Keelway
Security & compliance

The security posture an enterprise broker procurement team expects.

Freight brokerages run on trust — with carriers, with shippers, and with the software that touches both. Keelway is built to clear the security review of a Fortune-1000 procurement team, not just a twelve-person SMB. This page is the public version of the security questionnaire we will fill out for you in detail under NDA.

Compliance program at a glance

Where Keelway is today, in plain language. We do not claim certifications we have not earned, and we do not hide the gaps — enterprise procurement teams smell that from a mile away.

SOC 2

Type I in active build-out

Trust Services Criteria scope: Security, Availability, Confidentiality. Named external auditor engaged. Readiness assessment and target attestation date shared under NDA. Enterprise contracts include a credit-back commitment if the Type I target slips.
GDPR / CCPA

Article 28 DPA, service-provider terms

Standard Data Processing Agreement aligned with GDPR Article 28 obligations and CCPA service-provider terms. Available as an executable template or with mutual redlines. Subprocessor change notification with right-to-object on enterprise.
ISO 27001

Aligned, not yet certified

Internal controls modeled on ISO 27001 Annex A. Certification is on the post-SOC-2 roadmap; not currently in scope for audit. Customers who require an ISO-certified vendor should flag that at discovery.
HIPAA

BAA on request, scope-gated

Business Associate Agreement available where freight scope is healthcare-adjacent (hospital supply, clinical-trial logistics). Negotiated on a per-engagement basis with scope defined in the BAA itself.

Identity and access management

Every enterprise tenant supports the identity primitives a modern security team expects:

  • SAML 2.0 and OIDC SSO — validated against Okta, Microsoft Entra ID (Azure AD), Google Workspace, and JumpCloud. Custom IdPs supported on request.
  • SCIM 2.0 user provisioning — automated creation, update, and deactivation. Deactivating a coordinator in your IdP removes them from Keelway within minutes.
  • Role-based access control (RBAC) — pre-built roles for broker, team lead, ops manager, billing admin, and read-only auditor. Custom roles with per-resource scope on loads, carriers, rates, and TMS write-back.
  • IP allowlisting — dashboard access restricted to customer-supplied CIDR ranges on enterprise tenants.
  • Session management — configurable session lifetime, mandatory MFA for admin roles, forced re-authentication for sensitive actions (TMS credential changes, billing, integration setup).
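The SCIM deactivation path is the one worth checking in any IdP-driven deprovisioning claim: setting `active=false` must also revoke the user's live sessions, or the "removed within minutes" promise only holds for new logins. The following is an added example, not Keelway's code, of a SCIM 2.0 PatchOp handler over a hypothetical in-memory user and session store that does both. It accepts the two shapes real IdPs send for this operation (Okta: `{"op":"replace","value":{"active":false}}`; Entra ID: `{"op":"Replace","path":"active","value":"False"}` with a string boolean). The store, type names and sample user are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical in-memory model for the example (not Keelway's schema).
type User struct {
	ID       string
	UserName string
	Active   bool
}

type Store struct {
	Users    map[string]*User
	Sessions map[string]string // session id -> user id, i.e. a live dashboard login
}

func NewStore() *Store {
	return &Store{Users: map[string]*User{}, Sessions: map[string]string{}}
}

// scimPatch is the SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2).
type scimPatch struct {
	Operations []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	} `json:"Operations"`
}

// activeFromOp pulls the "active" attribute out of a replace op. It handles
// both the path form ("path":"active","value":false or "False") and the
// object form ("value":{"active":false}); other attributes are ignored.
func activeFromOp(path string, raw json.RawMessage) (active, found bool, err error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return false, false, err
	}
	if strings.EqualFold(path, "active") {
		return asBool(v)
	}
	if path == "" {
		if m, ok := v.(map[string]any); ok {
			if a, ok := m["active"]; ok {
				return asBool(a)
			}
		}
	}
	return false, false, nil
}

func asBool(v any) (bool, bool, error) {
	switch x := v.(type) {
	case bool:
		return x, true, nil
	case string: // Entra ID historically sends "True"/"False" as strings
		switch strings.ToLower(x) {
		case "true":
			return true, true, nil
		case "false":
			return false, true, nil
		}
	}
	return false, false, fmt.Errorf("unsupported active value %v", v)
}

// ApplyPatch applies a SCIM PATCH. Deactivation both blocks new logins
// (Active=false) and revokes every live session, so the user is out at IdP
// push latency, not at session expiry. Returns the number of sessions revoked.
func (s *Store) ApplyPatch(userID string, body []byte) (int, error) {
	u, ok := s.Users[userID]
	if !ok {
		return 0, fmt.Errorf("user %s not found", userID) // HTTP 404 in a real endpoint
	}
	var p scimPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return 0, err
	}
	revoked := 0
	for _, op := range p.Operations {
		if !strings.EqualFold(op.Op, "replace") {
			continue
		}
		active, found, err := activeFromOp(op.Path, op.Value)
		if err != nil {
			return revoked, err
		}
		if !found {
			continue
		}
		u.Active = active
		if !active {
			revoked += s.revokeSessions(userID)
		}
	}
	return revoked, nil
}

func (s *Store) revokeSessions(userID string) int {
	n := 0
	for sid, uid := range s.Sessions { // deleting during range is safe in Go
		if uid == userID {
			delete(s.Sessions, sid)
			n++
		}
	}
	return n
}

// SessionValid is the check every authenticated request should make.
func (s *Store) SessionValid(sid string) bool {
	uid, ok := s.Sessions[sid]
	if !ok {
		return false
	}
	u, ok := s.Users[uid]
	return ok && u.Active
}

func main() {
	s := NewStore()
	s.Users["u1"] = &User{ID: "u1", UserName: "coordinator@example.com", Active: true} // constructed
	s.Sessions["sess-a"], s.Sessions["sess-b"] = "u1", "u1"
	n, err := s.ApplyPatch("u1", []byte(`{"Operations":[{"op":"replace","value":{"active":false}}]}`))
	fmt.Println("revoked:", n, "err:", err, "sess-a still valid:", s.SessionValid("sess-a"))
}
```

The design point is the pairing of `u.Active = false` with `revokeSessions`: an IdP deprovision that only flips the flag leaves an already-logged-in coordinator working until their session times out, which on a long dashboard session can be far longer than "minutes".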

Encryption and data handling

Data is encrypted in transit (TLS 1.2 or higher on every customer connection, with HSTS preload submitted) and at rest (AES-256 on all Postgres, S3, and Redis storage). Sensitive carrier-side fields (EIN, banking details, SSN where collected for carrier setup) carry a second layer of application-level field encryption keyed to the tenant.
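Storage-level AES-256 protects against a lost disk or snapshot; it does nothing once a query runs as the application. The tenant-keyed field layer described above is what limits what a cross-tenant bug can expose, and the property a reviewer should ask for is that a ciphertext lifted from one tenant's row (or one column) cannot be decrypted under another. The following is an added example, not Keelway's code, of one way to get that property with AES-256-GCM: a data key derived per (tenant, column) from a tenant key-encryption key, and the tenant id and column name bound into the GCM associated data. The KEK is generated in memory here so the example runs offline; in practice it would live in a KMS. Type and function names, the label string and the sample values are assumptions for the example; HMAC-SHA256 stands in for HKDF as a single-step KDF to stay stdlib-only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// TenantKEK is the per-tenant key-encryption key (hypothetical type). In
// production it would be held in a KMS; here it is 32 bytes in memory.
type TenantKEK struct {
	TenantID string
	KEK      []byte // 32 bytes
}

// fieldKey derives a distinct AES-256 data key for each (tenant, column) pair.
// HMAC-SHA256 over a versioned label is used as a one-step KDF for the
// example; HKDF would be the usual production choice.
func fieldKey(kek []byte, tenantID, field string) []byte {
	mac := hmac.New(sha256.New, kek)
	mac.Write([]byte("field-key/v1\x00" + tenantID + "\x00" + field))
	return mac.Sum(nil) // 32 bytes
}

// aad is authenticated but not encrypted. Binding tenant and column here means
// a blob copied into another tenant's row, or another column, fails the GCM
// tag check instead of decrypting somewhere it should not.
func aad(tenantID, field string) []byte {
	return []byte("tenant=" + tenantID + ";field=" + field)
}

func gcmFor(t TenantKEK, field string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fieldKey(t.KEK, t.TenantID, field))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns base64(nonce || ciphertext || tag), the value that
// would be written to the column.
func EncryptField(t TenantKEK, field, plaintext string) (string, error) {
	gcm, err := gcmFor(t, field)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad(t.TenantID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField fails closed: a mismatch in tenant, column, key or content
// returns an error, never a wrong plaintext.
func DecryptField(t TenantKEK, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(t, field)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(t.TenantID, field))
	if err != nil {
		return "", fmt.Errorf("field %q for %s: %w", field, t.TenantID, err)
	}
	return string(pt), nil
}

func randomKEK() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	acme := TenantKEK{TenantID: "tenant-acme", KEK: randomKEK()}
	globex := TenantKEK{TenantID: "tenant-globex", KEK: randomKEK()}

	blob, _ := EncryptField(acme, "carrier.ein", "12-3456789") // constructed sample value
	pt, err := DecryptField(acme, "carrier.ein", blob)
	fmt.Println("same tenant, same column:", pt, err)
	_, err = DecryptField(globex, "carrier.ein", blob)
	fmt.Println("other tenant:", err)
	_, err = DecryptField(acme, "carrier.ssn", blob)
	fmt.Println("other column:", err)
}
```

Two things together make the cross-tenant case fail: the derived key differs, and even with an identical KEK the associated data would not match. Either alone is enough; doing both means a key-management mistake (two tenants accidentally sharing a KEK) still does not let one tenant's blob decrypt under the other's id.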

Customer data is never used to train shared foundation models or shared retrieval indexes. Every enterprise tenant runs against an isolated retrieval index scoped to its own data. Our LLM provider contracts (Anthropic, OpenAI) explicitly opt out of training-data use under enterprise terms.

Infrastructure and reliability

Keelway runs on AWS, with the following posture for enterprise tenants:

  • Primary region: us-east-1 by default; us-west-2 and ca-central-1 available on contract.
  • Dedicated tenant infrastructure for enterprise customers — isolated VPC, isolated database, isolated retrieval index, no shared model surfaces.
  • Backups: point-in-time recovery on Postgres (35-day window), cross-AZ replication, daily snapshots retained 30 days, weekly snapshots retained 12 months.
  • Uptime SLA: 99.9% monthly on the carrier-email ingestion path and the operator dashboard, with service credits (10% below 99.9%, 25% below 99.0%, 50% below 95.0%).
  • Status page: public, real-time, with email and webhook subscriptions for enterprise customers.

Audit logs and observability

Every meaningful action — logins, accepted carriers, overridden trust scores, TMS write-backs, role changes, integration setup changes — is captured to an immutable audit log. Enterprise tenants can stream audit logs to Splunk, Datadog, Sumo Logic, or any S3 bucket they own, in near-real-time. Retention is configurable to customer policy (12 months minimum, 7 years available).
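"Immutable" is only checkable if the customer can verify it on their own copy. One way to give a streamed audit log that property, as an added example that is not Keelway's implementation, is to hash-chain the records: each entry carries the hash of the previous one and a hash over its own content, so an edit, reorder or deletion anywhere breaks the chain from that point on, and the SIEM or S3 consumer can re-walk it without trusting the sender. The record shape, field names and sample events below are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is one record (hypothetical shape, not Keelway's schema). Hash
// covers every other field including PrevHash.
type AuditEvent struct {
	Seq      int    `json:"seq"`
	Tenant   string `json:"tenant"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	At       string `json:"at"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// genesis is the PrevHash of the first record.
var genesis = strings.Repeat("0", 64)

// eventHash is SHA-256 over the canonical JSON of the record with Hash blanked.
// encoding/json writes struct fields in declaration order, so it is stable.
func eventHash(e AuditEvent) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type AuditLog struct {
	Events []AuditEvent
}

// Append links the new record to the current head of the chain.
func (l *AuditLog) Append(tenant, actor, action, target, at string) AuditEvent {
	prev := genesis
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := AuditEvent{Seq: len(l.Events), Tenant: tenant, Actor: actor,
		Action: action, Target: target, At: at, PrevHash: prev}
	e.Hash = eventHash(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify re-walks the chain and returns the index of the first bad record,
// or -1 if the log is intact. A consumer holding its own copy of the stream
// runs exactly this check.
func (l *AuditLog) Verify() (int, error) {
	prev := genesis
	for i, e := range l.Events {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("record %d: sequence gap (seq %d)", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("record %d: prev_hash does not match record %d", i, i-1)
		case eventHash(e) != e.Hash:
			return i, fmt.Errorf("record %d: content does not match its hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var l AuditLog // constructed sample events
	l.Append("tenant-acme", "ops-lead@example.com", "trust_score.override", "carrier:C-1", "2025-01-01T00:00:00Z")
	l.Append("tenant-acme", "ops-lead@example.com", "tms.writeback", "load:L-100", "2025-01-01T00:00:05Z")
	fmt.Println(l.Verify())
	l.Events[0].Action = "login" // tamper with an already-written record
	fmt.Println(l.Verify())
}
```

A chain like this detects tampering but does not by itself stop a party who controls the whole store from rewriting every record forward; that is why the customer-side copy (the Splunk, Datadog or S3 stream) matters: the two copies must agree on the head hash.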

Penetration testing and vulnerability management

Independent third-party penetration testing conducted annually by a CREST-certified firm; most recent test summary available under NDA for prospective enterprise customers. Continuous automated vulnerability scanning on every deployed artifact (SAST, SCA, container image scanning, infrastructure-as-code scanning). Private bug bounty program for select security researchers, with a published responsible disclosure policy at /security/disclosure.

Incident response

24/7 on-call rotation with a 15-minute acknowledgment SLA for P0 and P1 incidents. Enterprise customers are notified within 24 hours of any incident affecting their data, with a written preliminary report within 72 hours and a full post-mortem within 5 business days. We maintain a Slack Connect or Microsoft Teams shared channel for incident communication with each enterprise account.

Subprocessors

Public subprocessors as of the current quarter:

  • AWS — compute, storage, networking (us-east-1 primary, additional regions on contract)
  • Cloudflare — edge, DNS, WAF, DDoS protection
  • Google — Gmail OAuth API (inbox integration); Workspace SSO where the customer uses Workspace
  • Anthropic — LLM inference for the parser and ranking pipeline; no customer data used for model training under our enterprise terms
  • OpenAI — secondary LLM inference for redundancy; same training-opt-out terms
  • Stripe — billing and payment processing only; no carrier or shipper data
  • Postmark — transactional email delivery (account notifications, alerts) only

Full list with data flows, geographic processing locations, and processing purpose available under NDA on request. We provide 30 days' notice before any subprocessor addition, with a right-to-object on enterprise contracts.

Responsible disclosure

Security researchers can report vulnerabilities to security@keelway.com with PGP encryption available. We commit to acknowledging within 48 hours, triaging within 5 business days, and remediating Critical / High issues within 30 days. We do not pursue legal action against good-faith researchers operating within our disclosure policy.

Frequently asked questions

What is your SOC 2 status?

Keelway's SOC 2 program is in active build-out under a named external auditor. We can share the current readiness assessment, the Trust Services Criteria scope (Security, Availability, Confidentiality), and a target Type I attestation date under NDA. Enterprise customers signing before attestation receive a contractual commitment that SOC 2 Type I is delivered within the first 12 months of the contract term, with credit-back terms if the target slips.

Where is customer data stored?

AWS us-east-1 by default for all customers. Enterprise customers can request a dedicated tenant in us-west-2 or ca-central-1 at no additional cost. EU data residency (eu-west-1, eu-central-1) is on the 2026 roadmap and unlocked for confirmed enterprise pipeline. Stored customer data does not leave the chosen region except during audited replication windows for disaster recovery. Where processing by the LLM subprocessors listed below takes place is covered by the full subprocessor list (data flows and geographic processing locations), available under NDA.

How is data encrypted?

In transit: TLS 1.2 or higher on every connection, with HSTS preload submitted and certificate pinning available for enterprise tenants. At rest: AES-256 on all customer data, including Postgres tables, S3 object stores, and Redis caches. Application-level field encryption for the most sensitive carrier-side identifiers (EIN, banking, SSN where collected for carrier setup).

What is your subprocessor list?

Public subprocessors as of the current quarter: AWS (compute and storage), Cloudflare (edge and WAF), Google (Gmail OAuth API for inbox integration, Workspace SSO for some customers), Anthropic and OpenAI (LLM inference; no customer data used for model training under our enterprise terms), Stripe (billing only), Postmark (transactional email only). Full list with data flows and processing purpose available under NDA on request. We provide 30 days' notice before any subprocessor addition, with a right-to-object for enterprise customers.

Do you train AI models on customer data?

No. Customer carrier emails, rates, trust scores, and TMS data are never used to train shared foundation models or shared retrieval indexes. Every enterprise tenant runs against an isolated retrieval index scoped to its own data. Our LLM provider contracts explicitly opt out of training-data use.

What scopes do you request on Gmail?

The minimum required to triage carrier emails: gmail.modify for label management on triaged carrier replies, gmail.readonly for reading inbound carrier emails on monitored threads. We do not request gmail.send unless the customer explicitly enables automated reply drafting (off by default). One caveat for reviewers: gmail.modify is itself a Restricted scope and already includes read access and the ability to send via the API, so the effective permission boundary is the modify grant rather than the presence or absence of gmail.send. Scopes are reviewed under Google's Restricted Scopes verification process.

How do you handle security incidents?

All security events route to a 24/7 on-call rotation with a 15-minute acknowledgment SLA for P0 / P1. Enterprise customers are notified within 24 hours of any incident affecting their data, with a written preliminary report within 72 hours and a full post-mortem within 5 business days. We maintain a public status page for availability incidents at status.keelway.com.

What about penetration testing?

Independent third-party penetration test conducted annually by a CREST-certified firm. Most recent test summary available under NDA for prospective enterprise customers. We also run continuous automated vulnerability scanning on every deployed artifact and run a private bug bounty for select security researchers.

Do you sign DPAs and MSAs?

Yes. Standard DPA template aligned with GDPR Article 28 obligations and CCPA service-provider terms, executable as-is or with mutual redlines. MSA template covers liability caps, indemnification, IP, and termination — built to clear most Fortune-1000 brokerage procurement reviews. BAA available where freight-data scope is healthcare-adjacent. Mutual NDA signed before any document exchange that requires it.

Security review on the agenda?

Send us your questionnaire. We'll send it back filled in.

Request security packet
