Keybase is an end-to-end encrypted messaging, file sharing and identity verification platform acquired by Zoom in 2020. It offers chat (1:1 and group), encrypted file storage (KBFS), encrypted git repositories and a cryptographic identity proof system that links accounts to social media handles. Although message content is end-to-end encrypted, Keybase processes metadata (sender, recipient, timestamps, IP addresses, device identifiers) on US infrastructure, which makes it relevant for GDPR data transfer assessments.
Keybase started in 2014 as a public directory that linked PGP keys to verified social identities (Twitter, GitHub, websites). It grew into a full end-to-end encrypted communications platform with chat, group teams, encrypted file storage (KBFS), encrypted git repositories and Stellar wallet integration. In 2020, Keybase was acquired by Zoom Video Communications to bolster Zoom's end-to-end encryption capabilities. Active product development has slowed since, but the service is still operational and the open-source clients are still maintained.
Even with end-to-end encryption, Keybase processes substantial metadata: username, optional email, public PGP keys, identity proofs on social platforms, friend network and team memberships, device identifiers (one per install), IP address per session, message timestamps, file sizes and chat counts. The encrypted payloads of messages and files are stored on Keybase servers but cannot be decrypted by Zoom. The web client at keybase.io sets session and CSRF cookies during login.
Keybase processes personal data of EU residents (username, email, IP address, social graph) and is therefore subject to GDPR. Since Zoom is established in the US, transfers to Zoom servers in the US must be addressed via Standard Contractual Clauses and the EU-US Data Privacy Framework. The metadata processed can be considered low risk on its own, but it reveals communication patterns and identity links that may be sensitive in certain contexts (journalists, activists, regulated professions).
For an individual signing up to Keybase, the lawful basis is contract performance (Art. 6(1)(b) GDPR), since the service is requested by the data subject. For organisations deploying Keybase to employees, contract performance and legitimate interest in secure communications are the typical bases, together with the duty to inform employees. For the web client cookies, the ePrivacy Directive applies and consent is required for any cookie that is not strictly necessary.
Since 2020, Keybase has been operated by Zoom (US), with infrastructure on AWS in the US. This puts Keybase squarely in the US transfer category. Standard Contractual Clauses apply, Zoom is certified under the EU-US Data Privacy Framework, and the end-to-end encryption of message content is a substantive supplementary measure, although it does not cover the metadata listed above. Run a Transfer Impact Assessment if you deploy Keybase for sensitive use cases.
For organisational use, sign the Zoom DPA (which covers Keybase), document Keybase in your record of processing activities, run a Transfer Impact Assessment for US transfers, inform users (employees or members), prefer device names that do not identify the bearer, avoid using Keybase identity proofs to link personal accounts to professional identities, and consider migrating to actively developed alternatives if you need long-term roadmap certainty.
Keybase ships no embeddable widget or tracking script for customer websites, so using Keybase does not by itself trigger a cookie consent obligation on your own site; the consent question only arises for the cookies the keybase.io web client sets on its own domain.
DPIA considerations
Keybase processes username, email address, public PGP keys, social media verification proofs, friend network (who you chat with), team memberships, IP address per session, device identifiers (one per Keybase install) and metadata about chat (timestamps, message counts, file sizes), although the content itself is end-to-end encrypted. Key DPIA considerations: (1) since 2020 Keybase belongs to Zoom (US), inheriting Zoom's US transfer posture; (2) metadata can reveal social graphs and communication patterns even without access to message content; (3) public verification proofs link accounts to social handles, making them searchable and aggregatable; (4) account deletion does not always remove all server-side metadata immediately; (5) product development has slowed since the acquisition and the long-term roadmap is uncertain.
Sample consent text
We use Keybase for end-to-end encrypted communications. While message content is encrypted client-side, Keybase (owned by Zoom Video Communications, USA) processes metadata such as your username, IP address and contact graph in the United States under Standard Contractual Clauses and the EU-US Data Privacy Framework. You can withdraw at any time by deleting your Keybase account.
Third-party domains contacted
- keybase.io
- api.keybase.io
- keybaseusercontent.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session | Strictly Necessary | Session | Web client session cookie used to maintain authenticated state on keybase.io. |
| csrf | Strictly Necessary | Session | Cross-site request forgery protection token for the keybase.io web interface. |
Keybase is primarily a desktop and mobile client. The web version at keybase.io sets session and CSRF cookies on the keybase.io domain only for authenticated users, not for anonymous visitors browsing public profiles. There is no third-party tracking widget for customer websites.
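The cookie inventory above is a claim you can verify. The following is an added example, not Keybase's or Zoom's code and not part of this page's original content: a small offline audit that compares the Set-Cookie headers of a captured keybase.io response against the documented inventory. An anonymous response should set no cookies at all, an authenticated response should set exactly `session` and `csrf` as session cookies, and anything else is drift that belongs in your record of processing. The response headers, cookie values and the Secure/HttpOnly expectations are constructed assumptions for the example, not observed behaviour; capture real headers with your browser's developer tools and feed them in.

```python
"""Offline audit of Set-Cookie headers against a documented cookie inventory.

Added example; the inventory mirrors the table on this page, everything else
(header captures, cookie values, attribute expectations) is constructed.
"""

# Documented inventory (from the table): name -> expectations.
# 'httponly' is an audit assumption: a session cookie should be HttpOnly,
# a CSRF double-submit token usually must stay readable by script.
EXPECTED = {
    "session": {"category": "Strictly Necessary", "duration": "Session", "httponly": True},
    "csrf": {"category": "Strictly Necessary", "duration": "Session", "httponly": False},
}

# Constructed sample captures (header name, header value); not real responses.
ANONYMOUS_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "no-cache"),
]
AUTHENTICATED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrf=deadbeef; Path=/; Secure; SameSite=Strict"),
]
# Same as above plus an undocumented, persistent, non-Secure analytics cookie.
DRIFTED_HEADERS = AUTHENTICATED_HEADERS + [
    ("Set-Cookie", "_ga=GA1.2.1; Path=/; Max-Age=63072000"),
]


def parse_set_cookie(value):
    """Parse one Set-Cookie value into (name, value, {attribute: value|True}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, attr_val = attr.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if attr_val else True
    return name.strip(), val.strip(), attrs


def audit(headers, authenticated, expected=EXPECTED):
    """Compare a response's cookies against the inventory and return findings.

    unexpected  - cookie names the inventory does not document
    missing     - documented cookies an authenticated response did not set
    persistent  - cookies documented as 'Session' that carry Max-Age or Expires
    insecure    - cookies lacking Secure, or a session cookie lacking HttpOnly
    anonymous   - any cookie set on an anonymous response (inventory says none)
    """
    cookies = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            cookies[name] = attrs

    findings = {"unexpected": [], "missing": [], "persistent": [],
                "insecure": [], "anonymous": []}
    if not authenticated:
        findings["anonymous"] = sorted(cookies)
    else:
        findings["missing"] = sorted(set(expected) - set(cookies))

    for name, attrs in sorted(cookies.items()):
        spec = expected.get(name)
        if spec is None:
            findings["unexpected"].append(name)
        elif spec["duration"] == "Session" and ("max-age" in attrs or "expires" in attrs):
            findings["persistent"].append(name)
        needs_httponly = bool(spec and spec["httponly"])
        if "secure" not in attrs or (needs_httponly and "httponly" not in attrs):
            findings["insecure"].append(name)
    return findings


def matches_inventory(findings):
    """True when every finding list is empty, i.e. the capture matches the table."""
    return not any(findings.values())


if __name__ == "__main__":
    for label, headers, auth in [("anonymous", ANONYMOUS_HEADERS, False),
                                 ("authenticated", AUTHENTICATED_HEADERS, True),
                                 ("drifted", DRIFTED_HEADERS, True)]:
        result = audit(headers, auth)
        print(label, "OK" if matches_inventory(result) else result)
```

Run it against a real capture by replacing the constructed header lists; a non-empty `anonymous` or `unexpected` list means the inventory on this page no longer describes what the site does and your cookie notice needs updating.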
For individuals signing up, consent is not the basis; the lawful basis is contract performance. For organisations deploying Keybase to employees, contract or legitimate interest applies and employees must be informed. Cookie consent applies only to the web client at keybase.io.
Contract performance (Art. 6(1)(b) GDPR) for the messaging service itself, and legitimate interest (Art. 6(1)(f)) for security telemetry. Marketing communications from Zoom about Keybase products would require consent (Art. 6(1)(a)).
Yes. Since Zoom acquired Keybase in 2020, all infrastructure is operated by Zoom on AWS in the United States. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework, under which Zoom is certified.
A DPIA is recommended whenever Keybase is deployed by an organisation, especially for sensitive use cases (journalism, healthcare, legal, regulated industries). End-to-end encryption is a strong supplementary measure, but the transfer of metadata to the US still merits a documented assessment under Art. 35 GDPR.
For organisational use, sign the Zoom DPA, document Keybase in your record of processing activities, run a Transfer Impact Assessment, inform users in the workforce or member privacy notice, prefer non-identifying device names, and consider end-to-end encrypted EU alternatives if you need full EU residency.
Element (Matrix protocol, can be self-hosted in the EU), Threema (Switzerland), Signal (US non-profit), Wire (Switzerland and Germany), Olvid (France) and Tutanota (Germany) are end-to-end encrypted alternatives. For full EU residency and roadmap certainty, Element with EU hosting or Wire are the closest comparables.
State that Keybase (Zoom Video Communications Inc., USA) is the processor of communications and identity data, list the categories of metadata processed (username, email, IP address, contact graph, device identifiers, message metadata), note that message content is end-to-end encrypted, and give the legal basis, the retention period, the US hosting and the transfer mechanism (SCCs, EU-US Data Privacy Framework).