EU-only
RGPD
Encryption · AES-256
Audit-trail · 100%
Frankfurt edge
Security · compliance

Built on European rails. Audited end-to-end.

Kelo's stack runs entirely inside the European Economic Area. Every dependency, every byte at rest, every access decision — designed for institutional review.

Compliance checklist

EU-only data residency
RGPD / GDPR compliant
AES-256 encryption at rest
TLS 1.3 in transit
RBAC with audit trail
OAuth-managed integrations

01 · Data residency

Your portfolio stays in the EEA.

[Diagram: European Economic Area · Data residency boundary]
Investor team
RBAC: Role-based access
TLS 1.3 in transit
Kelo platform · EU only
Frontend: Vercel · Frankfurt
Backend: Fly.io · FRA
Database: Supabase EU · FRA
Secrets: Doppler EU
At rest: AES-256
Tenant data
PSD2: Open banking · BdE
AEAT: Consent-based
SS: Consent-based
Non-EEA: No data egress

FRONTEND
Vercel · Frankfurt edge
BACKEND
Fly.io · FRA region
DATABASE
Supabase EU · point-in-time recovery
STORAGE
S3 EU + Supabase storage
Tenant data
Open Banking (PSD2), AEAT, Seguridad Social and any other sensitive sources are read directly from EU-based authoritative APIs. No data ever leaves the EEA. Sub-processors outside the EEA are not engaged.

02 · RGPD

RGPD by default, not by document.

DPA

Data processing agreement

Signed before any pilot. Includes sub-processor list, data flow diagrams, and incident notification SLAs. Available on request to legal teams under NDA.

PURPOSE

Purpose limitation

Tenant data is processed strictly for portfolio operations: tenant scoring, contract lifecycle, collections, and maintenance coordination. Never repurposed, never sold.

RETENTION

Retention controls

Tenant profile data is deleted on lease termination plus the statutory retention period. PII is separable on request. Backups expire automatically.

03 · Access control

Every action, reviewable.

RBAC

Role-based access control

Scoped roles per team member. Read, write, approve, and admin permissions assigned at the workflow level. Multi-tenant boundary enforced at the database row.

AUDIT

Immutable audit trail

Every action — agentic or human — written to an append-only log with user, timestamp, and source event. Replayable for compliance review.

LEAST-PRIV

Least-privilege defaults

New users start with read-only. Elevated permissions require explicit grants. Integration tokens are scoped to the minimum capabilities needed.

04 · Infrastructure

Engineered for review, not just uptime.

CRYPTO

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit. Database-level encryption keys managed via cloud KMS, rotated quarterly.

AT REST: AES-256
IN TRANSIT: TLS 1.3
KEY ROTATION: Quarterly

SECRETS

Vaulted credentials

Integration tokens stored in Doppler EU. No long-lived service keys checked into code. OAuth refresh handled per-tenant.

VAULT: Doppler EU
ROTATION: OAuth refresh
AUDIT: Per-token

UPTIME

Resilience by design

Multi-region failover within the EEA. Point-in-time database recovery. Postmortems on any incident touching tenant data.

SLA: 99.9% target
BACKUP: Point-in-time
FAILOVER: Multi-region EEA

Security pack

Get the compliance documentation.

Send your security team. We respond with the full pack within one business day under NDA.

Or write us at investor@getkelo.com

What you'll receive
01 · Data Processing Agreement (DPA)
02 · Infrastructure summary
03 · RBAC specification
04 · Sub-processor list