Trust center

Security isn't a feature. It's the architecture.

Keystone is built to be a trust layer for other companies' most sensitive data, so we engineer for isolation, encryption, and auditability at every layer.

  • GDPR-ready
  • SOC 2 (planned)
  • ISO 27001 (planned)
  • DPA at launch

Compliance roadmap: the certifications marked planned are future goals, not yet pursued or held.

Defense in depth

Six guarantees that run through every layer.

Tenant isolation

Every record is tenant-scoped; cross-tenant access is impossible by construction.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest, field-level encryption for secrets.

Strong authentication

MFA, passwordless, enumeration-safe flows, rotating refresh tokens.

Least-privilege keys

Scoped API keys, shown once, revocable instantly, fully audited.

Tamper-evident audit

Every sensitive action logged with actor, target, tenant, and trace id.

Fail-safe by design

Fail-closed authorization, hard spend caps, and load-shedding.

Application security

Secure-by-default APIs with strict validation and predictable failure modes.

  • RFC 9457 problem+json errors with stable codes, no leaky stack traces
  • Strict input validation (Zod schemas) on every endpoint
  • Layered rate limiting (IP, IP+email, per-key) with 429 + Retry-After
  • Idempotency keys on every mutation to prevent duplicate side effects
  • Fail-closed authorization on sensitive capabilities

Infrastructure security

Hardened edge and isolated compute, fronted by a global WAF.

  • Cloudflare edge: WAF, DDoS protection, and bot mitigation
  • TLS everywhere with modern cipher suites
  • Network isolation between services and datastores
  • Automated backups with point-in-time recovery
  • Region-pinned data storage

Data protection

You own your data; we give you the controls and guarantees to prove it.

  • AES-256 encryption at rest; envelope-encrypted field secrets (TOTP, keys)
  • GDPR data export and deletion, per-org and per-end-user
  • Configurable retention and audit-log export to your object store
  • Minimal data collection; we never sell your data
  • Documented sub-processor list with change notifications

Identity & access

Defense in depth for the people and machines touching your tenant.

  • TOTP MFA with recovery codes and passwordless sign-in
  • Rotating refresh tokens with reuse detection (auto-revoke all sessions)
  • Scoped, prefixed API keys with one-time secret reveal
  • Role-based access (owner/admin/billing/developer/member/viewer)
  • Sign-out-everywhere and per-session controls

Monitoring & response

We see what happens, attribute it, and act fast.

  • Tamper-evident audit logs across every service
  • Correlation ids propagated across service boundaries
  • Operator actions are attributed and recorded
  • Anomaly + quota alerting with hard spend caps
  • Documented incident response with coordinated disclosure

Security FAQ

How is data isolated between tenants?

Every record carries its organization id and all queries are scoped server-side. There is no code path that returns another tenant’s data; isolation is enforced by construction, not convention.

Will you support SSO and SCIM?

SAML/OIDC SSO and SCIM provisioning are on the roadmap for enterprise plans at launch. Join the waitlist if this is a requirement and we’ll keep you posted.

Can I get a DPA and a security package?

We’ll provide a Data Processing Agreement, sub-processor list, and security documentation at launch. Reach out and we’ll share our current posture.

How are secrets like API keys and MFA handled?

API key secrets are shown exactly once and stored only as hashes. TOTP secrets are field-encrypted with envelope keys. Refresh tokens are hashed at rest.
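An added example, not Keystone's own code, of the refresh-token handling described here and under Identity & access: tokens are stored only as hashes, each login starts a token family, and presenting an already-exchanged token revokes the whole family. The store, record shape and method names are assumptions for illustration.

```typescript
// Added illustration (not Keystone's code): refresh-token rotation with
// reuse detection and hashed storage. In-memory store stands in for a database.
import { createHash, randomBytes } from "node:crypto";

interface TokenRecord {
  family: string;   // every token descended from one login shares a family id
  tenantId: string; // tenant-scoped, like every other record on this page
  userId: string;
  used: boolean;    // set once this token has been exchanged for a new one
}

// The plaintext token goes to the client; only its SHA-256 digest is stored.
const hashToken = (t: string): string =>
  createHash("sha256").update(t).digest("hex");

class RefreshTokenStore {
  private byHash = new Map<string, TokenRecord>();
  private revokedFamilies = new Set<string>();

  // Called at login (new family) and by rotate() (same family).
  issue(tenantId: string, userId: string,
        family: string = randomBytes(16).toString("hex")): string {
    const plaintext = randomBytes(32).toString("hex");
    this.byHash.set(hashToken(plaintext), { family, tenantId, userId, used: false });
    return plaintext;
  }

  // Exchange a refresh token for its successor. Fails closed: unknown,
  // revoked, or previously used tokens all yield null.
  rotate(presented: string): string | null {
    const rec = this.byHash.get(hashToken(presented));
    if (!rec || this.revokedFamilies.has(rec.family)) return null;
    if (rec.used) {
      // Reuse detected: a stale copy is being replayed, so we cannot tell the
      // legitimate client from a thief. Revoke every session in the family.
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.used = true;
    return this.issue(rec.tenantId, rec.userId, rec.family);
  }

  isFamilyRevoked(family: string): boolean { return this.revokedFamilies.has(family); }
  familyOf(token: string): string | undefined { return this.byHash.get(hashToken(token))?.family; }
}
```

A successful rotation keeps the family alive; replaying any earlier token from the same family tears it down, which is the "auto-revoke all sessions" behaviour listed above.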

Security questions before you commit?

Evaluating Keystone for your team? We're happy to walk through our architecture and answer security or due-diligence questions ahead of launch.