All legal agreements governing Kestra Labs services (MCP Fortress and PAT Fortress). Zero Trust tier customers can request executed copies via legal@kestralabs.com.
Kestra Labs LLC ("Service Provider") provides two managed gateway services: MCP Fortress and PAT Fortress. MCP Fortress is an MCP protocol gateway that enables organizations ("Customer") to govern, audit, and control how AI assistants access Customer's SaaS applications. PAT Fortress is a Claude API proxy that controls how developers and applications access the Claude API. Both services share a policy engine, credential vault, audit trail, and administrative dashboard.
You must register using a valid work email and provide accurate company information. Each organization receives one workspace. You are responsible for maintaining the confidentiality of your API keys and admin credentials. Notify us immediately of unauthorized access.
The Service is designed for legitimate business use of AI-SaaS integration governance. You may not: use the Service to circumvent SaaS vendor terms of service, attempt to reverse-engineer the gateway infrastructure, exceed rate limits through automated abuse, or use the Service for any unlawful purpose. We reserve the right to suspend accounts that violate these terms with 24 hours written notice except in cases of imminent security risk.
Kestra Labs processes Customer Data only as a data processor acting on your instructions. "Customer Data" means: for MCP Fortress, SaaS API credentials stored in the vault and API response content that transits the gateway; for PAT Fortress, Claude API keys (Personal Access Tokens) stored in the vault, plus the full request and response content that transits the proxy. MCP Fortress does not retain SaaS API response content: it passes through in real-time. PAT Fortress archives full request and response content to encrypted encrypted object storage storage for SOC 2 audit compliance. Audit logs record metadata (timestamp, user, action, resource, decision) but never credential values. Credential storage and encryption are governed by your selected tier (SOHO/Bank/Zero Trust).
You retain all rights to your Customer Data. We retain all rights to the Service, including the gateway infrastructure, policy engine, connector definitions, and administrative interface. You are granted a non-exclusive, non-transferable license to use the Service during your subscription term.
Pricing is based on your selected tier and user pack. Billing is monthly in arrears. Active users exceeding the contracted pack size are billed at 1.25× the base rate. Invoices are due within 30 days. We do not block users who exceed pack size, production continuity is guaranteed. Disputed charges must be raised within 60 days of the invoice date.
Either party may terminate with 30 days written notice. Upon termination, your access to the dashboard is revoked, all credentials in the vault are permanently deleted within 72 hours, and audit logs are retained for the period specified by your tier (90 days, 1 year, or 7 years) then permanently deleted. You may export audit data before termination.
To the maximum extent permitted by law, Kestra Labs's total liability for any claims arising from the Service is limited to the fees paid by Customer in the 12 months preceding the claim. We are not liable for: SaaS provider outages or API changes, loss of data due to Customer-initiated kill switch or credential revocation, or consequential, incidental, or punitive damages.
Customer agrees to indemnify Kestra Labs against claims arising from: Customer's violation of SaaS vendor terms, Customer Data content, or Customer's misconfiguration of policies resulting in unauthorized access. Kestra Labs agrees to indemnify Customer against claims arising from our breach of the DPA or unauthorized access to the vault infrastructure.
These terms are governed by the laws of the State of Arizona, United States. Any disputes shall be resolved through binding arbitration in Maricopa County, Arizona.
Account Information: Work email, name, company name, and billing details provided during registration. Usage Data: Dashboard interactions, API request metadata (timestamp, action, connector, decision, latency), and aggregate usage statistics. Customer Credentials: SaaS API keys/tokens stored in the vault, encrypted at rest per your selected tier.
We do not store API response content: SaaS API responses transit the gateway in real-time and are relayed to the AI assistant without persistence. We do not track individual end-user behavior within SaaS applications. We do not collect personal data from your SaaS accounts beyond what transits the gateway. PII redacted by the redaction engine is masked before it reaches the AI assistant and is never stored in its unmasked form.
Account information is used to provide the Service and communicate about your account. Usage metadata populates your admin dashboard (Status Board, Traffic Feed, Billing). Aggregated, anonymized usage statistics may be used to improve the Service. We do not sell, rent, or share your information with third parties for marketing purposes.
Account information: retained while your account is active, deleted within 90 days of account termination. Audit logs: retained per your tier (SOHO: 90 days, Team: 1 year, Enterprise: 7 years), then permanently deleted. Vault credentials: deleted within 72 hours of connector removal or account termination. Usage metrics: retained in aggregated form for 2 years.
Under GDPR and applicable data protection laws, you have the right to: access your personal data, correct inaccurate data, delete your account and associated data, export your audit logs, restrict processing, and object to processing. Contact privacy@kestralabs.com to exercise these rights. We respond within 30 days.
The Service infrastructure is hosted in enterprise cloud regions. Data may be processed in the United States and European Union. For EU customers, we maintain Standard Contractual Clauses (SCCs) as part of our DPA. Enterprise tier customers may select a single-region deployment to maintain data residency requirements.
We implement encryption at rest (AES-256) and in transit (TLS 1.3), per-request memory-only credential decryption, role-based access controls on internal systems, and immutable append-only audit logs. See our Security page for the full compliance framework mapping.
The admin dashboard uses essential session cookies only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required because we use only strictly necessary cookies.
This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and Kestra Labs LLC ("Data Processor") and supplements the Terms of Service.
Kestra Labs processes Customer Data solely for the purpose of providing the gateway service: evaluating access policies, resolving credentials, proxying API requests, applying PII redaction, and generating audit logs. Processing occurs only on Customer's documented instructions.
Credential Data: SaaS API tokens and keys stored in the vault. Transit Data: SaaS API responses passing through the gateway in real-time (not stored). Metadata: Request logs including timestamp, user identity, action, connector, policy decision, and latency. Admin Data: Dashboard configuration changes recorded in the Change Log.
Kestra Labs implements: AES-256 encryption at rest for all stored data, TLS 1.3 encryption in transit, per-request memory-only credential decryption with sub-second lifespan, three-tier credential isolation (managed, customer-key, zero-trust mTLS), immutable append-only audit logs, RBAC on internal systems with quarterly access reviews, SOC 2 Type II aligned controls, and ISO 27001 aligned information security management system. Full mapping available on our Security page.
Current sub-processors are listed on our Sub-Processors page. We provide 30 days advance notice before engaging new sub-processors. Customer may object to a new sub-processor within 14 days. If the objection cannot be resolved, Customer may terminate the affected services without penalty.
Kestra Labs will assist Customer in responding to data subject requests (access, rectification, erasure, portability) within 10 business days of notification. Costs for extraordinary requests are borne by Customer.
Kestra Labs will notify Customer of any confirmed personal data breach without undue delay and within 72 hours of confirmation. Notification will include: nature of the breach, categories and approximate number of affected records, likely consequences, and measures taken to address the breach.
Customer may audit Kestra Labs's compliance with this DPA once per calendar year with 30 days written notice. Audit scope covers security controls relevant to Customer Data. Alternatively, Customer may review our SOC 2 Type II report and ISO 27001 certification in lieu of an on-site audit.
Upon termination of the Service, Kestra Labs will permanently delete all Customer Data within the timeframes specified in the Privacy Policy. Customer may request a data export before termination. Deletion is certified in writing upon request.
For processing subject to GDPR: Kestra Labs acts as processor under Article 28. Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference. Kestra Labs will process data only within the EEA and approved jurisdictions unless Customer explicitly authorizes otherwise.
Availability: The BAA is available on the Zero Trust tier only. Contact our sales team to execute.
This Business Associate Agreement ("BAA") is required when Customer is a Covered Entity or Business Associate under HIPAA and uses the Service to process Protected Health Information ("PHI"). Kestra Labs agrees to be designated as a Business Associate.
Kestra Labs may use or disclose PHI solely for: performing its obligations under the Service Agreement, and as required by law. Kestra Labs will not use or disclose PHI for marketing, sell PHI, or use PHI for any purpose not expressly permitted.
Kestra Labs implements administrative, physical, and technical safeguards appropriate to protect PHI including: Zero Trust tier mTLS (PHI credentials never stored in our infrastructure), PII redaction engine configured to detect and mask PHI fields (patient names, MRNs, dates of birth), AES-256 encryption at rest with customer-managed keys, TLS 1.3 encryption in transit, and access controls limiting Kestra Labs personnel access to PHI to those with a demonstrated need.
Kestra Labs will report any Breach of Unsecured PHI to Customer without unreasonable delay and no later than 30 calendar days after discovery. Report will include: identification of each individual affected (if known), description of the breach, types of PHI involved, and remediation steps taken.
Kestra Labs will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Kestra Labs agrees to substantially similar restrictions as contained in this BAA.
Kestra Labs will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Customer's compliance with HIPAA. Kestra Labs will provide access to PHI within 10 business days of a written request.
Upon termination, Kestra Labs will return or destroy all PHI received from Customer or created on Customer's behalf. If return or destruction is not feasible, Kestra Labs will extend the protections of this BAA to the remaining PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
Downtime is defined as either gateway (gateway.kestralabs.com or pat.kestralabs.com) returning 5xx errors or failing to respond to valid requests for more than 5 consecutive minutes. The following are excluded from downtime calculations: scheduled maintenance (announced 72 hours in advance), SaaS provider outages (Zendesk, Salesforce, etc. being down is not Kestra Labs downtime), Claude API outages (api.anthropic.com being down is not Kestra Labs downtime), force majeure events, and Customer-initiated actions (kill switch activations, credential revocations).
If monthly uptime falls below the committed target, service credits are applied to the next invoice. Credits are calculated as: (committed uptime% - actual uptime%) × 10 × monthly fee, capped at the maximum credit percentage for your tier. Example: Bank tier at 99.7% uptime = (99.9% - 99.7%) × 10 × monthly fee = 2% credit.
Submit credit requests to sla@kestralabs.com within 30 days of the affected month. Include your org ID and the dates/times of experienced downtime. We will validate against our monitoring data and apply credits within one billing cycle.
Kestra Labs operates a public status page at status.kestralabs.com showing real-time gateway health, planned maintenance windows, and historical uptime. Customers receive email notifications for SEV 1 and SEV 2 incidents. Zero Trust tier includes a dedicated Slack channel for incident communication.
Kestra Labs uses a minimal set of sub-processors to deliver the Service. We provide 30 days advance email notice before engaging any new sub-processor. Zero Trust customers may object within 14 days.