Trust Center

Security, privacy, and compliance at Keel.

Keel processes Protected Health Information on behalf of brokers, employers, and health plans. We hold ourselves to the posture every benefits administrator (benadmin) and carrier requires before integrating — and we publish the details here.

Last updated: June 1, 2026
Security questions: [email protected]
Status: View live status

SOC 2: Type II
HIPAA: Business Associate
BAA: Available on request
Uptime target: 99.9%

Certifications and attestations

A snapshot of the frameworks Keel is audited against, plus the ones we’re actively pursuing. Reports and letters are available under NDA — ask security.

SOC 2 Type II
Active
Independent attestation that Keel’s controls over security, availability, and confidentiality are designed and operating effectively. Audited annually by a licensed CPA firm. Report available under NDA.
Auditor: Independent CPA firm · Scope: Security, Availability, Confidentiality
HIPAA · Business Associate
Active
Keel operates as a HIPAA Business Associate when handling Protected Health Information on behalf of brokers, employers, group health plans, or carriers. Administrative, physical, and technical safeguards are in place per 45 CFR Part 164.
Framework: HIPAA / HITECH · Role: Business Associate
Business Associate Agreement
Available
A BAA is executed with every covered entity and upstream business associate before PHI is exchanged. Keel’s standard BAA is available for review — ask security.
Default: Keel standard form · Negotiated forms: Welcome
HITRUST CSF
In progress
Keel is on the HITRUST CSF certification roadmap. We map current controls to the HITRUST control catalog and are working toward formal certification in support of carrier and health-plan integration requirements.
Target: r2 certification · Status: Readiness assessment
State privacy laws · GDPR
In scope
Keel honors data-subject rights under California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, and other state privacy frameworks, as well as GDPR for EU/UK data subjects where applicable. See the privacy policy for the rights matrix.
Insurance producer license
Active
Keel holds an entity insurance producer license in every state where we operate, which is what makes Amanda’s recommendations a first-class product output rather than generic decision support.
License: Entity producer · States: Per the brokerage of record

Operational controls

The day-to-day posture behind the certifications — what’s on, what’s logged, what’s encrypted, what’s reviewed.

Encryption in transit
TLS 1.2+ for all traffic between clients, Keel, and subprocessors. HSTS enforced on every public surface.
Encryption at rest
AES-256 for application data, object storage, and backups. Keys managed in a dedicated KMS with rotation.
SSO & SAML
Single sign-on with Okta, Google Workspace, and Microsoft Entra. SCIM-based provisioning available on enterprise plans.
Audit logs
Every PHI access, configuration change, and admin action is logged with actor, time, and request context. Exportable on request.
Least-privilege access
Role-based access control with tenant isolation. Production access is JIT-elevated, time-bound, and approved per session.
Backup & recovery
Encrypted daily backups with point-in-time recovery. Disaster-recovery runbooks are tested annually.
Vulnerability management
Continuous dependency scanning, SCA, and SAST in CI. Critical findings are triaged within one business day.
Penetration testing
Annual third-party penetration test against the platform and supporting infrastructure. Letter available under NDA.
Incident response
24x7 paging on production health, documented severity classification, and customer notification within HIPAA-required windows.

Subprocessors

The third parties Keel uses to operate the platform. Each is governed by a BAA where PHI is involved and a DPA where applicable. See the privacy policy for the canonical list.

Subprocessor                    | Purpose                                  | Data category
Anthropic                       | Amanda's language model (Claude)         | PHI under BAA, with PHI redaction at boundary
Cloud infrastructure (primary)  | Compute, storage, networking             | All platform data under BAA
Database & managed services     | Tenant database, queues, object storage  | All platform data under BAA
Authentication                  | Identity, SSO, MFA                       | Identity metadata, no PHI
Observability                   | Error tracking, performance monitoring   | Scrubbed telemetry, no PHI in payloads
Email & messaging               | Transactional email, SMS, voice          | Member contact data under BAA

Have a security or compliance question?
Send us a security questionnaire, request our SOC 2 report or pen-test letter, or ask about a specific control. We respond within one business day.