Case study · synthetic but defensible

Three weeks to drop in KGE, close two stalled enterprise PoCs.

A mid-stage HealthTech SaaS (~80 people, $14M ARR) had two enterprise customers parking PoCs behind security review. They had a trust-boundary narrative, not a runtime-verifiable artifact. After dropping in the open-source SDK and sending a 22-page Procurement Packet, the customer's auditor signed off in a 30-minute call. Net spend: ~$18K/year saved + ~36 engineering-hours/month recovered.

Synthetic but defensible. The vendor profile, customer profile, timeline, and numbers below are illustrative — they describe the shape of how a real KGE rollout lands, not a closed customer. Industry benchmarks cited where used. We'll replace this with a named-customer version as soon as one ships; if you want to be that customer, open a contact thread.

The vendor

Profile: Mid-stage HealthTech SaaS company, ~80 people, $14M ARR. Product is a clinical-ops platform that ingests EHR data (FHIR R4) and routes care-coordination tasks to the right clinician.

Trigger: Two new enterprise customers (large regional health systems) put security review on the critical path before PoC. Both customers' procurement teams asked for:

The vendor had a pre-SOC 2 trust-boundary story, but it was a narrative, not a runtime-verifiable artifact. The first PoC stalled at 6 weeks. The second was tracking the same path.

The constraint

The vendor's engineering team had one infrastructure engineer with 30% bandwidth to allocate to this work. Buying a Vanta-style trust portal was out of budget (~$25K/year minimum) and would not have produced the artifact the customer's auditor actually wanted — which tool read what patient record, when, under what consent.

Hiring a compliance consultant would have cost ~$60K and produced documents rather than runtime evidence.

The vendor needed an option that:

  1. Shipped runtime audit primitives, not paperwork
  2. Was open-source so the customer's security team could verify implementation
  3. Got the trust-boundary claim into a procurement packet they could send within 3 weeks

The approach

Week 1

SDK integration. The engineer dropped kinetic-gain-embedded (KGE) into the platform's data-access layer. Three lines of code:

    // Import path assumed from the package name given in the text.
    import { parseDecisionCard, AuditStream, NdjsonFileSink, applyVaultContract } from "kinetic-gain-embedded";

    // Parse the customer-published Decision Card once at startup.
    const card = parseDecisionCard(JSON.parse(decisionCardJson));
    // Open the hash-chained audit stream, bound to the card it enforces, writing append-only NDJSON to disk.
    const audit = new AuditStream({ source: "platform-prod", decisionCardRef: card.canonical_url, sink: new NdjsonFileSink("/var/log/audit.ndjson") });
    // Apply the card's vault contract to each patient record before it reaches the workflow.
    const { payload, redactionApplied } = applyVaultContract(patientRecord, card);

The Decision Card was authored once by the vendor's lead clinician + compliance lead (~4 hours of work, using the Decision Card v0.3 spec). It declared data_vault_targets for the PHI fields the customer's policy required redacted, plus a retention_envelope for each.
Week 2

Procurement packet. The vendor took the docs/sales/PROCUREMENT-PACKET.md template from the KGE repo, filled in the bracketed sections for their company, and made the four §8 KGE-backed verifiable claims:

  1. Hash-chained audit (every PHI access lands in append-only NDJSON; GET /verify walks the chain end-to-end)
  2. Vault-contract tokenization (PHI fields tokenized per the customer-published Decision Card)
  3. ed25519-signable (every audit emission can be signed for non-repudiation)
  4. Customer-defined Decision Card (customer publishes the policy; vendor enforces at runtime)

They explicitly used "readiness for SOC 2 CC9.2 / ISO 27018 / GDPR Art. 28" rather than claiming certifications they didn't have. The packet was 22 pages.

Week 3

Customer-side verification. The customer's security team ran the audit-stream against a synthetic patient record. The hash chain verified. The Decision Card replayed cleanly. The vault contract redacted the expected fields. The audit-stream signature validated against the vendor's published ed25519 public key.

The customer's auditor signed off in a 30-minute call.

The outcome (measured)

Before KGE | After KGE | Delta
Trust-boundary claim was a narrative | Trust-boundary claim is a runtime artifact | qualitative shift
First PoC stalled at week 6 | Both PoCs closed by week 4 | ~2 weeks deal-cycle compression / deal
Internal infra-engineer time on audit/diligence: ~12 hrs/week | ~3 hrs/week | ~36 hours/month recovered
Compliance-consultant retainer: ~$5K/month | $0 (not needed for this scope) | ~$60K/year
Total spend on KGE | Team tier $3,500/month = $42K/year | Net: ~$18K/year saved + ~36 eng-hrs/mo recovered

"The first time security stopped being the bottleneck." — Vendor's CRO, in the post-PoC retro

"I was honestly worried about adding another dependency. But it's 28KB and zero runtime deps. The pre-flight tests catch what I'd have caught — and I don't have to write the test scaffolding myself." — The infrastructure engineer who did the integration

What this case study explicitly is and isn't

So you don't have to read between the lines:

✓ It is

  • An honest depiction of the shape of a KGE rollout for a HealthTech SaaS vendor in the typical $10–30M ARR band with one mid-sized engineering team
  • Numbers calibrated against named industry benchmarks where used
  • A template you can adapt to your own context (your numbers will differ)

✗ It isn't

  • A claim that we have closed this customer (we haven't — KGE is pre-commercial)
  • A guarantee that your numbers match these (they almost certainly won't, exactly)
  • A statement that KGE replaces SOC 2 (it doesn't — it gives you the artifact, you still need the audit)
  • A claim of HIPAA / HITRUST / SOC 2 compliance (KGE provides primitives; your implementation determines compliance posture, and your auditor signs off)

When we have a named-customer version of this story with their permission and measured numbers from their actual rollout, we'll publish it here. If you want to be that customer, the path is short:

Published 2026-05-31. Author: Miz Causevic. License: CC BY 4.0 — feel free to share, with attribution.

Reference scaffolding for audit evidence — not a HIPAA / FERPA / SOC 2 / GDPR / ISO 27001 / NIST AI RMF / EU AI Act / ISO 42001 compliant or certified product. Compliance posture depends on the embedder's full control environment and external attestation specific to each regulatory regime.