Built for Canadian pension-fund procurement.

Model risk is our first-class concern. The decision layer is deterministic and traceable; language-model outputs are confined to narrow, auditable roles and never produce portfolio weights.

Every model in use has a validation file, a monitoring plan, and a retirement date. Dissents are logged, not argued. Challenge is structural, not ad-hoc.

Per-tenant AWS accounts, schema-validated inter-component boundaries, circuit breakers, and bounded retries are contractual — not aspirational. Incident response has named handoffs.

The system declares degraded states rather than continuing on best-effort. Anomalies return control to a human operator at clearly defined thresholds.

Investment-policy adherence and board-level accountability are preserved. Keelpilot configures to your Investment Policy Statement; it does not reinterpret it.

Human sign-off on every committed allocation is a contractual term. The memo the IC signs is reproducible from the archive.

We collect only what is required. Analytics on this site is cookie-less. Demo-intake records are retained for the minimum period necessary to serve the enquiry and meet contractual obligations.

Personal information handling follows PIPEDA fair-information principles. Access, correction, and deletion requests are honoured within statutory timelines — write to contact@keelpilot.com.

Controls are documented, reviewed, and mapped to the Trust Services Criteria. SOC 2 Type I posture is current; Type II is on roadmap.

The attestation is shared under NDA as part of the procurement pack.

Canadian data residency by default. Deployment to other AWS regions is available for funds with specific tenancy requirements.

Data at rest is encrypted with keys scoped to the tenant account. Data in transit is TLS 1.2+ throughout.

Source escrow, right-to-audit, and termination-for-convenience clauses are available on request. Procurement teams see these terms often enough to know which vendors actually agree to them.