GitLab

The provider claims the product to be open source but then mentions some source not even being available without singing an NDA first, which is in clear contradiction to claims about being Open Source.

If the stack is designed in a way that contains non-public code to parts that cannot put the private keys at risk, the product might still be reproducible like the BitBox02 where the closed source is only on the SE and never even sees the masterseed but given the Keystone is running a full Android OS, it's probably more complicated.