Keelson

Security & operations built into every app

Authentication, isolation, backups, and monitoring come standard, so even AI-generated internal apps can be deployed and run safely.

Built-in protections

Every app gets the following security features automatically. No code changes required.

Org login

Require organization account authentication, preventing unrestricted access from outside your team.

App isolation

Each app runs in its own isolated runtime and network, preventing any app from affecting another.

Access control

Control which members can access each app, and restrict access to approved networks with IP allowlisting.

Backups

Automatic daily backups with the ability to restore to a previous state after failures or mistakes.

Monitoring

Resources are continuously monitored. Anomalies trigger automatic alerts to the Keelson operations team.

Encryption

All traffic, stored data, and secrets are encrypted to prevent eavesdropping and data leaks.

Defense in depth

No single layer to bypass. Authentication, restriction, and isolation are stacked to protect your apps.

External Access
1 Edge Protection (DDoS / WAF / HTTPS)
2 Authentication (SSO)
3 IP Restriction
4 Network Isolation
5 Sandbox Isolation
Your App

1 Edge protection

Automatic DDoS mitigation, WAF filtering of malicious requests, and enforced HTTPS. Malicious traffic is blocked before it ever reaches your app.

2 Authentication

Keelson's authentication is automatically applied to every app. SSO via Google and Microsoft accounts, per-app member control. No auth code needed in your app.

3 IP restriction

Allow access only from approved networks. Unauthorized networks are blocked before reaching the login page. Remote workers can connect via VPN.

4 Network isolation

Apps are reachable only through the authenticated gateway. Inter-app network traffic is blocked. Outbound connections can be restricted by hostname — so even if AI writes code that accidentally sends data externally, Keelson blocks it.

5 Sandbox isolation

Each app runs in a sandboxed environment with kernel-level isolation. Direct access to the host kernel is blocked, least-privilege principles are enforced, and auth credentials are stripped by the proxy before reaching the app.

Data protection

Your business data is protected and always recoverable.

Encryption

  • At rest — Cloud-standard encryption for disks, databases, and object storage
  • In transit — TLS for external traffic; database connections also encrypted
  • Secrets — Environment variables (API keys, etc.) are encrypted before database storage

Backups & restore

  • Daily automatic — Data is backed up every day
  • Manual — On-demand backups before major changes (Plus plan and above)
  • Restore — Recover from any past backup point
  • Database — Point-in-time recovery via managed DB

Storage

  • Persistent storage per app
  • Data preserved across redeployments

How we handle your data

How your data is protected on the Keelson platform.

Data isolation

  • Storage and network are isolated per app
  • Apps cannot access each other's data
  • Member access is configured independently for each app

Log privacy

  • Auth headers, cookies, and session tokens are automatically masked during log collection
  • Your credentials do not persist in platform-side logs by design

Logs explicitly output by your app are not subject to masking.
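
Because lines your app writes itself are not masked, the app has to redact credentials before logging them. The following is an added example, not Keelson code: a Python logging filter that masks the same classes of data (auth headers, cookies, session tokens). The patterns, the `[REDACTED]` marker and the sample log lines are assumptions constructed for illustration.

```python
import io
import logging
import re

# Patterns are assumptions for this example, not Keelson's platform masking rules.
_RULES = [
    # Header-style fields: redact the rest of the line after the field name.
    (re.compile(r"\b(authorization|proxy-authorization|set-cookie|cookie)"
                r"([\"']?\s*[:=]\s*)[^\r\n]+", re.I), r"\1\2[REDACTED]"),
    # JWT-shaped strings (three base64url segments) anywhere in the message.
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[REDACTED_JWT]"),
    # key=value / key: value pairs whose key names a credential.
    (re.compile(r"\b([\w-]*(?:token|session|secret|api[_-]?key)[\w-]*)"
                r"([\"']?\s*[:=]\s*[\"']?)[^\s&;,\"']+", re.I), r"\1\2[REDACTED]"),
]


def mask(text: str) -> str:
    """Apply every redaction rule in order and return the masked text."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Mask the fully formatted message so %-style arguments are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask(record.getMessage())
        record.args = None  # message is already formatted
        return True


def demo() -> str:
    """Log two constructed lines through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler, not the logger: logger-level filters are skipped
    # for records that propagate up from child loggers.
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction-demo")
    log.propagate = False
    log.handlers = [handler]
    log.setLevel(logging.INFO)
    log.info("login ok user=%s cookie=%s", "bob", "sid=xyz")
    log.info("callback /done?access_token=%s&user=bob", "abc123")
    return stream.getvalue()
```

The header rule deliberately redacts to the end of the line, trading some lost context for not having to parse cookie or header syntax.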

Keelson operator access

  • Infrastructure is managed with the minimum access required for operations
  • Access to customer app data is limited to incident response and similar cases
  • Administrative actions are logged
  • Your data is never used for model training, AI training, or marketing

Data residency

  • All data is stored in the Tokyo region (Japan)
  • Underlying cloud providers hold SOC 2, ISO 27001, and other certifications

Shared responsibility model

What Keelson handles, and what you own.

Your only job is to provide the app code. Keelson handles infrastructure security and operations.

Authentication & Access

Keelson: Auto-applied auth for all apps, member management

You: Managing member additions and removals

Network

Keelson: External access control, inter-app isolation

Isolation & Permissions

Keelson: Sandbox execution, least-privilege enforcement

Encryption

Keelson: At-rest and in-transit encryption, secret protection

You: Configuring secrets correctly

Backups & Recovery

Keelson: Daily backups, infrastructure recovery

You: Requesting recovery when needed

Infrastructure Ops

Keelson: Monitoring, auto recovery, security patches

Application Code

You: Input validation, authorization logic, sensitive data handling

Verifying the logic in AI-generated code (calculation errors, missing authorization checks, etc.) is your responsibility. Keelson defends the outside of your app but does not guarantee behavior inside it.

Operations & incident response

Keelson provides the operational foundation so your apps keep running.

Monitoring & auto recovery

  • Continuous monitoring of CPU, memory, and disk usage
  • Continuous health checks for all apps
  • Automatic restart on failure detection
  • Automatic migration and repair on node failure

Incident response

  • Automatic alerts to the Keelson operations team on anomaly detection
  • Initial triage and recovery handled by Keelson
  • Security updates applied automatically
  • No monitoring setup required on your side

No bus factor

Unlike running apps on an in-house server, operations don't depend on any single person's expertise.

  • No server setup or configuration required
  • Infrastructure incident recovery handled by the Keelson operations team
  • Manage apps from a browser dashboard, simple enough for anyone

Infrastructure

  • Managed container orchestration on a major cloud provider
  • Workload isolation between user apps and system components
  • Fully managed database with private network connectivity and automatic failover

Technical details

Authentication

  • JWT-based authentication (asymmetric key signing and verification)
  • Google / Microsoft OAuth 2.0 support
  • Internal proxy session: short-TTL signed tokens
  • Auth headers and cookies are stripped by the proxy before forwarding to the app

Container Isolation

User apps run in isolated execution environments.

  • Runs as a non-root user with privilege escalation disabled
  • No unnecessary permissions granted; strict security constraints applied
  • No platform API credentials are passed to app containers

Network

  • Ingress: Apps reachable only via authenticated proxy (enforced by network policy)
  • Egress: Allow all, or hostname-based allowlist (wildcard patterns supported)
  • Inter-app network communication is blocked

Encryption

  • At rest: Cloud-standard encryption (disks, databases, object storage)
  • In transit: TLS encryption (external traffic) / encrypted database connections
  • Secrets: Symmetric-key encryption before database storage

Infrastructure

  • Managed container orchestration
  • Edge network: DDoS mitigation + WAF + TLS termination
  • Fully managed database: point-in-time recovery, private networking, auto failover
  • Workload isolation: user app nodes / system nodes
  • Node auto-repair + auto-upgrade
  • Private network topology (outbound via NAT gateway)

Logs & Monitoring

  • Metrics-based resource monitoring
  • Automatic masking of auth headers, cookies, and session tokens
  • Automatic alerts to the operations team on anomaly detection

Compliance

  • Keelson's cloud infrastructure providers hold SOC 2, ISO 27001, and other certifications
  • Data stored in Japan. Additional regions planned.

Deploy your first authenticated app today

Authentication, encryption, backups, and monitoring are included in every plan.