
Our security practices

Last updated: April 2026

Security is a first-class consideration in how we build, deploy, and operate AI automations for our clients. This page summarizes the practices we follow by default on every engagement.

01 Infrastructure

  • All production workloads run on reputable cloud providers (AWS, GCP, or client-specified equivalent) with SOC 2 Type II certification.
  • Servers use modern, supported operating systems with automatic security patching.
  • All network traffic is encrypted in transit with TLS 1.2 or higher.
  • Data at rest is encrypted using industry-standard AES-256.

02 Access controls

  • Role-based access control for every system we operate.
  • Multi-factor authentication required for all administrative access.
  • Principle of least privilege — engineers only have access to the systems they need.
  • Access is reviewed quarterly and revoked immediately on role change or offboarding.

03 Data handling

  • We do not train third-party AI models on client data. Period.
  • Client data is logically isolated per engagement.
  • Data retention is configured per engagement — we keep only what is necessary for the service to function.
  • Data can be exported or deleted on request within 15 business days.

04 Compliance

Default engagements operate on SOC 2-aligned workflows. For engagements in regulated industries (HIPAA for medical fleets, PCI for payment processing, etc.), we configure additional controls as part of scope. Signed Data Processing Agreements (DPAs) are standard.

05 Secrets management

  • API keys, tokens, and credentials are stored in a dedicated secrets manager, never in code repositories.
  • Keys are scoped narrowly to the operations the agent actually performs.
  • Regular rotation on a defined schedule.

06 Monitoring & auditability

  • Every agent action is logged with an audit trail — who/what/when.
  • We monitor for anomalous patterns and rate-limit aggressively.
  • Clients receive monthly activity summaries and can request ad-hoc audit reports.

07 Vulnerability management

  • Dependencies are scanned continuously for known vulnerabilities.
  • Critical patches are applied within 72 hours of release.
  • Annual third-party penetration tests on production deployments.

08 Responsible disclosure

If you believe you’ve found a security vulnerability in our systems or a client deployment we operate, please report it to ops@keresai.com. We acknowledge within 48 hours and work with reporters to validate and resolve issues quickly. We do not pursue legal action against good-faith researchers who follow responsible disclosure.

09 Questions

We’re happy to share more detail with enterprise prospects and clients under NDA. Email ops@keresai.com.