Keel
Runs on Amazon Aurora PostgreSQL

Ctrl+Z for production data

Engineers hand-write UPDATE and DELETE against production with no preview, no undo, and no audit. Keel makes every change safe, reviewable, and reversible.

Launch the consoleSee how it works
change #128Pending review
Chain verified
-- proposed
UPDATE customers SET plan = 'premium'
WHERE id IN (42, 57, 91);
Affects 3 rowsupdate · reversible
id 42plan
beforeenterprise
afterpremium

The change lifecycle

Every change runs the same governed path

From a plain-English request to a reversible, audited write — no step can be skipped, and nothing touches your data until it has passed the gate and a human reviewer.

  1. 01

    Propose

    Describe the change in plain English; Keel drafts the SQL.

  2. 02

    Policy gate

    Deterministic checks block dangerous SQL before it runs.

  3. 03

    Preview

    See the exact before/after rows and blast radius.

  4. 04

    Approve

    A second engineer signs off — never the author.

  5. 05

    Apply

    Executed once, with optimistic-concurrency conflict detection.

  6. 06

    Audit

    Every action is appended to a tamper-evident hash chain.

  7. 07

    Undo

    One click restores the prior state — a true Ctrl+Z.

Why it's safe

Guardrails that hold under real traffic

Keel's guarantees are enforced at the database chokepoint — not in the UI — so they hold even when changes are applied by hand.

Deterministic policy gate

Multi-statement scripts, missing-WHERE updates, protected tables, and over-ceiling blast radius are rejected before they ever touch your data — not flagged after the fact.

Optimistic-concurrency conflict detection

Keel pins each row's version at preview. If your live application traffic changed that row before apply, the change is refused instead of silently overwriting it.

Hash-chained, tamper-evident audit

Every apply and undo commits the SQL and a before-image digest into a linked hash chain. Altering any past entry breaks verification and is caught instantly.

Governed maker-checker approval

Approval is enforced server-side from a signed session — the author of a change can never be its approver, so no single person can push data unreviewed.

The data-plane peer to AWS Systems Manager Change Manager. Change Manager governs infrastructure changes; Keel governs the data inside your database.

See a change go from prompt to provable undo

Open the console, draft a change in plain English, watch the gate and preview, then approve, apply, and undo it — all against a live Aurora PostgreSQL database.

Launch the console