.png)
.png)
SOC 2 Type II · HIPAA-compliant · independently audited.
Reports and live control status in our Trust Center →
The controls a compliance review looks for, in place on every plan.
Agents and MCP inherit the same HIPAA boundary as the rest of Keragon, with guardrails you set and can see.
The admin controls your IT and security teams expect, so automation never means losing oversight.
Pull our SOC 2 Type II report, review live control status, and see our subprocessors and data-processing agreement, all in our Vanta-powered Trust Center.
Security question or disclosure? See security.txt or reach our security team through the Trust Center.
Yes. Keragon is HIPAA-compliant and runs on healthcare-grade infrastructure built for protected health information. (We say HIPAA-compliant, not HIPAA-certified, because no such certification exists.)
Yes. A standard BAA is included on every paid plan, self-serve, with no sales call required. Custom BAAs are available on Enterprise.
Yes. Keragon holds a SOC 2 Type II attestation (issued together with HIPAA), independently audited. You can request the full report in our Trust Center.
PHI is encrypted in transit and at rest, and is never stored unless you explicitly configure a storage step. Every access, edit, and deletion is logged. Your data is never sold or shared.
No. Your data and configurations stay private to your organization and are never used to train, retrain, or improve any AI models, Keragon's or a provider's. Keragon's AI operates with zero data retention.
Agents are bounded: they act only within the tools and rules you set, connectors are read-only by default, sensitive actions can require human sign-off, and every action is logged and traceable to a specific user or agent.
You do. Access is managed with SSO, two-factor authentication, and role-based permissions, and connections can be scoped down to specific actions. Credentials are held centrally, never on a builder's device.
Yes. Keragon runs an annual external penetration test. The letter of attestation is available in our Trust Center.
On Amazon Web Services, with encryption at rest, restricted encryption-key access, and continuous security monitoring.
Yes. Business-continuity and disaster-recovery plans are established and regularly tested, and Keragon maintains cybersecurity insurance.
Core subprocessors include Amazon Web Services (hosting) and Google, among others. The full list and our data-processing agreement are in the Trust Center.
Customer data is deleted on offboarding, following our documented data-retention and data-classification policies.
Request our SOC 2 Type II (with HIPAA), HIPAA, and penetration-test reports, plus our BAA and MNDA, in the Trust Center. For security questions or disclosures, email security@keragon.com or see our security.txt.