Last updated: June 2026
Keply handles customer-success data on your behalf, and we treat protecting it as core to the product. This page summarizes our security program. We are happy to share more detail, our security documentation, and a completed security questionnaire under NDA — contact [email protected].
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Integration access tokens are encrypted with an application-managed key and are never stored in plaintext. Secrets are kept in managed secret stores, never in source code.
Keply is multi-tenant. Data is isolated at the database layer with deny-by-default row-level security scoped to each organization, backstopped by organization scoping in the application. One customer's data is never accessible to another.
We follow least privilege. Administrative access to our systems requires multi-factor authentication, access is reviewed regularly, and it is removed promptly when no longer needed.
Our AI agent computes scores and drafts outreach, but a human stays in control: actions that contact your customers default to requiring your approval (the "autonomy dial"), and every agent action is recorded in an audit log. Data sent to our AI provider is processed under commercial terms that prohibit training on your data. See our Subprocessors.
Keply runs on Supabase (database, auth, storage) and Cloudflare (hosting, CDN, WAF) — providers that maintain their own SOC 2 and ISO 27001 attestations and handle physical and infrastructure security. We maintain managed backups with point-in-time recovery.
Changes go through peer-reviewed pull requests with automated checks before deployment, and database changes ship as versioned migrations. We monitor dependencies for known vulnerabilities.
We comply with the EU/UK GDPR and the Israeli Privacy Protection Law. See our Privacy Policy and Data Processing Addendum. We support data-subject requests and data deletion on termination.
Keply maintains an information-security program that has been designed and implemented, and is operated, to align with the Trust Services Criteria for Security, Availability, and Confidentiality established by the American Institute of Certified Public Accountants (AICPA) for SOC 2. The design and operation of these controls are documented in our internal control matrix and assessed by us against those criteria.
These controls are self-assessed. Keply has not yet completed an independent third-party SOC 2 examination and does not represent that it holds a SOC 2 report, attestation, or certification. A SOC 2 report can be issued only by a licensed CPA firm following such an examination, which Keply intends to pursue. Nothing on this page should be construed as a statement that an independent SOC 2 audit has been performed.
Our current SOC 2 self-assessment, control matrix, and supporting security documentation are available to customers and prospective customers under a non-disclosure agreement. We will update this page promptly if and when an independent SOC 2 report is issued. To request our documentation, contact [email protected].
If you believe you have found a security issue, please email [email protected] with details. We appreciate responsible disclosure and will acknowledge your report.