Sub-processors
Every system Keel uses
to deliver the product.
Sub-processors process customer personal data on Keel's behalf under contracts that bind them to data-protection standards consistent with our DPA. The list below is current as of the date shown.
This list is a working draft for review. Several entries marked TBD reflect engineering vendor selections that are still finalizing. The published version will resolve TBDs and remove this banner.
Change notification policy
We provide at least 30 days' notice before adding or replacing a sub-processor. Notice is delivered in-product to admins and by email to designated security contacts. Customers may object on reasonable data-protection grounds and may exercise rights under the DPA where the objection cannot be resolved.
To subscribe to sub-processor change notifications, email privacy@keelflow.ai.
Infrastructure and platform
Sub-processors that host, store, or transmit customer data as part of the core Keel platform.
- Purpose
- Application compute and managed Postgres
- Data categories
- All customer data
- Processing location
- Region matching Workspace selection (us_east in v1)
- Terms
- GCP DPA with EU SCCs and UK addendum
- Purpose
- Marketing site hosting, transcript storage, edge delivery, network security
- Data categories
- Marketing site analytics, transcript mirrors, public assets
- Processing location
- Region-pinned R2 buckets; global CDN
- Terms
- Cloudflare DPA with EU SCCs and UK addendum
LLM providers
Keel routes prompts to LLM providers to power Vera. Customers configure their own provider and key per Workspace, or use Unfold AI as the default. Provider terms below reflect what we require regardless of which provider a Customer uses.
- Purpose
- Default LLM routing for new tenants
- Data categories
- Prompts and completions; no training on customer data
- Processing location
- Provider-defined; us_east-aligned for v1
- Terms
- Internal routing; provider terms inherited from underlying providers
- Purpose
- LLM completions per Customer-provided key
- Data categories
- Prompts and completions only; zero data retention available; no training when configured
- Processing location
- Provider-defined
- Terms
- OpenAI DPA, business tier zero-retention available
- Purpose
- LLM completions per Customer-provided key
- Data categories
- Prompts and completions only; no training on customer data by default
- Processing location
- Provider-defined
- Terms
- Anthropic DPA
- Purpose
- LLM completions per Customer-provided credential
- Data categories
- Prompts and completions only; no training on customer data per Vertex terms
- Processing location
- Provider-defined; region-aligned where supported
- Terms
- Google Cloud DPA
- Purpose
- LLM completions per Customer-provided key
- Data categories
- Prompts and completions only; no training on customer data per Azure OpenAI terms
- Processing location
- Provider-defined; region-aligned where supported
- Terms
- Microsoft Customer Agreement and Azure OpenAI service terms
Operational tooling
Sub-processors used for service delivery, monitoring, and customer communication. None receive operating data (Accounts, Opportunities, Activities, transcripts) under normal operation; some receive limited metadata as noted.
- Purpose
- Transactional email: invites, magic links, ritual reminders, alerts
- Data categories
- Email addresses, message contents, delivery metadata
- Processing location
- Provider-defined; aligned with Workspace region where possible
- Terms
- Provider DPA
- Purpose
- Application error monitoring and triage
- Data categories
- Stack traces, error context; PII filtered at the edge
- Processing location
- Provider-defined
- Terms
- Provider DPA
- Purpose
- Public uptime dashboard and incident notifications
- Data categories
- No customer data; only health-check responses
- Processing location
- Provider-defined
- Terms
- Provider DPA
- Purpose
- Marketing site analytics on keelflow.ai
- Data categories
- Page views, anonymized session data
- Processing location
- Provider-defined
- Terms
- Marketing site only; not used inside the Keel application
Identity providers (v1.1)
When a Customer enables SSO or SCIM in v1.1, the Customer's chosen identity provider becomes a sub-processor of authentication data. Keel does not select these on the Customer's behalf; the Customer brings their own.
- Purpose
- SSO authentication and SCIM user provisioning
- Data categories
- Authentication assertions and user provisioning records
- Processing location
- IdP-defined
- Terms
- Customer's existing contract with their chosen IdP
Customer-controlled integrations
The systems below are not Keel sub-processors; they are connections the Customer authorizes Keel to read from or write to. Data flows directly between Keel and these systems under the OAuth scopes the Customer grants. The Customer's existing relationship with each system governs the underlying data processing.
- CRMs: Zoho, HubSpot, Salesforce (deferred)
- Call tools: Gong, Chorus, Otter, Fireflies, Zoom, Microsoft Teams
- Slack workspace
- Calendar: Google Calendar, Outlook 365
Objecting to a sub-processor
A Customer may object to a new or existing sub-processor on reasonable data-protection grounds by writing to privacy@keelflow.ai within 30 days of notice. We will work in good faith to address the objection. If we cannot resolve it, the Customer may exercise rights under the DPA.