How to Secure Keap CRM for HR & Recruitment Data: A Step-by-Step Guide

Published on: January 10, 2026

Your Keap CRM holds the most sensitive data your organization touches: candidate PII, compensation discussions, performance notes, and communication histories across hundreds or thousands of people who trusted you with their information. One misconfigured permission set, one unrevoked integration, one absent MFA requirement — and that trust evaporates. This guide tells you exactly how to lock it down, step by step, before your next data governance review. It connects directly to the broader Keap CRM recruiting automation pillar — security is the foundation everything else builds on.

Before You Start

Complete these prerequisites before touching any Keap settings. Skipping them means you’re configuring security controls without knowing what you’re protecting.

  • Time required: 3-5 hours for initial configuration; 30 minutes per quarter for ongoing maintenance.
  • Access required: Keap Administrator account credentials.
  • Documents to prepare: Current org chart with all Keap users listed; list of all active third-party integrations connected to your Keap account; any existing privacy notices or DPAs.
  • Risk to acknowledge: Tightening permissions on existing users may temporarily disrupt workflows. Schedule this work outside peak recruiting hours and communicate changes to your team in advance.
  • Regulatory context: If you collect data from EU residents, GDPR Article 28 requires a written contract with Keap as your processor. Request Keap’s Data Processing Agreement (DPA) and have it signed before proceeding. For US operations, CCPA does not require you to name Keap in your privacy notice, but it does require disclosing the categories of service providers that receive personal information and having a contract with each that carries the CCPA service-provider terms; confirm your notice covers recruiting and CRM vendors and that your Keap contract contains those terms.

Step 1 — Audit and Map Every PII Field in Keap

You cannot protect data you haven’t catalogued. Before making any configuration changes, document every location in Keap where personally identifiable information lives.

Open Keap and systematically inventory the following:

  • Standard contact fields: Name, email, phone, address, date of birth. These are personal data under GDPR and personal information under CCPA by definition.
  • Custom fields: Resume text stored in long-text fields, salary expectations, compensation history, disability or accommodation notes, background check status, work authorization status. Disability, accommodation and other health-related notes are special-category data under GDPR Article 9, and any field containing legally protected category information is high-sensitivity.
  • Tags: Tags that encode sensitive status (e.g., “Declined — Culture Fit,” “Medical Accommodation Requested,” “Do Not Rehire”) are data points too. Map them.
  • Notes: Free-text notes are the highest-risk PII container in most Keap setups because they’re visible to all users with contact access. Document whether sensitive information is being entered here and plan to migrate it to controlled custom fields.
  • Email/SMS history: Communication logs contain PII by their nature — sender, recipient, content, timestamp.

Output a simple spreadsheet: field name, field type, sensitivity level (low/medium/high), who currently has access. This becomes your data map and the foundation for every subsequent step. Review your advanced tags and custom fields for candidate profiling setup at the same time — this audit often reveals fields that should be restructured for both security and searchability.

Jeff’s Take: Security Is an Ops Design Problem, Not an IT Problem

Most HR teams treat data security as something IT handles after the system is live. That backwards sequence is exactly why breaches happen. Security architecture belongs in the initial Keap CRM configuration — before the first candidate record is imported, before the first automation sequence is published. When I audit recruiting teams’ Keap setups, the most common finding isn’t weak passwords — it’s over-permissioned users and orphaned OAuth connections to job boards no one uses anymore. Both are design failures, not technology failures. Fix the design.

Step 2 — Configure Least-Privilege User Roles

The principle of least privilege means every Keap user accesses only what their role requires — nothing more. Most recruiting teams operate with far more permissive access than necessary, creating unnecessary exposure on every front.

Build at minimum three distinct permission tiers:

Administrator (1-2 people maximum)

  • Full access to all contacts, fields, campaigns, integrations, and settings.
  • Responsible for user management, permission changes, and security configuration.
  • This account should use a non-recruiting-staff login — typically an ops lead or IT contact — to prevent a recruiter departure from taking admin access with them.

Recruiter

  • Contact management, pipeline stage progression, campaign execution, note creation.
  • No access to: salary negotiation custom fields, background check status, HR-only tags, financial data, or account settings.
  • Field-level permissions in Keap can hide specific custom fields from this role — use them for the high-sensitivity fields identified in Step 1. Confirm the behaviour in your own account by logging in with a test Recruiter account before you rely on it: if your edition does not actually hide the field, it is only as protected as the contact record it sits on, and that value belongs in a system with real access control rather than in a Keap custom field.

Hiring Manager

  • Read-only access to candidate profiles for requisitions they own.
  • No ability to edit contact records, run bulk actions, or access communication history outside their requisitions.
  • Scoped contact view by tag or segment — hiring managers should see their candidates, not your entire talent pool.

In Keap, navigate to Admin → Users & Roles to create and assign these tiers. Never share a single login across multiple team members — shared logins make the activity log worthless for security auditing. This is one of the most common Keap CRM implementation challenges recruiting firms face when scaling their teams.

Step 3 — Enforce Multi-Factor Authentication for Every User

MFA is the single highest-ROI security control available to you in Keap. It defeats credential stuffing and password reuse, the most common entry vectors for unauthorized CRM access, because a leaked or guessed password alone no longer gets an attacker a session, and it takes under 10 minutes to configure organization-wide. There is no acceptable reason to skip it.

To enforce MFA in Keap:

  1. Navigate to Admin → Users & Roles.
  2. For each user, confirm their login email is individual (no shared accounts).
  3. Direct each user to their Account Settings → Security to enable authenticator app MFA.
  4. Verify completion — Keap’s admin panel shows MFA enrollment status per user. Any unenrolled user is a liability; treat it as an open vulnerability until resolved.

Require authenticator app MFA (Google Authenticator, Authy, or equivalent) over SMS where possible. SMS-based MFA is vulnerable to SIM-swapping attacks, a known vector in identity theft cases. Deloitte’s research on cyber risk consistently identifies credential compromise as the leading cause of unauthorized system access in business environments. Authenticator-based MFA removes the SIM-swap path from that attack surface. It does not remove real-time phishing, where an attacker relays the six-digit code within its validity window, so train users never to type a code into a page they did not navigate to themselves, and prefer a phishing-resistant method (hardware security key or passkey) wherever Keap offers one.

Step 4 — Build Data Retention Automation

Manual data retention fails at scale and under pressure. Automate it inside Keap so compliance happens on schedule regardless of team workload.

GDPR sets no fixed retention period for applicant data. Its storage-limitation principle (Article 5(1)(e)) together with national regulator guidance commonly lands on review or deletion within 6-12 months of a closed recruitment process unless the candidate has actively consented to remain in your talent pool. For deletion requests, GDPR Article 12(3) gives you one month (extendable by two in complex cases) and CCPA gives you 45 days (extendable once by a further 45 with notice). Your retention automation must handle both scenarios, and your erasure path must meet the tighter one-month clock.

Build these three sequences:

Retention Expiry Flagging Sequence

  • Trigger: Date-based, keyed to a “Pipeline Closed Date” custom field populated when the requisition closes (by your pipeline stage automation or by the closing recruiter). Measure from the close, not from the date the candidate entered the pipeline, or long-running recruitments will be flagged while they are still live.
  • Action at 11 months post-close: Apply tag “Retention Review Required.” Assign task to HR admin. Send internal notification.
  • Action at 12 months if task incomplete: Escalate with second notification.

Erasure Request Runbook Sequence

  • Trigger: Manual application of tag “Erasure Requested.”
  • Actions (automated): Remove from all active sequences. Clear all PII custom fields (replace with null or “Erased per request”). Remove all sensitive tags. Assign task to admin for final record deletion with timestamp documentation, and a second task to forward the erasure to every integration in your register (Step 5) that received this candidate’s data, because clearing the Keap record does not clear the copies held by a job board, assessment tool or email archive.
  • Complete within one month under GDPR (Article 12(3)) and 45 days under CCPA; set the task due date to the shorter clock. Document completion date in your erasure log.

Consent Expiry Reminder Sequence

  • For talent pool candidates who consented to ongoing contact: trigger at 24 months to send a re-consent email. If no re-consent within 30 days, apply “Retention Review Required” tag and initiate the same review process.

These sequences connect directly to how you’ve structured your talent pool segments in Keap CRM — retention automation and segmentation strategy are the same system, built together.

In Practice: Automation Is Your Compliance Safety Net

Manual compliance processes fail at the worst possible time — when a team is overwhelmed by a high-volume hiring push or a key person is out. The teams that pass GDPR audits consistently aren’t the ones with the most vigilant staff — they’re the ones with the most automated workflows. Retention expiry sequences, erasure-request runbooks triggered by a single tag, and automated offboarding checklists don’t require anyone to remember. They fire on schedule, log every action, and create the audit trail that regulators actually want to see.

Step 5 — Audit and Lock Down Third-Party Integrations

Every job board, assessment tool, background check service, and payroll integration connected to Keap is an extension of your security perimeter. OAuth connections persist after contracts end, after staff changes, and after you’ve stopped using the tool. Quarterly audits are not optional.

In Keap, navigate to Admin → API Access / Connected Apps. For each connection:

  • Verify it is still in active use. If the integration is dormant, revoke it immediately.
  • Confirm the permission scope. An integration that only needs to read contact tags should not have write access to your entire contact database. Revoke and re-authorize with minimal scope if over-permissioned.
  • Document the owner. Who on your team authorized this connection? If that person has left, treat the connection as untrusted until re-verified and re-authorized under a current employee’s credentials.
  • Check the receiving endpoint. Where is this integration sending data? Confirm the destination is a current, monitored system — not a deprecated webhook or an unmaintained cloud bucket.

Build a master integration register: integration name, purpose, authorizing user, date authorized, last verified, permission scope, data transmitted. Review quarterly. Gartner research on data security consistently identifies third-party access management as a top enterprise risk — the dynamic is identical at the SMB recruiting firm level. This audit directly informs your broader approach to the Keap CRM implementation checklist for recruitment.
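Once the register exists, the quarterly review is mechanical, and mechanical checks should be scripted so they happen the same way every quarter. The following is an added example, not Keap tooling: it reads a constructed version of the register above and flags the three failure modes the text describes (orphaned owner, stale verification, scope wider than the purpose needs). The register columns, the scope strings and the 90-day re-verification window are assumptions; substitute the scopes your integrations actually request.

```python
"""Quarterly check of the Step 5 integration register, run over a constructed
CSV. Added example, not Keap tooling: the register columns, the scope names
and the 90-day re-verification window are assumptions."""
import csv
import io
from datetime import date

# Constructed register. The scope strings are illustrative, not Keap's own.
REGISTER_CSV = """\
name,purpose,authorized_by,date_authorized,last_verified,scope,data_transmitted
JobBoardSync,pull applicants,alice,2024-01-15,2025-11-20,contacts:read contacts:write,candidate contacts
AssessmentTool,push scores,bob,2023-06-02,2024-03-01,contacts:read tags:write,score tags
PayrollBridge,new-hire export,carol,2025-09-30,2025-12-15,contacts:read,hired candidates
LegacyWebhook,unknown,dave,2022-02-10,2022-02-10,contacts:read contacts:write notes:write,everything
"""
ACTIVE_USERS = {"alice", "carol", "erin"}   # from the current org chart
VERIFY_WINDOW_DAYS = 90                      # quarterly review cadence
# Minimum scope each documented purpose needs; anything beyond it is excess.
NEEDED_SCOPES = {
    "pull applicants": {"contacts:read"},
    "push scores": {"contacts:read", "tags:write"},
    "new-hire export": {"contacts:read"},
}


def audit_register(csv_text: str, today: date,
                   active_users: set[str] = ACTIVE_USERS) -> dict[str, list[str]]:
    """Return, per integration, the findings that call for revoke or
    re-authorize; an empty list means the entry passed."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues: list[str] = []
        # Orphaned: the person who authorized it is no longer on the team.
        if row["authorized_by"] not in active_users:
            issues.append("orphaned: authorizing user no longer active, re-authorize or revoke")
        # Stale: nobody has confirmed it is still in use this quarter.
        last = date.fromisoformat(row["last_verified"])
        if (today - last).days > VERIFY_WINDOW_DAYS:
            issues.append(f"stale: last verified {last.isoformat()}, re-verify or revoke")
        # Over-scoped: granted more than the documented purpose requires.
        granted = set(row["scope"].split())
        needed = NEEDED_SCOPES.get(row["purpose"])
        if needed is None:
            issues.append("undocumented purpose: cannot judge scope, treat as untrusted")
        elif granted - needed:
            issues.append("over-scoped: " + " ".join(sorted(granted - needed)))
        findings[row["name"]] = issues
    return findings


def revoke_list(findings: dict[str, list[str]]) -> list[str]:
    """Entries with any finding. The action is revoke first; re-authorize with
    minimal scope only once a current owner has re-verified the need."""
    return sorted(name for name, issues in findings.items() if issues)


if __name__ == "__main__":
    result = audit_register(REGISTER_CSV, date(2026, 1, 10))
    for name, issues in result.items():
        print(name, "OK" if not issues else issues)
    print("revoke or re-authorize:", revoke_list(result))
```

The order of operations matters: an integration that fails any check is revoked before anyone investigates, because the cost of a recruiter re-connecting a job board is minutes, and the cost of a write-capable token in a departed employee’s password manager is a breach notification.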

What We’ve Seen: The Integration Blind Spot

In nearly every Keap security audit we’ve conducted for recruiting firms, the most dangerous exposure isn’t inside Keap — it’s the integrations around it. A job board connection authorized two years ago by a recruiter who left the company. An assessment tool API key with write access that was only ever needed for read. A webhook pointing to an outdated endpoint that now logs to an unmonitored cloud bucket. None of these show up on a password audit. They only surface when you systematically inventory every OAuth app and API connection in your Keap account and ask: does this still need to exist?

Step 6 — Schedule and Execute Activity Log Reviews

Keap logs user actions against contact records: views, edits, tag changes, email sends, and bulk operations. These logs are your early-warning system for anomalous activity — but only if someone is actually reading them.

Establish a monthly activity log review as a recurring Keap task assigned to your designated security owner (typically the Keap Administrator):

  • Off-hours access: Any contact record access outside business hours by non-administrator users warrants investigation.
  • Bulk export activity: Large contact exports are a major data exfiltration signal. Know your baseline — how many records does your team legitimately export per month? Flag anything that exceeds it.
  • Unusual tag application on sensitive segments: Bulk removal of “Confidential” or “High-Sensitivity” tags, or bulk additions of tags to protected segments, are anomalous patterns.
  • Dormant user activity: A login from a user account that hasn’t been active in weeks may indicate compromised credentials.

Pair Keap’s native activity logs with the activity history in your automation platform for any API-triggered actions. This gives you visibility across both direct user actions and programmatic actions from integrations. Forrester research on breach economics makes clear that faster detection directly reduces breach cost — log reviews are your detection mechanism. Align this review cadence with your recruiting metrics and reporting in Keap CRM review so both happen in the same monthly ops session.
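The four checks above are simple enough to script, and scripting them is the difference between a review that happens and one that is skipped in a busy month. The following is an added example, not Keap’s export format or code: it runs the off-hours, export-baseline, sensitive-tag and dormant-account checks over a constructed month of log lines. The CSV columns, the role names, the business-hours window, the 1,000-record export baseline and the table of last-seen logins (which a real run would carry over from the previous month’s review) are all assumptions; adjust them to your own export and your own baseline.

```python
"""Monthly activity-log review from Step 6, run over constructed log lines.
Added example, not Keap's export format: the CSV columns, role names,
business-hours window, export baseline and last-login table are assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed log export for January 2026. count = records touched by the action.
LOG_CSV = """\
timestamp,user,role,action,count,detail
2026-01-05T09:12:00,alice,recruiter,view_contact,1,contact 1042
2026-01-05T23:40:00,bob,recruiter,view_contact,1,contact 2210
2026-01-06T10:05:00,alice,recruiter,export_contacts,250,pipeline export
2026-01-07T14:30:00,bob,recruiter,export_contacts,4800,all contacts
2026-01-08T11:00:00,carol,hiring_manager,remove_tag,35,Confidential
2026-01-09T02:15:00,dave,recruiter,login,1,
2026-01-09T02:16:00,dave,recruiter,export_contacts,900,talent pool
2026-01-09T16:00:00,erin,admin,edit_contact,1,contact 3001
2026-01-09T22:30:00,erin,admin,edit_contact,1,contact 3002
"""
# Last login seen in the previous month's review (assumed carried over).
LAST_LOGIN = {"alice": "2026-01-02", "bob": "2026-01-03", "carol": "2025-12-30",
              "dave": "2025-11-10", "erin": "2026-01-04"}
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time
EXPORT_BASELINE_PER_MONTH = 1000     # legitimate monthly export volume per user
SENSITIVE_TAGS = {"Confidential", "High-Sensitivity"}
BULK_TAG_THRESHOLD = 10
DORMANT_DAYS = 21


def review(log_csv: str,
           last_login: dict[str, str] = LAST_LOGIN) -> list[tuple[str, str, str]]:
    """Return (user, finding, detail) triples for the four Step 6 checks."""
    findings: list[tuple[str, str, str]] = []
    exports: Counter[str] = Counter()
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, role, action = row["user"], row["role"], row["action"]
        n = int(row["count"])
        # Off-hours access by non-administrators.
        if role != "admin" and ts.hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours", f"{action} at {ts:%Y-%m-%d %H:%M}"))
        # Exports are summed per user and compared to the baseline after the loop,
        # so several medium exports that add up to an exfiltration are still caught.
        if action == "export_contacts":
            exports[user] += n
        # Bulk removal of a sensitive tag.
        if (action == "remove_tag" and row["detail"] in SENSITIVE_TAGS
                and n >= BULK_TAG_THRESHOLD):
            findings.append((user, "bulk-sensitive-tag-removal", f"{n} x {row['detail']}"))
        # Login on an account that had been quiet for weeks.
        if action == "login" and user in last_login:
            idle = ts - datetime.fromisoformat(last_login[user])
            if idle > timedelta(days=DORMANT_DAYS):
                findings.append((user, "dormant-account-login", f"idle {idle.days} days"))
    for user, total in exports.items():
        if total > EXPORT_BASELINE_PER_MONTH:
            findings.append((user, "export-over-baseline", f"{total} records this month"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(LOG_CSV):
        print(f"{user:6} {kind:28} {detail}")
```

Note what the sample surfaces: a single account (dave) that logs in after two months of silence, at 02:15, and immediately exports 900 records is under the export baseline on its own. It is only the combination of the dormant-login and off-hours findings on the same user that makes it the first thing to investigate, which is why the review output should be read per user rather than per rule.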

Step 7 — Document and Test Your Breach Response and Offboarding Runbooks

Security controls prevent incidents. Runbooks contain them when controls fail. You need two documented procedures minimum: a breach response runbook and a recruiter offboarding runbook. Neither is useful if it only exists in someone’s head.

Breach Response Runbook

  1. Detection: How is a potential breach identified? (Activity log anomaly, user report, vendor notification.)
  2. Containment: Export the relevant activity log entries first so containment does not destroy the evidence you will need in the next step. Then revoke access for the suspected compromised account immediately and suspend connected integrations.
  3. Assessment: Determine scope — which records were accessed, by whom, over what timeframe.
  4. Notification: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach (not of finishing the investigation), unless the breach is unlikely to result in a risk to individuals, and notifying the affected individuals without undue delay when the risk to them is high. In the US, breach notification is governed by state statutes rather than by CCPA itself, and timelines and thresholds vary by state. Identify your legal counsel contact before you need them.
  5. Remediation: Patch the vulnerability. Reset credentials. Tighten permissions. Document actions taken.

Recruiter Offboarding Runbook

  1. Before the departing recruiter’s last day: reassign all open contacts to an active team member. Do not leave orphaned records.
  2. On their last day: deactivate the Keap user account (not just a password change — full deactivation).
  3. Within 24 hours: export and review the last 30 days of their activity log for bulk exports or unusual access patterns.
  4. On their last day, not later: revoke any API keys or integration connections authorized under their credentials, and rotate any integration secret they could have seen. An API key a departed employee still knows is a live credential, not a housekeeping item. Re-authorize necessary integrations under a current employee’s account.
  5. Document the offboarding with a timestamp in your security log.

Test both runbooks at least once per quarter — a tabletop exercise with your team takes 30 minutes and exposes gaps that don’t appear on paper. SHRM’s guidance on HR data governance consistently identifies untested incident response plans as a primary compliance vulnerability. This operational rigor connects directly to the broader discipline of Keap CRM automation for strategic talent management — security ops and talent ops run on the same system.

How to Know It Worked

Security is not a one-time configuration — it’s an ongoing operational state. Measure it with these indicators:

  • Zero shared logins: Every active Keap user has a unique individual account. Verify via Admin → Users.
  • 100% MFA enrollment: Every user account shows MFA enabled. No exceptions.
  • Clean integration register: Every connected app is documented, actively used, and minimal-scope. Zero orphaned connections.
  • Retention automation active: At least one test record has cycled through the retention flagging sequence successfully.
  • Monthly log reviews completed: Documented with a timestamp and a “no anomalies found” or remediation note for each review.
  • Runbooks tested: Both breach response and offboarding runbooks have been walked through in the last 90 days.

If you hit all six, your Keap security posture is ahead of the vast majority of recruiting firms operating at your scale. The McKinsey Global Institute’s research on digital trust confirms that organizations with systematic data governance outperform peers on both compliance metrics and candidate trust indicators — and in recruiting, trust is a competitive differentiator. Pair this security foundation with the broader HR automation and labor cost reduction strategy to understand how operational discipline compounds across every layer of your recruiting stack.

Common Mistakes to Avoid

  • Treating security as a one-time setup task. Integrations accumulate, staff turns over, and permission sets drift. Quarterly reviews are mandatory, not optional.
  • Using free-text notes for sensitive PII. Notes are visible to all users with contact access. Move sensitive data to controlled custom fields with role-based visibility.
  • Skipping MFA for “power users” who find it inconvenient. Senior users with the most Keap access are the highest-value targets for credential attacks. No exemptions.
  • Assuming your automation platform’s security covers Keap. Each system in your stack has its own access controls. Securing Keap does not automatically secure connected tools.
  • Delaying breach response runbook creation until after an incident. The runbook must exist before you need it — 72-hour GDPR notification windows don’t allow time for drafting procedure documents under pressure.

Frequently Asked Questions

Is Keap CRM secure enough for storing candidate personally identifiable information (PII)?

Keap describes its platform as SOC 2-aligned, with data encrypted at rest and in transit and granular user permissions; confirm the current state of those claims against Keap’s own security documentation during your vendor review. Platform security alone is insufficient in any case. Your configuration choices — role permissions, MFA enforcement, retention rules, and integration controls — determine whether candidate PII is actually protected. Platform security sets a floor; your configuration sets the ceiling.

What Keap CRM user roles should HR teams use?

At minimum, create three distinct role tiers: Administrator (full access, limited to 1-2 people), Recruiter (contact management, pipeline stages, campaign execution — no financial or sensitive HR fields), and Hiring Manager (read-only candidate profiles for assigned requisitions). Never share a single login across team members — Keap logs actions by user ID, making shared logins unauditable.

Does Keap CRM support multi-factor authentication?

Yes. Keap supports MFA via authenticator app. Administrators should enforce MFA for every user account; this is the highest-impact single security control available and takes under 10 minutes to configure. A user without MFA will be a finding in any GDPR Article 32 (security of processing) assessment and in any post-breach review of whether your security was reasonable.

How do I handle GDPR right-to-erasure requests inside Keap CRM?

Map every PII field in Keap before you receive your first erasure request. Build a documented runbook: locate the contact record, record only what your erasure log needs (request date, contact ID, who handled it, completion date) rather than exporting the full record, which would just create another copy of the data you are obliged to delete, then clear all custom PII fields, remove the contact from all tags and segments, and delete the contact record. Automate the tag-removal and field-clearing steps using a Keap sequence triggered by a dedicated ‘Erasure Requested’ tag to reduce manual error, and forward the erasure to every integration that received the candidate’s data.

What is the biggest security risk in Keap CRM for recruiting teams?

Third-party integrations are the most underestimated risk. Every connected job board, assessment platform, or payroll tool creates an OAuth trust relationship that can persist long after a vendor relationship ends. Audit your connected apps quarterly, revoke unused API keys, and document every integration in a master register. Internally, overpermissioned user roles are the second most common vulnerability.

How long should candidate data be retained in Keap CRM?

Retention periods vary by jurisdiction. GDPR sets no fixed period; its storage-limitation principle plus national regulator guidance generally points to review or deletion of applicant data within 6-12 months of a closed recruitment process unless the candidate consented to a talent pool. CCPA does not mandate specific retention windows but requires honoring verified deletion requests within 45 days, and GDPR requires it within one month. Build retention automation in Keap using date-triggered sequences that flag records approaching their retention limit and clear PII fields on schedule.

How do I monitor suspicious activity inside Keap CRM?

Keap’s activity logs record contact record access, edits, and email actions by user. Export and review logs monthly — look for off-hours access, bulk data exports, or unusual tag changes on sensitive segments. Pair Keap log reviews with your automation platform’s activity history to catch anomalous API calls from connected integrations.

Can Keap CRM automate data security workflows?

Yes — and this is one of the most underused capabilities. Use Keap sequences to automate consent-expiry reminders, retention-window flags, post-rejection PII field clearing, and offboarding access revocation prompts. Automating these workflows removes the human error risk that causes most compliance failures and creates an auditable, timestamped trail of every data governance action.

What should happen to candidate data when a recruiter leaves the company?

Immediately deactivate the departing recruiter’s Keap user account — do not merely change the password. Reassign their open contacts to an active user before deactivation to prevent orphaned records. Audit the last 30 days of their activity log for any bulk exports or unusual access. Document the offboarding action in your security runbook with a timestamp.

Does using Keap CRM for HR data require a Data Processing Agreement (DPA)?

Yes, if you operate in or collect data from EU residents. Keap offers a Data Processing Agreement for GDPR compliance; request and execute it before storing any EU candidate data. For US teams, confirm your privacy notice discloses the categories of service providers (including CRM and recruiting vendors) that receive candidate data, as CCPA requires, and that your contract with Keap carries the CCPA service-provider terms.