning on Android: Requires NFC capability (most models)
  • Optional Contactless scanning on Windows Phones: Requires NFC (most models)

User support

Email or online ticketing support
Email or online ticketing
Support response times
We aim to respond to email within 4 working hours (excluding weekends). Out of hours service may be discussed and priced separately.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Telephone and email support during UK business hours. Once in place, we find support is rarely required.

Onsite support or training visits (the majority of customers DO NOT require this) are available at £800+VAT per day + reasonable travel, accommodation and subsistence expenses.

Services falling outside of the scope of standard support are chargeable at £80+VAT per hour. These are always OPTIONAL services and typically used for additional training conducted remotely (subsequent to any training provided as part of initial setup), data migration and integration work.

Additional support may be agreed at extra cost, depending on needs.
Support available to third parties

Onboarding and offboarding

Getting started
A remote training and setup session is provided as standard, and online support tools and user documentation are subsequently available. Additional training sessions are generally chargeable.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
All data held in the system is exportable to Excel spreadsheets.
End-of-contract process
The price of the contract includes licence to use the online software, backup of data, incremental upgrades and standard support.

At the end of the contract term, renewal is assumed unless cancelled by the subscriber.

Upon cancellation, a cancellation date will be agreed and services will become inaccessible after that date. Users will have the ability to download their data in Excel format prior to this date.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • MacOS
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
No differences
Service interface
What users can and can't do using the API
The API enables organisations to synchronise property/facility details from existing systems.

Web hooks can be sent from the system to alert other systems of key events (e.g. key signed out/in or key becoming overdue)

API setup and support are not provided as part of the standard support package and may require additional support arrangements.
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
Active internal monitoring processes and automatic cloud-scaling are in place to ensure service demand is managed effectively, using the Microsoft Azure Platform.


Service usage metrics
Metrics types
The app provides reports on the screens that different employees visit within the app, and on the activity of users and individuals with regard to signing keys in and out. These are not only useful for compliance purposes but also aid in the identification of mistakes and gaps in training for specific team members.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
Less than once a year
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Physical access controls are provided as part of the Microsoft Azure Cloud services upon which our app relies. These are audited across many different standards. Additional information can be provided as required.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
The app provides an option to export all data to spreadsheets in Excel format.

Support can provide data in CSV format on request.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Whilst we do not guarantee specific service levels, we aim to achieve 99.99% availability, and have exceeded this for the past 3 years.
Approach to resilience
The service operates on the Microsoft Azure cloud platform, with redundancy and fail-over built in across multiple regions. Additional information can be provided on request.
Outage reporting
We provide email alerts for any significant service outage

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces is controlled by administrator users within the organisation. Our support staff will verify the identity of those contacting us, where a request requires information specific to an organisation to be discussed. Password reset information, for example, is sent to the registered email of users within the system.

Within our own support teams, each team member has unique credentials and permissions within our management back-end.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
The application is programmed with security at the forefront, and uses industry-standard techniques, practices and protocols. Security practices within our team are reviewed regularly.
Information security policies and processes
Keyzapp maintains a data security policy, and holds regular training and checks to ensure that it is followed. The policy covers staff devices, password security, malware, hacking, encryption, data classifications (e.g. confidentiality).

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Keyzapp is a cloud-based system that deploys regular updates to the service. Customers are advised where any planned downtime is expected (this is rare for the majority of updates). We use industry-standard source control and can roll back if required. All changes are assessed by our development team for security impacts.
Should any security vulnerability be identified, it is patched as a matter of priority. From a customer perspective, the service functions as a single component, tracked through update communications. Internally, basic design/configuration documentation for various components is kept and updated as necessary.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The underlying Azure platform is monitored and patched for vulnerabilities constantly. At the product level, potential vulnerabilities are considered in an ongoing process prior to development of any new functionality. Our team follows industry security news very closely, and consistently evaluates any potential risk to our service. Basic vulnerability assessment takes place by the development team prior to any release. Security patches are worked and deployed with maximum priority following their identification.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are assessed through a combination of proactive following of industry news, and active monitoring of the application environment for potential threats. Upon threat discovery, containment and the security of customer data are prioritised, prior to any further remedial action. Where a threat is judged to be significant, a plan is put in place to address it. Incidents are responded to with maximum priority (target is within 24 hours) and communications sent to customers as appropriate.
Incident management type
Supplier-defined controls
Incident management approach
A process is in place for outages, which includes the transmission of backup data via spreadsheet to enable customers to work whilst the problem is being addressed. Customers report incidents by calling our well-publicised support number, or by email. Incident reports are provided on request. Where the situation warrants it, a communication email will be sent to affected parties.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£45 per unit per month
Discount for educational organisations
Free trial available
Description of free trial
Trials are provided based on the applicability for the organisation applying, usually for less than 300 keys. Trials include use of the system for any number of individuals for 1 month. Trials are provided with a commitment from the purchaser that they will follow our guidance and best practices.
