KeenSafe
Trust Center

Built to be operated inside the most regulated environments in the world.

KeenSafe runs inside Tier-1 banks, national grid operators, healthcare groups and federal-aligned defense suppliers. Every control on this page is enforced at the platform level — not described in a marketing PDF, not left to operator discretion.

  • Tenants in production: 180+ (Enterprise · MSSP · federal-aligned)
  • Region patterns supported: 14 (includes 4 sovereign-cloud overlays)
  • Cryptography baseline: AES-256 · TLS 1.3 · BYOK · HYOK · HSM-backed
  • Audit log retention: 7y default (configurable up to indefinite)
Trust pillars

Twelve controls procurement teams ask about. Every one is platform-enforced.

We assembled this list from the actual questions our largest customers — and their auditors — ask during procurement. Each pillar links to the underlying enforcement; ask for the full implementation memo under NDA.

Tenant isolation

Every customer runs in its own isolated tenant with its own key material: no shared application state, no shared keys, no shared evidence chain.

  • Per-tenant logical isolation enforced at API gateway, orchestrator, and storage tier
  • Per-tenant encryption keys derived from tenant-bound key material (KMS / HSM-backed)
  • Cross-tenant access requires a signed authorization manifest and is logged as a high-severity event
  • Tenant deletion is cryptographic: the tenant's keys are destroyed first, then the encrypted blobs are zeroized within 24h
Encryption standards

TLS 1.3 everywhere in transit. AES-256-GCM at rest. Customer-managed keys supported across SaaS, single-tenant cloud, on-prem and air-gapped.

  • TLS 1.3 only for new tenants (TLS 1.2 is deprecated); mTLS available for high-trust integrations
  • AES-256-GCM for at-rest data · KMS-fronted envelope encryption with per-object DEKs
  • BYOK and HYOK supported via AWS KMS, Azure Key Vault, GCP KMS and HSM (Thales / Entrust)
  • FIPS 140-3 validated cryptographic modules available for federal-aligned deployments
Audit logging

Every operator action, every API call, every evidence-chain write — append-only, signed, and exportable to your SIEM.

  • Tamper-evident audit log written to append-only WORM storage, signed per-event
  • Real-time streaming to customer Splunk / Sentinel / Chronicle / S3 via native sink
  • Retention defaults to 7 years; configurable per-tenant up to indefinite
  • Independent operator-action visibility — KeenSafe staff actions are logged in the customer-visible audit feed
Region pinning & data residency

Tenant data, evidence, and processing stay in the region you select. Sovereign-cloud overlays for EU, UK, US, AU, and federal-aligned environments.

  • Region pinning enforced at orchestrator and storage layers — data never crosses region without explicit policy
  • Sovereign-cloud patterns supported: Bleu (FR), Delos (DE), GCC-High (US-Fed), IL5 / IL6 paths
  • Single-tenant deployment available in any AWS / Azure / GCP region
  • On-prem and air-gapped options for environments that cannot egress to a vendor cloud
Data retention & deletion

You decide what is retained, for how long, and what gets purged. Cryptographic deletion is the default.

  • Configurable retention per data class: scope inventory, attack-path evidence, audit logs, identity metadata
  • GDPR Art. 17 / CCPA right-to-delete supported within SLA — surfaced via tenant admin console
  • Cryptographic erasure available for high-sensitivity datasets — key destruction precedes data deletion
  • Backup and DR copies inherit the source retention class — no retention drift
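How per-object DEKs under a KMS-held tenant key turn "key destruction precedes data deletion" into a mechanical guarantee, as an added illustration that is not KeenSafe's code. It covers both the envelope-encryption bullet under Encryption standards and the cryptographic-deletion bullets under Tenant isolation and Data retention & deletion. The in-memory TenantKEK, the choice of tenant ID and object ID as GCM associated data, and the sample evidence string are assumptions of the example; a real deployment keeps the KEK inside AWS KMS, Azure Key Vault, GCP KMS or an HSM and only issues wrap/unwrap calls against it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TenantKEK is a hypothetical in-memory stand-in for the KMS/HSM-held tenant KEK.
type TenantKEK struct {
	key []byte // 32 bytes -> AES-256; nil once destroyed
}

// EncryptedObject is what lands in storage: the wrapped DEK travels with the ciphertext.
type EncryptedObject struct {
	WrappedDEK []byte // per-object DEK, sealed under the tenant KEK
	Payload    []byte // nonce || AES-256-GCM ciphertext+tag
}

func NewTenantKEK() (*TenantKEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &TenantKEK{key: k}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext under AES-256-GCM; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key or sealed blob too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// Destroy zeroizes the KEK: every DEK wrapped under it, and so every object, is now unrecoverable.
func (k *TenantKEK) Destroy() {
	for i := range k.key {
		k.key[i] = 0
	}
	k.key = nil
}

// EncryptObject generates a fresh DEK per object and wraps it under the tenant KEK. Tenant ID is
// the wrap AAD (no cross-tenant unwrap) and object ID is the payload AAD (no moving blobs between slots).
func EncryptObject(kek *TenantKEK, tenantID, objectID string, plaintext []byte) (*EncryptedObject, error) {
	if kek.key == nil {
		return nil, errors.New("tenant KEK destroyed")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.key, dek, []byte(tenantID)) // the KMS "encrypt" call
	if err != nil {
		return nil, err
	}
	payload, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Payload: payload}, nil
}

// DecryptObject unwraps the object's DEK through the KEK, then opens the payload.
func DecryptObject(kek *TenantKEK, tenantID, objectID string, obj *EncryptedObject) ([]byte, error) {
	if kek.key == nil {
		return nil, errors.New("tenant KEK destroyed: wrapped DEKs are unrecoverable")
	}
	dek, err := open(kek.key, obj.WrappedDEK, []byte(tenantID)) // the KMS "decrypt" call
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Payload, []byte(objectID))
}
```

Once Destroy has run, every wrapped DEK is ciphertext under a key that no longer exists, so the blobs can be zeroized on the storage tier's own schedule (the 24h window above) with no interval in which they are readable. The check a practitioner should make is that backup and DR copies reference the same KEK: a restored copy with its own key material would resurrect data the deletion was supposed to end, which is the point of the retention-inheritance bullet above.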
RBAC & identity

Fine-grained roles, scoped tokens, short-lived credentials and SSO-everywhere — including for KeenSafe staff access.

  • Native SSO via SAML 2.0 and OIDC — Okta, Entra ID, Ping, Auth0, JumpCloud
  • Just-in-time provisioning + SCIM 2.0 for user lifecycle automation
  • Granular role catalog with 24 built-in roles; custom roles defined via policy DSL
  • Phishing-resistant MFA required for admin roles — FIDO2 / WebAuthn (passkeys), TOTP fallback
API security

Every API call is authenticated, signed, rate-limited and scope-bound. The platform exposes nothing more than it needs to.

  • OAuth 2.1 with mTLS-bound tokens · short-lived access tokens (15m default) with refresh rotation
  • Per-endpoint scope enforcement · token capabilities cannot exceed their grant
  • Rate limiting + DDoS protection at the edge · request signing on high-risk endpoints
  • OWASP API Security Top 10 mapped to platform controls and re-validated quarterly
Production-safe execution

No agents required for discovery. Validation is read-only by default. Exploit-grade payloads only execute against written-authorized scope.

  • Default-deny for any action that could cause downtime: such runs fall back to "verify only" mode
  • Production-safe validation primitives: read-only enumeration, topological proof-of-reach, sandboxed payload replay
  • OT and clinical exclusion lists honored at the orchestration layer: excluded assets are never dispatched to operators
  • Per-run sign-off workflow for any path that crosses a designated critical-asset boundary
Scope enforcement

Authorized scope is a first-class object. The platform refuses to run against any asset that is not explicitly in scope.

  • Written authorization manifest binds every engagement to allowed asset classes, regions, and operators
  • Per-asset scope checks at the orchestrator: out-of-scope assets are dropped from the run before any traffic is sent to them
  • Scope changes require multi-party authorization and are logged with reason codes
  • Customer-side scope-revocation API — pull a scope and every operator is denied within 60 seconds
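The manifest-bound check described in this pillar, as an added example that is not KeenSafe's code: a signed authorization manifest is verified at the orchestrator before any asset is touched, every denial carries a reason, and revocation denies on the next check. The field names, Ed25519 signing over canonical JSON, CIDR prefixes via net/netip and the sample engagement data are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/netip"
	"time"
)

// ScopeManifest is the written authorization as a machine-checkable object. Allow-lists
// are sets: json.Marshal sorts map keys, so the signed encoding is canonical.
type ScopeManifest struct {
	EngagementID string          `json:"engagement_id"`
	Tenant       string          `json:"tenant"`
	Prefixes     []string        `json:"prefixes"` // allowed address ranges, CIDR notation
	Regions      map[string]bool `json:"regions"`
	Operators    map[string]bool `json:"operators"`
	NotAfter     time.Time       `json:"not_after"`
}

// SignedManifest is the manifest plus the authorizing party's signature over its canonical JSON.
type SignedManifest struct {
	Manifest ScopeManifest
	Sig      []byte
}

func Sign(priv ed25519.PrivateKey, m ScopeManifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Sig: ed25519.Sign(priv, raw)}, nil
}

type Asset struct{ Addr, Region string }

// Enforcer sits at the orchestrator: one trusted authorizing key, a revocation set, and
// an injectable clock so expiry can be tested.
type Enforcer struct {
	AuthorizerPub ed25519.PublicKey
	Now           func() time.Time
	revoked       map[string]bool
}

func NewEnforcer(pub ed25519.PublicKey) *Enforcer {
	return &Enforcer{AuthorizerPub: pub, Now: time.Now, revoked: map[string]bool{}}
}

// Revoke models the customer-side revocation API: every later check for the engagement denies.
func (e *Enforcer) Revoke(engagementID string) { e.revoked[engagementID] = true }

// Authorize answers one question: may this operator touch this asset under this manifest?
// The signature is checked before anything in the manifest, including its expiry, is trusted.
func (e *Enforcer) Authorize(sm SignedManifest, operator string, a Asset) error {
	raw, err := json.Marshal(sm.Manifest)
	if err != nil || !ed25519.Verify(e.AuthorizerPub, raw, sm.Sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	m := sm.Manifest
	switch {
	case e.revoked[m.EngagementID]:
		return fmt.Errorf("scope %s revoked", m.EngagementID)
	case !e.Now().Before(m.NotAfter):
		return fmt.Errorf("manifest expired at %s", m.NotAfter.Format(time.RFC3339))
	case !m.Operators[operator]:
		return fmt.Errorf("operator %q not on allow-list", operator)
	case !m.Regions[a.Region]:
		return fmt.Errorf("region %q out of scope", a.Region)
	}
	addr, err := netip.ParseAddr(a.Addr)
	if err != nil {
		return fmt.Errorf("unparseable address %q", a.Addr)
	}
	for _, p := range m.Prefixes {
		if pfx, err := netip.ParsePrefix(p); err == nil && pfx.Contains(addr) {
			return nil
		}
	}
	return fmt.Errorf("address %s outside authorized prefixes", addr)
}

// SampleEngagement builds a constructed manifest (sample data, not real customer scope) and an enforcer that trusts its signer.
func SampleEngagement() (SignedManifest, *Enforcer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedManifest{}, nil, err
	}
	sm, err := Sign(priv, ScopeManifest{
		EngagementID: "eng-0007", Tenant: "tenant-a",
		Prefixes:     []string{"10.20.0.0/16", "203.0.113.0/24"},
		Regions:      map[string]bool{"eu-west-1": true},
		Operators:    map[string]bool{"alice": true},
		NotAfter:     time.Now().Add(time.Hour),
	})
	return sm, NewEnforcer(pub), err
}
```

The orchestrator calls Authorize once per candidate asset and records each non-nil error as the drop reason, so an out-of-scope asset is excluded before any probe is sent and an auditor can later see why it was excluded rather than finding a silent gap. Revocation here is a local set, which is what makes the 60-second bound above a propagation problem: every enforcer instance has to learn about the pull, not just the one that received the API call.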
Legal & privacy controls

DPA, SCCs, BAAs, and procurement collateral ready before the first call with your legal team.

  • Standard Contractual Clauses (EU SCCs 2021/914) executed at order time
  • HIPAA Business Associate Agreement available for US healthcare deployments
  • DPIA template + Transfer Impact Assessment ready to share under NDA
  • No customer data is used to train AI models · evidence chain is customer-scoped only
Compliance posture

Independently attested and audit-ready for the frameworks your auditors and regulators care about.

  • SOC 2 Type II · SOC 3 public report · refreshed annually
  • ISO/IEC 27001:2022 · ISO/IEC 27017 (cloud) · ISO/IEC 27018 (PII)
  • PCI DSS 4.0 SAQ-A scope (relevant only to tenants operating in a card-data context; KeenSafe never stores PAN)
  • HIPAA Security Rule, GDPR Art. 32, NERC CIP-014 evidence acceptance, IEC 62443-3-3 alignment
Secure architecture

Zero-trust internal architecture, hardware-key-bound operator access, signed evidence chain end-to-end.

  • Internal services use mTLS + SPIFFE workload identities — no shared secrets at the service boundary
  • Operator access brokered through a zero-trust gateway with FIDO2 hardware keys and session recording
  • Evidence is signed at point of generation; chain-of-custody is verifiable end-to-end
  • Quarterly independent penetration tests on the platform itself · summary letter available under NDA
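What "append-only, signed per-event, tamper-evident" and "signed at point of generation, chain-of-custody verifiable end-to-end" mean mechanically, as an added example that is not KeenSafe's implementation; it serves both the Audit logging pillar and the evidence-chain bullet above. It assumes an in-memory writer with an Ed25519 key it generates itself (a real writer appends to WORM storage and signs from an HSM), SHA-256 for the chain links, and constructed sample events.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// eventBody is the part of a record that is hashed and signed; struct order fixes JSON order, so the encoding is canonical.
type eventBody struct {
	Seq      uint64 `json:"seq"`
	Tenant   string `json:"tenant"`
	Actor    string `json:"actor"` // operator, service, or KeenSafe staff identity
	Action   string `json:"action"`
	Target   string `json:"target"`
	PrevHash string `json:"prev_hash"` // hash of the previous record: the chain link
}

// AuditEvent is one append-only record, as exported to a SIEM.
type AuditEvent struct {
	eventBody
	Hash string `json:"hash"` // SHA-256 over the canonical body
	Sig  string `json:"sig"`  // Ed25519 signature over Hash, made when the record is written
}

var genesisHash = strings.Repeat("0", 64)

// AuditLog is a hypothetical in-memory writer; a real one appends to WORM storage and signs from an HSM.
type AuditLog struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	events []AuditEvent
}

func NewAuditLog() (*AuditLog, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditLog{priv: priv, pub: pub}, nil
}

func hashBody(b eventBody) string {
	raw, _ := json.Marshal(b) // a struct of integers and strings cannot fail to marshal
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Append creates the next record, links it to the current head and signs it per-event.
func (l *AuditLog) Append(tenant, actor, action, target string) AuditEvent {
	body := eventBody{Seq: uint64(len(l.events)), Tenant: tenant, Actor: actor,
		Action: action, Target: target, PrevHash: l.Head()}
	h := hashBody(body)
	sig := ed25519.Sign(l.priv, []byte(h))
	ev := AuditEvent{eventBody: body, Hash: h, Sig: hex.EncodeToString(sig)}
	l.events = append(l.events, ev)
	return ev
}

// Head is the latest record hash; a truncated chain still verifies, so only an externally held head exposes truncation.
func (l *AuditLog) Head() string {
	if n := len(l.events); n > 0 {
		return l.events[n-1].Hash
	}
	return genesisHash
}

func (l *AuditLog) PublicKey() ed25519.PublicKey { return l.pub }

// Export returns a copy of the chain, as a SIEM sink would receive it.
func (l *AuditLog) Export() []AuditEvent { return append([]AuditEvent(nil), l.events...) }

// Verify walks an exported chain with only the public key, as a customer SIEM would; it catches
// edited, reordered, inserted or removed records anywhere before the head.
func Verify(pub ed25519.PublicKey, events []AuditEvent) error {
	prev := genesisHash
	for i, ev := range events {
		if ev.Seq != uint64(i) {
			return fmt.Errorf("record %d: sequence mismatch (seq %d)", i, ev.Seq)
		}
		if ev.PrevHash != prev {
			return fmt.Errorf("record %d: chain break", i)
		}
		if hashBody(ev.eventBody) != ev.Hash {
			return fmt.Errorf("record %d: body does not match its hash", i)
		}
		sig, err := hex.DecodeString(ev.Sig)
		if err != nil || !ed25519.Verify(pub, []byte(ev.Hash), sig) {
			return fmt.Errorf("record %d: bad signature", i)
		}
		prev = ev.Hash
	}
	return nil
}
```

Verify needs only the public key, which is what makes the SIEM export independently checkable by the customer. The caveat to know: a chain walk cannot by itself detect that the newest records were cut off, because a shortened chain is still internally consistent. That is why Head exists; keep the latest head hash somewhere the log writer cannot reach (your own SIEM, a customer-held checkpoint) and compare it against each export.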
Data lifecycle

What KeenSafe touches at every phase — and what it does with it.

Scope authorization
  Data class: Asset inventory · IP ranges · domains · OT asset classes · operator allow-list
  Control: Signed authorization manifest · stored in WORM evidence chain · revocable API
Discovery
  Data class: Asset metadata · TLS certificates · DNS · open ports · identity inventory
  Control: Read-only primitives by default · all probes attributable to a single authorization manifest
Attack-path generation
  Data class: Graph of relationships between assets, identities, and crown jewels
  Control: Generated inside tenant-bound compute · graph never leaves the tenant region
Safe proof-of-exploit
  Data class: Reproducible per-step evidence · screenshots · network captures · response payloads
  Control: Crown-jewel boundary checks enforced · per-run sign-off for boundary-crossing actions
Reporting & retention
  Data class: Executive reports · technical kill-chain · remediation packages · audit-grade evidence
  Control: Per-tenant key material · configurable retention · cryptographic deletion on request
Compliance posture

Independently attested. Audit-ready. Regulator-accepted.

We don't treat compliance as the goal — we treat it as a baseline. The frameworks below are the floor we operate on, not the ceiling we aim for.

SOC 2 Type II
  Annual independent attestation
ISO/IEC 27001:2022
  Information security management
ISO/IEC 27017
  Cloud-security controls
ISO/IEC 27018
  PII processing in the cloud
GDPR
  EU SCCs + DPA + DPIA template
HIPAA
  BAA available for US healthcare
NERC CIP-014
  Evidence chain accepted by regulators
IEC 62443-3-3
  OT / ICS security alignment
PCI DSS 4.0
  SAQ-A scope (no PAN stored)
NIST CSF 2.0
  Controls mapped end-to-end
CSA STAR Level 2
  Cloud Security Alliance
TX-RAMP / StateRAMP
  Roadmap · 2026
Reports and letters of attestation available under mutual NDA. Email [email protected] with your company domain to request the procurement pack.
Sub-processors

The vendors that handle your data — and the ones that don't.

The list below is exhaustive for SaaS deployments. Single-tenant and on-prem deployments may use a subset or none, depending on your region and operating model.

Amazon Web Services
  Role: Primary SaaS hosting · KMS · S3 · EC2
  Regions: us-east-1 · eu-west-1 · eu-central-1 · ap-southeast-2
Microsoft Azure
  Role: Single-tenant deployment · Key Vault · Sentinel sink
  Regions: EU North · UK South · East US · Australia East
Google Cloud Platform
  Role: Single-tenant deployment · KMS · Chronicle sink
  Regions: europe-west1 · us-central1 · australia-southeast1
Cloudflare
  Role: Edge WAF · DDoS · TLS termination
  Regions: Global · region-pinned per tenant where required
Datadog
  Role: KeenSafe internal observability · no customer data
  Regions: EU · US (region-pinned)
Okta
  Role: KeenSafe staff SSO + FIDO2 enforcement
  Regions: US · EU
Incident response

What happens when something goes wrong.

Our IR commitments are operational, not aspirational. If a control on this page fails, you will hear about it from us, with enough detail and enough lead time to brief your own stakeholders.

P0 — confirmed compromise
Customer notification within 24 hours · written post-incident report within 72 hours · forensic artifacts available within 7 days.
P1 — material control failure
Customer notification within 72 hours · root-cause analysis within 14 days · re-validation of compensating controls before close.
P2 — partial control degradation
Customer notification within 5 business days · published change log entry · evidence of remediation in the next audit cycle.
P3 — informational
Surfaced via the customer trust portal · no individual customer notification required.
  • 1.84M+ validated attack paths
  • 12.6M monitored assets
  • 180+ active integrations
  • 38,400 validation runs / week
  • 14 region patterns supported (including 4 sovereign-cloud overlays)
  • 74% faster MTTR on critical paths
Get Started

Request the full procurement pack

DPA · SCCs · SOC 2 Type II report · ISO 27001 certificate · DPIA template · pen-test summary letter · architecture diagram — sent within one business day to verified company domains.