Operations debt is quiet. It does not throw an error in your CI pipeline or crash a server. It accumulates in the background: the process that lives in one engineer's head and breaks when they leave, the vendor contract that auto-renewed at a rate you negotiated three years ago before you had leverage, the OKRs that were set in January and have not been mentioned since, the compliance posture that is invisible until a Fortune 500 prospect sends a security questionnaire and the sales cycle stops cold. By the time operational debt becomes visible, it is already expensive. The process documentation project is now urgent because the new hire starts next week and there is nothing to hand them. The compliance audit is now urgent because the enterprise customer requires SOC2 Type 2 before they will sign. The vendor contracts are now urgent because three of them expire next quarter. Urgent operational work is the most expensive kind, done under pressure, without time for the quality that prevents the next crisis. Keel exists to keep that debt from accumulating in the first place, and to retire it systematically when it already has.
Why startups defer operations work until it breaks something
The pattern is consistent across early-stage companies. The first ten engineers move fast because the team is small enough that everyone knows everything. There is no need for documented processes because the process is: ask the person who built it. There is no need for vendor management because there are three vendors and the founder knows all the account executives personally. There is no need for a compliance program because the customers are other startups who are not asking for SOC2. This is not dysfunction; it is rational prioritization. The cost of operational infrastructure at ten people is higher than the benefit.
The problem is that the threshold where operations work becomes essential is not visible until the team has already crossed it. At 40 people, tribal knowledge breaks down. Processes that worked via informal communication produce inconsistent outcomes because there are now enough people that not everyone has the same mental model. Vendor contracts have multiplied to dozens, each with its own renewal date, and the ones that auto-renew are quietly doing so at rates that made sense two years ago. The OKR spreadsheet that was good enough at 20 people is now a source of confusion because nobody agrees on what the current targets are or how scoring works. And the first enterprise prospect has arrived, asking for a SOC2 Type 2 report. None of this is catastrophic on its own. The combination, at a moment when the team is also trying to ship product, is genuinely hard.
Human solutions to this problem are expensive and slow. Hiring an operations lead costs $150k to $200k per year, and that person needs 30 to 90 days to audit the current state before they can start fixing it. Bringing in a compliance consultant for SOC2 readiness costs $40k to $80k and takes six to nine months. A process documentation firm charges $20k to $50k per engagement. These are the right investments at scale, but at 40 people the math is hard to justify before the pain is acute. Keel changes the math.
What an operations engineer actually does
On a mature team, the operations engineer is the person who builds the systems that make everything else run reliably. They document the processes that currently live in people's heads, turning tacit knowledge into explicit SOPs that survive turnover and scale. They design the RACI matrices that make decision ownership unambiguous, so the right people are consulted and the wrong ones are not slowing things down. They manage the vendor landscape: tracking contract terms, renewal dates, and SLA commitments; running renewal negotiations with historical usage data rather than gut instinct; maintaining vendor risk assessments so the company knows what its exposure is if a critical vendor has an outage or breach.
The operations engineer also owns the compliance program, not as a compliance officer but as the person who builds the systems: designing the control framework, running gap analyses against SOC2, GDPR, and HIPAA requirements, defining the evidence collection process, and maintaining the audit trail that proves the controls are operating. They design the OKR system: not just filling in the spreadsheet, but designing the cascade architecture, the review cadence, and the scoring methodology so that the OKR program actually drives behavior rather than becoming a quarterly ritual with no operational consequence. And they run the operational efficiency audit: systematically finding the meetings nobody needs, the tools that duplicate each other, the processes with unnecessary steps, the vendors that can be consolidated. The output is not a slide deck. It is a prioritized backlog of operational improvements with measurable impact.
Meet Keel
Keel is Tonone's AI operations engineer, the specialist agent for process documentation, compliance programs, vendor management, OKR design, and operational efficiency audits. Keel's working principle is that operational infrastructure is not overhead; it is leverage. Every hour spent documenting a process correctly is ten hours saved in onboarding, handoffs, and error correction over the next year. Every compliance control implemented before an enterprise deal is a deal not lost. Every OKR program that actually works is a team that is pulling in the same direction. Keel works systematically and concretely: not strategy decks, but the actual documents, programs, and frameworks that make operations run.
Tonone's Keel is the AI operations engineer that audits your business processes and compliance posture, documents SOPs and RACI matrices, builds SOC2 and GDPR compliance programs, manages vendor contracts, designs OKR systems, and runs operational efficiency audits across the entire business.
What Keel actually does
Operational reconnaissance across the full business
The keel-recon skill is Keel's broadest capability and the right starting point for any operations engagement. Keel audits the business across five dimensions: process health (which processes are documented, which live in tribal knowledge, where the handoffs are unclear or consistently break down), vendor landscape (all active vendors, contract status, renewal dates, spend, and concentration risk), compliance posture (what frameworks apply, what controls are in place, where the gaps are relative to SOC2, GDPR, or HIPAA requirements), OKR execution health (whether objectives are set, whether they cascade correctly, whether the review cadence is running and producing decisions), and operational friction (where the team is losing time to unclear processes, redundant tools, unnecessary meetings, or manual work that should be automated). The output is a prioritized operational health report that identifies the highest-leverage improvements with estimated impact and effort. For a new operations engagement, keel-recon is the starting point. For a quarterly ops review, it is the objective current-state assessment that replaces intuition with data.
Process documentation and redesign
The keel-process skill documents or redesigns business processes with the rigor of a professional operations engineer. For documentation engagements, Keel produces Standard Operating Procedures that cover purpose, scope, prerequisites, step-by-step instructions, decision points, exception handling, and success criteria, not a bullet-point summary but a document that a new hire can execute without asking anyone. For process redesign, Keel maps the current-state process, identifies the steps that add delay without adding value, redesigns the flow for efficiency and clarity, and produces the new SOP alongside the rationale for each change. RACI matrices (Responsible, Accountable, Consulted, Informed) are produced for any process that involves cross-functional coordination, making decision ownership explicit and eliminating the ambiguity that causes processes to stall at handoffs. Handoff specifications define exactly what information transfers between process steps, what format it takes, what the receiving party needs to do with it, and what happens if it is missing or incorrect. For engineering teams that are scaling past the point where informal coordination works, keel-process provides the operational infrastructure that makes growth manageable.
Vendor relationship management
The keel-vendor skill manages the full lifecycle of vendor relationships, from selection through contract negotiation, ongoing management, and renewal. For vendor selection, Keel produces a vendor scorecard that defines the evaluation criteria relevant to the specific category (security certifications for a data processor, uptime SLA for infrastructure, integration depth for a SaaS tool), weights them by importance, and scores each candidate against them to produce a defensible selection recommendation. For contract review, Keel produces a contract review checklist that identifies the clauses that need attention: data processing terms, liability caps, indemnification scope, SLA commitments and remedies, termination rights, and auto-renewal provisions that need calendar reminders. For vendor risk assessment, Keel evaluates concentration risk (what happens if this vendor has an outage), security posture (does the vendor process sensitive data, are they SOC2 certified, what is their incident notification obligation), and commercial risk (financial stability, pricing change provisions, lock-in mechanisms). For renewal tracking, Keel maintains a vendor register with renewal dates, current spend, usage data, and the negotiation leverage available at renewal time. For a 40-person company with 30 active SaaS vendors, keel-vendor is the difference between a managed vendor portfolio and a set of contracts that auto-renew on their own schedule at someone else's preferred terms.
Legal operations: NDAs, MSAs, and SaaS agreements
The keel-legal skill operates at the intersection of legal and operations: the documents and processes that a company needs to function legally, managed systematically rather than ad hoc. Keel drafts NDA templates (mutual and one-way) with standard terms appropriate for the context, covering definition of confidential information, obligations of the receiving party, permitted disclosures, return or destruction of information, and term and survival provisions. Keel produces MSA review checklists that surface the clauses requiring negotiation or legal review before signing: limitation of liability provisions, indemnification scope, intellectual property ownership (particularly work-for-hire provisions), data processing obligations, and governing law. Keel performs SaaS agreement terms analysis that identifies the commercial terms that are favorable, the terms that are standard and acceptable, and the terms that require redlining or escalation before the company should sign. This is legal ops work, not legal advice. The output is operational infrastructure that lets the company move faster through contracting without taking on terms that will cause problems later. For early-stage companies that are signing SaaS agreements and vendor contracts at volume, keel-legal reduces the time-to-signed while ensuring the right terms get flagged for actual legal review.
Compliance programs: SOC2, GDPR, and HIPAA
The keel-comply skill is Keel's most consequential capability for companies pursuing enterprise sales. It builds and audits compliance programs across the three frameworks that enterprise customers most commonly require: SOC2 (Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy), GDPR (EU data protection requirements for companies that process personal data of EU residents), and HIPAA (US health information privacy and security requirements for companies that handle protected health information). For each framework, Keel performs a gap analysis that compares the current state of controls against the framework requirements, producing a finding-per-control report that identifies what is in place, what is partially implemented, and what is missing entirely. Keel then produces a control implementation roadmap that sequences the remediation work by priority: the controls that are required for any SOC2 Type 2 audit, the controls that are foundational for GDPR data subject rights, the HIPAA technical safeguards that must be in place before handling PHI. Finally, Keel designs the evidence collection process that proves the controls are operating: the log formats, the review cadences, the policy documents, and the access review procedures that an auditor will sample to confirm the controls work. For a startup that just received a security questionnaire from an enterprise prospect and has no compliance program, keel-comply is the fastest path from zero to audit-ready.
SOC2 Type 2 is the compliance requirement that most often kills enterprise sales cycles for startups. The audit covers a 6-to-12 month observation period, which means you cannot start preparing after the customer asks for it. The companies that close enterprise deals without a 12-month delay started their SOC2 program at least 6 months before their first enterprise prospect. keel-comply gives you the gap analysis and implementation roadmap to start that clock.
OKR program design and execution
The keel-okr skill designs and runs OKR programs that actually work. Most OKR programs fail in one of three ways: objectives are too broad to be actionable, key results are not measurable (or are outputs rather than outcomes), or the review cadence runs for two quarters and quietly stops. Keel addresses all three. For objective and key result design, Keel drafts objectives that are specific enough to guide decisions and key results that are numeric, measurable, and attributable to the work of the team. For cascade architecture, Keel designs the relationship between company-level OKRs, team-level OKRs, and individual-level OKRs so that the connection between daily work and company strategy is legible, not assumed. For review cadence, Keel designs the weekly check-in format, the monthly score review, and the quarterly retrospective with the specific questions, decision rights, and escalation paths for each meeting. For scoring methodology, Keel defines what a 0.7 means relative to a 1.0, why a 0.6 to 0.7 is a healthy OKR score rather than a failure, and how scoring should feed into the next quarter's planning. For teams that have tried OKRs and found them adding overhead without clarity, keel-okr is the redesign that fixes the structural issues rather than adding another OKR training session.
Meeting cadence design
The keel-cadence skill designs the meeting architecture for a team or organization: which meetings to run, at what frequency, with which attendees, what decisions each meeting owns, and how information flows between them. Most meeting problems are structural, not behavioral. The weekly all-hands that has become a status report instead of a decision forum is a structural failure: the wrong attendees, the wrong agenda format, and no clear decision rights. The daily standup that runs 45 minutes is a structural failure: no agenda discipline, no separation between status and problem-solving. Keel audits the current meeting landscape, identifies the meetings that are redundant (two meetings covering the same information flow), the meetings that are missing (no forum for cross-functional decisions, no escalation path for stuck items), and the meetings that are correctly scoped but incorrectly run. The redesign produces a meeting architecture document that specifies each meeting in the system: purpose, frequency, attendees, agenda format, decision rights, and information flow outputs. For a 40-person team where half the calendar is meetings and the other half is recovery from meetings, keel-cadence is the operational redesign that gives time back to the work.
Operational efficiency audit
The keel-audit skill performs a systematic operational efficiency audit: scanning for waste, redundancy, and friction across processes, tools, vendors, and workflows. Keel looks at four categories of operational waste. Process waste: steps in a process that add delay without adding value, approval loops that could be delegated, manual steps that could be automated, and decision points that are consistently re-litigated because the criteria are not defined. Tool waste: SaaS subscriptions for tools that duplicate functionality, tools that are paid for but not used, tools whose functionality is also covered by a platform the team already has. Vendor waste: vendors whose contract terms are worse than market rate, vendors with auto-renewal provisions that have already renewed without review, and vendor overlap where two vendors are providing similar capabilities. Workflow waste: handoffs that require manual reformatting of information, communication patterns that create coordination overhead without improving quality, and reporting processes that produce outputs nobody reads. The output is a prioritized list of improvements with estimated annual savings or time recovered, the operational backlog that a COO or operations lead would build in their first 90 days. For a team without an operations lead, keel-audit provides the assessment that makes that prioritization possible.
A worked example: the Fortune 500 wake-up call
This scenario is common enough to be a pattern. A 40-person SaaS startup closes an early POC with a Fortune 500 company. The champion loves the product. Legal and procurement get involved. The procurement team sends a vendor questionnaire that includes: 'Please provide your SOC2 Type 2 report or indicate your expected certification date.' The sales team checks with the CEO. There is no SOC2 report. There has never been a compliance program. There are no documented processes. Vendor contracts are scattered across email threads. The OKRs set at the last all-hands are in a Google Doc that nobody has opened since February. The sales cycle is now at risk. Here is how Keel handles all of it.
The first step is understanding the full scope of what needs to be done. The team runs keel-recon and gets back a structured operational health report. The compliance section shows: no SOC2 controls documented, no privacy policy covering GDPR data subject rights, four vendors processing customer data without DPAs (Data Processing Agreements) in place, no security incident response policy, no access review process. The vendor section shows: 32 active SaaS vendors, 8 with renewals in the next 90 days, 3 with auto-renewal provisions the team was not tracking, and 2 vendors who are processing customer data without signed agreements at all. The OKR section shows: Q1 OKRs set but no review cadence established, Q2 OKRs not yet defined, no cascade from company to team level. The process section shows: onboarding process exists in one engineer's Notion draft, customer escalation process is undocumented, sales handoff to customer success is handled ad hoc. The operational friction section shows: six recurring meetings with unclear purpose, three tools with overlapping functionality, and an estimated 12 hours per week of manual reporting that could be automated.
Now the team has a complete picture and can triage by urgency. The enterprise deal requires SOC2 progress, so keel-comply runs first. Keel performs a SOC2 gap analysis against all five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) and produces a finding-per-control report. The Security TSC has 33 controls. Keel's gap analysis shows 12 fully in place, 9 partially implemented, and 12 missing entirely. The missing controls include: a formal security policy, a vendor management process, background check procedures, a security awareness training program, encryption key management documentation, a change management process for production deployments, and a formal vulnerability management program. Keel produces a control implementation roadmap that sequences these by priority: the controls required to start the SOC2 observation period (written policies, access management, incident response) versus the controls that can be implemented during the observation period (training completion records, periodic access reviews, vulnerability scan evidence). The roadmap also identifies the evidence that needs to be collected from day one of the observation period: access review logs, change management tickets, vulnerability scan results, security training completion records.
In parallel, keel-vendor addresses the vendor risk issues that the SOC2 gap analysis flagged. For the four vendors processing customer data without DPAs, Keel produces DPA templates appropriate for each vendor category (cloud infrastructure, analytics, customer support) that satisfy GDPR Article 28 requirements. For the 8 renewals in the next 90 days, Keel produces a renewal tracker with contract terms, current spend, usage data from the past 12 months, market rate benchmarks, and a negotiation brief for each vendor. For the three auto-renewal vendors that the team was not tracking, Keel produces contract review checklists and flags the clauses requiring redlining before the next renewal date.
For the OKR problem, keel-okr designs a Q2 OKR architecture from scratch. The company has three strategic priorities: close the enterprise deal, hit the product milestone for the next feature, and reduce churn from the current rate. Keel drafts company-level objectives for each priority, with three to four measurable key results per objective, cascaded to team-level OKRs for engineering, sales, and customer success. The cascade architecture makes explicit which team-level KR contributes to which company-level KR. Keel also designs the review cadence: weekly progress check-in (15 minutes, self-reported status per KR), monthly score review (45 minutes, team leads, scoring and adjustment decisions), quarterly retrospective (90 minutes, all-hands, what worked, what did not, input to next quarter's objectives). The scoring methodology is defined: 0.7 is a healthy stretch outcome, 1.0 means the target was not ambitious enough, below 0.4 requires investigation and adjustment.
Finally, keel-process documents the three processes with the highest urgency: the customer escalation process (because the enterprise POC will have escalations and the team needs a defined response), the sales-to-customer-success handoff (because the Fortune 500 deal will be the first enterprise customer and the handoff needs to be clean), and the production deployment process (because SOC2 change management controls require it). Each SOP includes purpose, scope, RACI, step-by-step instructions, decision points with criteria, and the evidence generated at each step that feeds the SOC2 audit trail. Six weeks after the initial keel-recon, the company has a SOC2 observation period underway, DPAs in place with all data processors, a functioning OKR program for Q2, documented processes for the three highest-risk handoffs, and a vendor portfolio that is under active management rather than auto-renewing in the dark. The enterprise deal is back on track.
If you are a startup that just received a SOC2 request from an enterprise prospect, the first thing to do is understand the gap between your current state and what an auditor needs to see. Run keel-comply for a gap analysis that tells you exactly which controls you have, which you are partially there on, and which you need to build from scratch. Then run keel-recon for the full operational picture. The combination gives you a prioritized roadmap instead of a panic spiral.
Keel vs the alternatives
Operations work is one of the domains where the difference between a specialist and a generalist is most visible in the output. A generalist can write a process document. It will not include a RACI, will not define exception handling, and will not be structured as evidence for a SOC2 audit. A generalist can summarize SOC2 requirements. It will not produce a gap analysis against your specific control environment, will not sequence the remediation by audit readiness priority, and will not design the evidence collection process. Keel is the specialist that produces operational infrastructure, not summaries of what operational infrastructure looks like.
| Capability | Tonone | Generalist chatbot | Cursor / Copilot |
|---|---|---|---|
| SOC2, GDPR, HIPAA gap analysis against current control environment | Yes, keel-comply performs a finding-per-control gap analysis, produces a prioritized implementation roadmap, and designs the evidence collection process for audit readiness | Partial, can summarize framework requirements but does not gap-analyze against your specific environment or produce a sequenced remediation roadmap | No, compliance consultants charge $40k to $80k for this work and take 3 to 6 months; no AI generalist produces audit-ready control documentation |
| SOP writing with RACI, exception handling, and audit trail design | Yes, keel-process produces complete SOPs including purpose, scope, RACI, step-by-step instructions, decision points, exception handling, and evidence generated at each step | Partial, can produce a process narrative but without RACI design, exception handling, or structured evidence generation for compliance purposes | No, process consulting firms charge $20k to $50k per engagement; generalist AI produces summaries rather than executable operational documents |
| Vendor contract review and renewal tracking | Yes, keel-vendor produces contract review checklists, vendor risk assessments, renewal trackers with negotiation briefs, and DPA templates for data processors | Partial, can review a single contract when pasted but without systematic vendor portfolio management, renewal tracking, or market rate benchmarking | No, no AI generalist maintains a vendor register or produces negotiation briefs based on usage data and market benchmarks |
| OKR program with cascade architecture and scoring methodology | Yes, keel-okr designs objectives and key results, cascade architecture from company to team to individual, review cadence with decision rights, and a defined scoring methodology | Partial, can draft OKR examples but without cascade architecture, review cadence design, or scoring methodology that prevents the common failure modes | No, OKR consultants provide training workshops rather than operational program design; generalist AI produces OKR examples without the structural design that makes them work |
| Meeting cadence audit and architecture redesign | Yes, keel-cadence audits the current meeting landscape, identifies redundant and missing meetings, and produces a meeting architecture document with purpose, decision rights, and information flow per meeting | No, cannot audit an organization's meeting landscape or produce a structured meeting architecture design | No, no available tool audits meeting structures and redesigns information flow and decision rights across a full meeting system |
| Operational efficiency audit across processes, tools, and vendors | Yes, keel-audit systematically scans for process waste, tool redundancy, vendor overlap, and workflow friction, producing a prioritized improvement backlog with estimated impact | No, can discuss operational efficiency principles but cannot audit a specific organization's processes, tools, and vendor landscape and produce a concrete improvement backlog | No, operations consulting firms charge $50k to $150k for this work; no AI generalist performs systematic waste identification across an organization's full operational landscape |
Install and try
Tonone is free and MIT-licensed. Install it once and all agents, including Keel, are available in your Claude Code session.
1. Add to marketplace
2. Install Keel
Frequently asked questions
- What does Tonone's Keel do?
- Keel is Tonone's AI operations engineer. It audits business processes and operational health with keel-recon, documents and redesigns processes and RACI matrices with keel-process, manages vendor relationships and contracts with keel-vendor, handles legal ops documents with keel-legal, builds SOC2, GDPR, and HIPAA compliance programs with keel-comply, designs OKR programs with keel-okr, redesigns meeting cadences with keel-cadence, and runs operational efficiency audits with keel-audit.
- How does Keel help startups prepare for SOC2 Type 2?
- keel-comply performs a gap analysis against all five SOC2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), producing a finding-per-control report that shows which controls are in place, partially implemented, or missing. It then produces a prioritized implementation roadmap that sequences controls by audit readiness priority: what must be in place before the observation period starts versus what can be implemented during it. Finally, it designs the evidence collection process so the company is capturing the audit trail from day one of the observation period.
- What is the difference between keel-recon and keel-audit?
- keel-recon is the broad operational health assessment: process documentation status, vendor landscape, compliance posture, OKR execution health, and operational friction, all five dimensions together. It is the starting point for any operations engagement and tells you where the highest-priority work is. keel-audit is a focused operational efficiency audit: systematic waste identification across processes, tools, vendors, and workflows, with a prioritized improvement backlog and estimated impact per item. Run keel-recon to understand the full picture; run keel-audit when you specifically want to find and quantify operational waste.
- Can Keel handle GDPR compliance for a startup processing EU personal data?
- Yes. keel-comply covers GDPR gap analysis including lawful basis documentation, data subject rights procedures, consent management, records of processing activities, data processor agreement requirements, data retention policies, cross-border transfer mechanisms, and breach notification procedures. It produces a gap finding report and a control implementation roadmap. keel-vendor produces DPA templates for vendors processing EU personal data under Article 28. keel-legal reviews SaaS agreements for GDPR-relevant clauses.
- Why do most OKR programs fail, and how does Keel fix it?
- Most OKR programs fail for structural reasons, not motivational ones. Objectives are too broad to guide decisions. Key results are outputs (shipped the feature) rather than outcomes (activation rate increased by X%). The review cadence runs for one or two quarters and then quietly stops because there are no defined decision rights or escalation paths. Scoring is inconsistent because the methodology was never defined. keel-okr addresses all four structural issues: it designs objectives and key results that are specific and measurable, a cascade architecture that makes the connection from daily work to company strategy legible, a review cadence with defined decision rights per meeting format, and a scoring methodology that is consistent and actionable.