We've raised a total of $10.5M to bring automation to healthcare.
Read more
Security & compliance

Healthcare-grade security, in everything you automate.

Keragon runs on HIPAA-compliant, SOC 2 Type II infrastructure. Your workflows, agents, and AI tools act on PHI under a BAA, with encryption, scoped access, and a full audit trail, on by default.

SOC 2 Type II  ·  HIPAA-compliant  ·  independently audited.
Reports and live control status in our Trust Center →

How we protect your data

Built for PHI from the ground up

The controls a compliance review looks for, in place on every plan.

BAA on every paid plan
A standard Business Associate Agreement is included on every paid plan, self-serve, with no sales call. Custom BAAs on Enterprise.
SOC 2 Type II
Independently audited against the SOC 2 Type II framework, with continuous control monitoring.
Encrypted end to end
AES-256 at rest and TLS 1.2+ in transit. Credentials are stored in an encrypted secrets store, never in plain text.
SSO, 2FA & roles
Single sign-on, two-factor authentication, and role-based permissions on every plan, no per-seat cost.
PHI-aware audit logs
Every access, edit, and deletion of PHI is logged and replayable, so you always have a record of who did what.
Your PHI stays yours
PHI is processed in transit and never stored unless you explicitly configure it. It is never sold and never used to train models.
AI & agent trust

AI you can actually give access to

Agents and MCP inherit the same HIPAA boundary as the rest of Keragon, with guardrails you set and can see.

Bounded agents
Agents act only within the tools and rules you set. They cannot reach anything you have not granted.
Human-review checkpoints
Require sign-off on the actions that matter. The agent shows its plan and waits for you.
Read-only by default
Connectors are read-only until you grant write access, scoped to the exact actions you allow, per connector.
Every action traceable
Each agent and MCP tool call is logged and traceable to a specific user or agent, in a HIPAA audit trail.
Never trained on your data
Your data and PHI are never used to train, retrain, or improve any AI model, Keragon's or a provider's. Zero data retention for AI.
You choose the model boundary
AI runs under the same BAA and healthcare-grade infrastructure as everything else on the platform.
Access & governance

Control who touches what

The admin controls your IT and security teams expect, so automation never means losing oversight.

SSO & role-based access
Single sign-on plus view / build / manage roles, so people only get the access their job needs.
Connector- & action-level scoping
Restrict not just which apps an automation can use, but which specific actions inside them, down to read vs write.
Managed connections
Credentials are held centrally in an encrypted store, so builders connect systems without ever seeing the keys.
Immutable audit trail
Every workflow run, agent action, and connection change is recorded in an activity log you can review anytime.
Real-time monitoring
Execution monitoring with automatic retries and alerts, so failures surface instead of silently passing.
Read-only-first connectors
300+ healthcare integrations default to read-only, so a new connection can't change data until you say so.
Trust Center

Everything, in one place.

Pull our SOC 2 Type II report, review live control status, and see our subprocessors and data-processing agreement, all in our Vanta-powered Trust Center.

Security question or disclosure? See security.txt or reach our security team through the Trust Center.

FAQ

Security questions, answered

Is Keragon HIPAA-compliant?

Yes. Keragon is HIPAA-compliant and runs on healthcare-grade infrastructure built for protected health information. (We say HIPAA-compliant, not HIPAA-certified, because no such certification exists.)

Do you sign a BAA?

Yes. A standard BAA is included on every paid plan, self-serve, with no sales call required. Custom BAAs are available on Enterprise.

Is Keragon SOC 2 certified?

Yes. Keragon holds a SOC 2 Type II attestation (issued together with HIPAA), independently audited. You can request the full report in our Trust Center.

How is my patients' PHI handled?

PHI is encrypted in transit and at rest, and is never stored unless you explicitly configure a storage step. Every access, edit, and deletion is logged. Your data is never sold or shared.

Do you use my data to train AI models?

No. Your data and configurations stay private to your organization and are never used to train, retrain, or improve any AI models, Keragon's or a provider's. Keragon's AI operates with zero data retention.

Is it safe to give an agent access to my systems?

Agents are bounded: they act only within the tools and rules you set, connectors are read-only by default, sensitive actions can require human sign-off, and every action is logged and traceable to a specific user or agent.

Who controls access to our data?

You do. Access is managed with SSO, two-factor authentication, and role-based permissions, and connections can be scoped down to specific actions. Credentials are held centrally, never on a builder's device.

Is Keragon penetration tested?

Yes. Keragon runs an annual external penetration test. The letter of attestation is available in our Trust Center.

Where is my data hosted?

On Amazon Web Services, with encryption at rest, restricted encryption-key access, and continuous security monitoring.

Do you have disaster recovery and business continuity?

Yes. Business-continuity and disaster-recovery plans are established and regularly tested, and Keragon maintains cybersecurity insurance.

Who are your subprocessors?

Core subprocessors include Amazon Web Services (hosting) and Google, among others. The full list and our data-processing agreement are in the Trust Center.

What happens to our data if we stop using Keragon?

Customer data is deleted on offboarding, following our documented data-retention and data-classification policies.

How do I request a report or reach your security team?

Request our SOC 2 Type II (with HIPAA), HIPAA, and penetration-test reports, plus our BAA and MNDA, in the Trust Center. For security questions or disclosures, email security@keragon.com or see our security.txt.

Automate on secure ground.

Get started with a BAA and healthcare-grade security from your very first workflow.

SOC 2 Type II · HIPAA-compliant · BAA on every paid plan