# Trust & security — Keepstone

> How Keepstone handles data, AI, and incidents. Written down plainly so you can hold us to it. We operate inside your vendor accounts, never ours.

Source: https://keepstone.tech/security
Last modified: 2026-04-24

---

# Written down so you can hold us to it.

We're a small firm, not a Fortune-500 security program. This page says exactly what we do and don't do, so you can decide if we're the right fit for the system you want us to operate.

Last reviewed January 2026 · security@keepstone.tech

Posture · at a glance operating

### How we run.

| Area | Posture |
|---|---|
| Model | **Your accounts. Our operation.** |
| Data | Stays in your infrastructure. Never copied. |
| AI on code | Commercial tools, retention off. |
| AI on data | **Hard no.** Prod data never sent to models via us. |
| Incident SLA | Ack < 4h / < 15m with 24×7 rider. |
| Exit | 30 days written notice. Your assets, your accounts. |

Rev 2026.01 v4

01 · Ownership

You own it all.

Every account, repo, and vendor relationship is in your name. We're delegated members.

02 · Data

Doesn't leave.

We read what we need to operate. We don't copy, mirror, or train on your data.

03 · Access

Least privilege.

Logged, auditable, revocable in seconds. Rotated on personnel change.

04 · Incidents

Written, fast.

Acknowledged, resolved, and documented. Written disclosure within 24 hours of confirmation.

On this page

1.  [Account model](#account-model)
2.  [Data handling](#data-handling)
3.  [AI & LLM policy](#ai-policy)
4.  [Incidents](#incidents)
5.  [Insurance & contracts](#insurance)
6.  [Compliance posture](#compliance)

01 · Account model

## Your accounts. Our operation.

We operate inside your vendor accounts — never ours. No hostage scenarios, no surprise lock-in, no "you'd have to rebuild everything to leave."

Domain & DNS

#### In your registrar, in your name.

We get delegated access. Ownership is yours.

client-owned

Cloud / hosting

#### Billing account in your name.

We operate inside it with IAM roles you can revoke in 60 seconds.

client-owned

Source repository

#### GitHub org you own.

We're members; you can remove us, any day, without losing a line of code.

client-owned

Secrets & credentials

#### In a vault you own.

Provisioned in your name, rotated on engagement start and on personnel change. Access is scoped and logged.

client-owned

Third-party SaaS

#### Vendor relationships in your name.

Stripe, Supabase, Postmark, whatever. Billed to you, owned by you.

client-owned

02 · Data handling

## What we do with your data, in plain English.

**We see it**

To operate a system, we have to be able to read its logs, query its database, and inspect its traffic. We'll never pretend otherwise.

**We don't copy it**

Your data stays in your infrastructure. We don't mirror it to our systems, we don't train anything on it, we don't share it with anyone.

**Access is minimal & logged**

Principle of least privilege. Every action on production data is auditable after the fact, in logs you own.

**We follow your constraints**

If your data is subject to HIPAA, a client confidentiality regime, or a contractual handling rule, we work to it. We'll say so in writing as part of the engagement.

03 · AI & LLM policy

## How we use AI on your work.

We use AI-assisted development every day. Here is what that does and doesn't mean for your data.

Code assistance

#### We use commercial AI coding tools.

Claude, Cursor, Copilot, and similar. Configured to data-retention-off where the provider offers it. Never used on regulated data without explicit written permission.

_default on_

Your production data

#### Does not go to model providers via us.

We don't paste prod data into chat windows. When debugging requires data, we use synthetic fixtures or anonymized samples from staging.

_hard no_

LLMs in your system

#### When your system calls an LLM, you control the provider.

Contracts, retention settings, geographic region, and cost controls are in your name. We operate them for you; we don't own them.

client-owned

Prompt & eval hygiene

#### Included in Operations for LLM-bearing tools.

Prompt versioning, regression evals on meaningful changes, cost alarms, fallback paths when the model provider is down.

_included_

04 · Incidents

## What happens when something breaks.

Every tier has a defined response path. This is the shape of it — exact SLAs live in your engagement letter.

Detect

#### Automated monitoring pages on-call.

Uptime checks, error rate thresholds, synthetic transactions, backup failures.

_always on_

Acknowledge

#### You get an acknowledgement, fast.

Business-hours: within 4 hours. With 24×7 rider: within 15 minutes, any time.

_per SLA_

Respond

#### We start remediation and keep you informed.

Status updates every 30 minutes during active incidents, in a channel we agreed on day one (email, SMS, Slack).

_per SLA_

Disclose

#### Data or security events are disclosed quickly and in writing.

Initial written notice within 24 hours of confirmation. Full post-mortem within 5 business days. We err on the side of over-reporting.

_policy_

Learn

#### Post-mortems feed the practice.

Every major incident produces a written post-mortem, a follow-up action list, and a ship date for preventive work. We review them with you.

_always_

05 · Insurance & contracts

## The commercial posture.

E&O

Errors & omissions (professional liability) sized for our engagement book. Certificate available on request during scoping.

Cyber

Cyber liability coverage that includes incident response costs. Certificate available on request.

NDA

Mutual, two-way, industry-standard form that survives changes in firm structure or personnel. Signed before any engagement work begins.

Engagement letter

Every engagement runs on a written letter that names the principal, the scope, the price, the tier, any riders, the support/enhancement boundary, and the 30-day exit clause.

Subprocessors

A short written list of the third-party services we use on your behalf (hosting, monitoring, paging). Kept current; delivered as part of your engagement doc.

Exit clause

Either party can end the engagement with 30 days written notice. You keep everything: code, accounts, docs, runbooks. Transition plan delivered on request.

06 · Compliance posture

## Your platform runs on infrastructure built for the rules that apply to you.

#### Infrastructure we operate on

*   SOC 2 Type II and ISO 27001 certified cloud providers (AWS, GCP, Azure, Cloudflare).
*   Managed databases, queues, and storage with documented encryption at rest and in transit.
*   Identity, logging, and backup services with verifiable audit trails.
*   Vendor subprocessors vetted for their own compliance posture before we add them.

#### Frameworks we run to

*   HIPAA, for clients handling protected health information — BAAs in place up the stack.
*   PCI-DSS scope minimization, with tokenized processors for any payment flow.
*   State privacy laws (CCPA, CPA, and the rest) as they apply to your users.
*   Any industry or contractual regime your business is already bound by — named in writing in your engagement letter.

FAQ

## Frequently asked questions

What data of ours does Keepstone actually have access to?

Whatever access operating your system requires, and nothing more. In practice that usually includes source code, infrastructure configuration, error logs, monitoring data, and credentials to run releases and respond to incidents. We don't request or store production customer data unless operating the system specifically requires it. Access is read-only where it can be, audited continuously, and revocable at any time. We operate inside your accounts, not ours, so you can pull our access in minutes if you ever need to.

Do you train AI models on our code or our data?

No. We don't train models on client systems, period. The AI agents we use are operating on your code as they go — reading it, analyzing it, drafting changes — but no client data is used to train, fine-tune, or improve any model we run. We use commercial AI providers (Anthropic, OpenAI) under their business agreements, which prohibit training on submitted content.

Where is our data actually stored?

In your accounts. We deliberately operate inside your cloud, your repositories, your monitoring tools, and your credential vault — not ours. Runbooks, dashboards, and incident records live alongside the system. The only data Keepstone holds on our side is what we need to actually run the engagement: your contact info, billing, the contract, and the quarterly summaries we send you.

Are you SOC 2 / HIPAA / GDPR compliant?

Compliance posture depends on what your system requires. We routinely operate inside SOC 2-, HIPAA-, and GDPR-bound environments using your existing controls and our documented operational practices. If your engagement requires us to operate as a covered entity or business associate under HIPAA, or under a customer SOC 2 audit boundary, we work that into the contract during scoping. If we're not the right fit for a specific compliance requirement, we'll tell you that up front.

What happens if there's an incident — a breach, a data leak, an agent doing something it shouldn't?

Documented incident response runs through our framework on every account: detection, containment, communication, root-cause review, written post-mortem shared with you. For client-facing incidents, you're notified inside the timelines specified in your contract. If one of our agents takes an action that produced an unintended outcome, we treat that as serious: the agent is paused, an operator reviews what happened, and the lessons get pushed back into the framework before the agent runs again. We carry both cyber insurance and errors-and-omissions coverage on every engagement.

How is operator access locked down on your side?

Operator access to your systems is named, audited, and scoped. Every Keepstone person who can touch your environment is identified by name in your account audit logs. Access is reviewed quarterly. When an engagement ends, access is revoked within twenty-four hours and the revocation is documented. We don't share credentials between operators, and we don't operate from shared accounts.

Questions before you start?

## Ask anything on the intro call.

We'd rather over-answer security questions in fifteen minutes than under-answer them in a proposal. Bring your constraints, your auditors, your clients' contracts — we'll tell you what we can meet.

[Book a 15-min call →](start) [security@keepstone.tech →](mailto:security@keepstone.tech)
