Trust & security

Your data stays in your cloud account.

When we build an AI system for you, it runs inside your own cloud account, on servers you control. Your documents are read and processed there. They are not copied to Kelsus, and they are not sent to any outside service. This page explains how that works, which security standards we meet today, and how we handle your information while a project is underway.

How it works

Where your data runs.

Four things are true on every project, whichever AI model we use and wherever your company operates.

01It runs in your account. We install the system into your own cloud account — for example AWS, Azure, or GCP — inside a private network that belongs to you. Kelsus does not run a shared service that holds your files.
02Your data is processed in that same place. The steps that read your documents and answer questions about them all run inside your private network. When the system searches your files or runs the AI model, none of your data is sent to an outside company.
03The AI model is copied in once, before launch. We use open-weight AI models, which means the model file is published and we run our own copy of it. We download that file into storage in your account during setup. After that, the model runs in your account, and your data stays there during normal use.
04We do not train on your data. Your documents, the questions people ask, and the answers the system gives are never used to train or improve any AI model, whether ours or another company's.

Security standards

Where we stand on certifications.

Some security standards come with an outside audit, where an independent auditor checks how a company works and writes a report. Others are sets of controls a company follows on its own, with no outside report yet. For each standard below, we say which kind it is, so you can see what someone other than Kelsus has checked.

01SOC 2 Type II: in progress. SOC 2 is a common security audit for software companies. A Type II report looks at how a company's security controls held up over a period of several months. (A Type I report looks at a single day.) We hired an outside auditor in June 2026, and the review period is underway. Once the report is ready, we will share it with you under a non-disclosure agreement, and we will post the dates on this page.
02HIPAA: we follow the controls and sign the required contract. HIPAA is the United States health-privacy law. There is no official HIPAA certificate that a company can earn. When a project involves medical records, we follow the security controls HIPAA calls for, and we sign a Business Associate Agreement, which is the contract HIPAA requires whenever an outside vendor handles health information.
03GLBA and FINRA: we follow controls that fit these rules. GLBA and FINRA are United States financial regulations that cover banks, lenders, and investment firms. The legal duty to follow them sits with your company. Our job is to build and run the system so it fits inside those rules. Whether your company meets them is your company's call to make.

During a project

How we handle your information.

These are our standard practices. We write them into the contract for every project.

01We work inside your account. We do the work in your cloud account, or in a separate test environment that your team sets up and approves.
02Our access is limited and temporary. We ask for permission only to the systems we need, and only for as long as the project runs. For example, the login we use to deploy the platform is removed on the last day.
03We delete test data when the project ends. Any data we use to test the system is deleted once the work is done.
04Your documents stay in your account the whole time. There is never a copy of your documents on a Kelsus computer to begin with.
05We hand everything over. At the end we give your team the running system, the test tools, and the keys. After that, Kelsus has no standing way into your account.

Sub-processors

Which outside companies handle your data.

A sub-processor is an outside company that handles data for us. Because your system runs in your own account, no sub-processor touches your data. The AI model, the search index, and the software that connects them all run inside your account, under your control.

To run our own business, meaning this website and our email newsletter, we use Amazon Web Services for hosting and email. That is separate from any customer project and never touches your data. If you would like the current list of outside companies we use, ask us and we will send it.

For your security team

Common questions.

Will you fill out our security questionnaire?

Yes. Send us your form and we will complete it. If you use a standard format such as SIG or CAIQ (two common security questionnaire formats), we can work from that as well.

Can we speak with a customer you have worked with?

Yes, when that customer agrees and signs off. We will introduce you to one whose situation looks like yours.

How do we report a security problem?

Email security@kelsus.com. That address reaches several people on our team, so a report does not wait on one person being available. We will reply within one business day and work through it with you. You can also use our contact form if you prefer.

Where does the system run?