Security
Security posture and responsible disclosure.
This page is the public-facing short form of our security posture. Procurement teams receive the full control inventory and SOC 2 attestation under NDA.
Disclosure contact
We welcome good-faith security research. Send reports to contact@keelpilot.com. A machine-readable copy is at /.well-known/security.txt (RFC 9116).
We send an initial acknowledgement within one business day. Remediation timelines depend on severity and are communicated case by case.
Scope
In scope: keelpilot.com, the demo-intake endpoint, and any other public-facing endpoints under this domain.
Out of scope: denial-of-service testing, volumetric load generation, social engineering of staff or customers, physical attacks on AWS infrastructure, third-party services we do not operate, and any activity targeting customer tenants.
Safe harbor
Research conducted in good faith, within scope, without exfiltration or disruption, will not result in legal action initiated by Keelpilot. Make a good-faith effort to avoid privacy violations and service disruption; stop and notify us if you encounter personal data.
Infrastructure posture
- AWS-native, per-tenant account model.
- Canadian data residency (ca-central-1) by default.
- TLS 1.2+ in transit; encryption at rest with tenant-scoped keys.
- Schema-validated boundaries between internal components.
- Circuit breakers, bounded retries, and named incident handoffs.
- SOC 2 Type I posture; Type II on roadmap.
- Source escrow, right-to-audit, and termination-for-convenience available on request.