The KGE SDK is Apache-2.0 — drop it in, ship audit-stream + vault contracts, never pay us anything. Hosted tiers add the parts a busy B2B SaaS company would rather not run themselves: Decision Card review, vault contract hosting, quarterly Pulse positioning, integration support.
All tiers use the same Apache-2.0 SDK. The difference is what's hosted for you and how much of the buyer-facing diligence response we run alongside.
$1,500/mo · annual
For B2B SaaS doing first SOC 2 readiness, embedding KGE to back the trust-boundary claim.
$3,500/mo · annual
For B2B SaaS with active enterprise customers — vault contract hosting + Decision Card review for two product lines.
$7,500/mo · annual
For B2B SaaS embedding into regulated verticals (HealthTech, FinTech, GovTech) where deals stall on security review.
The right tier is not about company vanity. It is about the buyer moment you need to survive without making engineering, security, and revenue teams rebuild the same packet every quarter.
Pick Solo when one product line needs a credible audit-stream and Decision Card story, but you are not yet running multiple enterprise diligence tracks at once.
Pick Team when the same buyer questions keep pulling engineers into review calls and you need reusable answer logic, hosted proof, and quarterly positioning.
Pick Scale when HealthTech, FinTech, GovTech, or enterprise security teams expect a fuller proof room, RFP packet support, and live integration guidance.
Hosted tiers are priced around the proof objects buyers can review. The goal is to make the trust claim inspectable before it turns into another custom security-review project.
These numbers come from public industry benchmarks for B2B SaaS in regulated verticals. Your actual numbers will differ. The framing is for executive sponsors who need to defend a $1.5K–$7.5K monthly line item against the alternative — which is usually another consultant retainer plus three internal hours per security questionnaire.
Synthetic but defensible. Public benchmarks: Vanta industry report (questionnaire response time), Bessemer Cloud 100 (deal cycle data), AICPA SOC 2 cost surveys. We'll show you the citations in a discovery call.
Every tier ships against the same Apache-2.0 SDK. The differences above are about what's hosted and how much of the response work we share, not about the underlying technology.
TypeScript dual ESM/CJS · zero runtime dependencies · Node 20+ · hash-chained audit · Decision Card vault contract enforcement · ed25519 signing.
Fill-in template for the security review packet enterprise buyers expect. §8 makes 4 KGE-backed verifiable claims. Aligned with SOC 2 CC9.2 + ISO/IEC 27018 + GDPR Art. 28 vocab — without claiming what you haven't earned.
KGE hosted tiers should be evaluated against the work they remove or standardize, not against the free SDK. If one of these costs is already showing up in your operating rhythm, the hosted tier has a clearer buyer case.
Recurring retainer work that mostly repackages evidence your product should already be producing.
Repeated engineering interruptions to answer the same audit-stream, AI, data, and access-control questions.
Static trust pages that claim readiness without giving buyers a verifiable Decision Card or vault-contract trail.
Vague security-progress updates that do not tie spend to buyer friction, deal review, and evidence reuse.
KGE is pre-commercial. The open-source SDK is production-stable (v1.0-prod). The hosted tiers are not yet purchasable — we're collecting waitlist + first-customer interest signal before opening commercial flow. When you join the waitlist, here's what you're committing to and what we are:
If you need this productized for a specific deal in flight, say so on the contact form — that's the signal that triggers an out-of-band response.