Security

Built in the EU. Secured for the EU.

Keloa is hosted in Amsterdam, encrypted end to end, and built from the ground up to satisfy the customer-data security requirements European SMBs and their regulators actually have.

GDPR

Full GDPR Article 28 compliance. DPA available for all customers.

EU-hosted

Primary hosting in Amsterdam, backups in Dublin.

ISO 27001

On the roadmap. Audit kicks off Q3 2026, target certification Q1 2027.

SOC 2 Type II

Roadmap, after ISO 27001. Target completion 2027.

How we protect your data

The six things that matter, in plain language.

EU-hosted, end to end

Primary hosting in Amsterdam, with backups in Dublin. All on EU cloud infrastructure. No customer data leaves the EEA without an applicable transfer mechanism.

Encrypted in transit and at rest

TLS 1.3 on every connection. AES-256 encryption for data at rest. Per-tenant encryption keys, rotated quarterly. Backups encrypted with separate keys.

Access control with MFA + SSO

All Keloa staff access requires SSO and hardware-backed MFA. Production access is just-in-time, audited, and limited to a small on-call rotation.

Per-tenant isolation

Each customer's data lives in a logically isolated tenant with its own encryption keys, AI agent, knowledge base, and inbox. No cross-tenant queries, ever.

AI provenance and audit

Every AI reply is logged with the prompt, the cited sources, the model version, and the confidence score. Full audit log export available on Scale.

Penetration tested annually

Independent security testing by an accredited Dutch firm, with summary reports available under NDA. Rolling bug bounty for select researchers.

Reporting issues

Found a vulnerability?

Email security@keloa.ai with details. We respond within one business day, fix critical issues within 72 hours, and credit reporters publicly (with consent) on every fix release.

FAQ

Security questions, answered.

Where is our data stored?

In the EU. Primary hosting in Amsterdam, with backups in Dublin, on EU cloud infrastructure. No customer data leaves the EEA without an applicable transfer mechanism, and the default configuration has no transatlantic data transfers.

Is Keloa GDPR compliant?

Yes. Full Article 28 processor compliance, with a DPA available to every customer on every plan (including the free Starter tier), not gated to enterprise. Sub-processors are listed publicly with name, purpose, and region. All data subject rights (export, delete, portability) are built into the product.

Is the DPA included with every plan?

Yes, on every plan including the free Starter tier. You can read or download the DPA at /legal/dpa, or request a countersigned copy by email. No upgrade required, no negotiation needed for the standard text.

Is Keloa ISO 27001 or SOC 2 certified?

Not yet. ISO 27001 is on the roadmap with the audit kicking off Q3 2026 and target certification Q1 2027. SOC 2 Type II is planned after ISO 27001, with target completion 2027. Until certification, the controls and policies are in place and an architecture document is available under NDA for security reviews.

How is the data encrypted?

TLS 1.3 on every connection in transit. AES-256 for data at rest. Per-tenant encryption keys, rotated quarterly. Backups are encrypted with separate keys. Each customer is logically isolated, and cross-tenant queries are blocked at the model layer.

Who has access to our data on the Keloa side?

All staff access requires SSO and hardware-backed MFA. Production access is just-in-time, fully audited, and limited to a small on-call rotation. No engineer has standing access to your data; every read is logged and reviewed.

How is PII handled in AI requests?

Emails, phone numbers, IBANs, and card numbers are redacted before any AI request leaves the platform. Routing prefers EU endpoints where the model provider offers them. The full DPA covers the legal mechanisms (SCCs) that apply when any non-EEA processing is required. We do not train AI models on your data, ever.

Compliance team needs more?

We've handled procurement reviews from Dutch banks, Belgian insurers, and German enterprise IT, and we'll handle yours. Book a demo or email security@keloa.ai.