{"site":{"name":"Koji","description":"AI-native customer research platform that helps teams conduct, analyze, and synthesize customer interviews at scale.","url":"https://www.koji.so","contentTypes":["blog","documentation"],"lastUpdated":"2026-06-26T12:33:13.019Z"},"content":[{"type":"documentation","id":"711783ba-2d23-4136-bdbb-27fc1506d846","slug":"enterprise-security-ai-research-platforms","title":"Enterprise Security for AI Customer Research Platforms: SOC 2, SSO, and Vendor Review","url":"https://www.koji.so/docs/enterprise-security-ai-research-platforms","summary":"Enterprise buyers evaluate AI research platforms on encryption (AES-256 at rest, TLS 1.2+ in transit), SOC 2 Type II attestation or roadmap, SSO/SAML, transparent sub-processors and data residency, annual penetration testing, audit logging with configurable retention, and a signable DPA. Koji runs on SOC 2 Type II-attested cloud infrastructure, uses AES-256 and TLS 1.2+, runs annual third-party pen tests, and publishes its compliance posture, with its own SOC 2 and ISO 27001 on a dated roadmap.","content":"## The Bottom Line\n\nWhen you bring an AI customer research platform into an enterprise, the buying decision is rarely made by the research team alone — it passes through security review, legal, and procurement. The platforms that clear that gate quickly share five traits: encryption in transit and at rest, a SOC 2 Type II attestation (or a credible, dated roadmap to one), SSO/SAML for access control, transparent sub-processor and data-residency disclosure, and a Data Processing Agreement (DPA) ready to sign. Koji is built on SOC 2 Type II-attested cloud infrastructure (AWS and Google Cloud), encrypts data with AES-256 at rest and TLS 1.2+ in transit, commissions independent annual penetration testing, and publishes its compliance posture openly — so your security review moves in days, not quarters.\n\nThis guide gives you the exact checklist to run a vendor security assessment on any AI research tool, and shows where Koji stands on each line item.\n\n## Why AI research platforms get extra scrutiny\n\nA customer research platform is not a low-stakes tool. It collects first-party voice and text from your customers, employees, or prospects — often including names, opinions about your product, and sometimes regulated personal data. The moment a platform records, transcribes, and analyzes those conversations with AI, three risks land on your security team's desk:\n\n- **Data exposure**: interview transcripts and recordings are sensitive. A breach is both a privacy incident and a competitive one.\n- **Sub-processor sprawl**: AI features route data to model providers, transcription engines, and analytics vendors. Each is a sub-processor your legal team must vet.\n- **Access control**: research data often gets shared widely inside a company. Without SSO and role-based permissions, that sharing becomes a liability.\n\nTraditional survey tools were never designed for this level of qualitative depth. AI-native platforms like Koji are — which means security is engineered in, not retrofitted.\n\n## The enterprise security checklist\n\nUse this checklist to evaluate any AI research vendor. Send it verbatim to your security team.\n\n### 1. Encryption\nConfirm encryption **in transit** (TLS 1.2 or higher) and **at rest** (AES-256). Ask whether certificate management is automatic and whether any data is ever stored unencrypted, even temporarily. *Koji: TLS 1.2+ in transit, AES-256 at rest, with automatic certificate management handled by the underlying cloud platform.*\n\n### 2. SOC 2 Type II\nThis is the single most common gate. Ask for the attestation report under NDA, or — if the vendor is earlier-stage — a dated roadmap with a defined audit period. Be wary of vendors who claim compliance with no report and no timeline. *Koji: runs on two SOC 2 Type II-attested cloud platforms (AWS and Google Cloud); Koji's own SOC 2 Type II and ISO/IEC 27001 attestations are on the published compliance roadmap with a defined target audit period.*\n\n### 3. Penetration testing\nAsk how often independent third-party penetration tests run and whether a summary letter is available. Annual cadence is the baseline. *Koji: independent third-party penetration testing is scoped on an annual cadence alongside its audit engagement.*\n\n### 4. SSO and access control\nFor any team over a handful of seats, SSO/SAML is non-negotiable — it lets you enforce your own password and MFA policy and deprovision instantly. Confirm role-based permissions so a viewer cannot edit studies or export raw data. *Koji: supports SSO/SAML and role-based access.*\n\n### 5. Sub-processors and data residency\nRequest the current sub-processor list and where data is stored and processed (region matters for GDPR and data-residency requirements). *Koji: publishes its sub-processor list and data-residency information on its compliance pages.*\n\n### 6. Audit logging and retention\nAsk whether administrative and authentication events are logged, how long logs are retained, and whether you control data-retention windows. *Koji: maintains database and authentication audit logs with configurable retention (up to six-year retention available by contract).*\n\n### 7. DPA and privacy framework\nConfirm a signable DPA, GDPR alignment, and support for data subject access and deletion requests. *Koji offers a DPA to business customers and is built for GDPR-aligned workflows including anonymization and deletion.*\n\n## How Koji is architected for enterprise trust\n\nKoji's approach to security follows a simple principle: collect rich qualitative data without becoming a liability. A few design choices matter here.\n\n**Async, link-based interviews reduce recording risk.** Because Koji interviews are conducted through a shareable link rather than a live, recorded video call, there is no third-party meeting recorder in the loop and consent is captured in the interview flow itself. Fewer moving parts means a smaller attack surface and a cleaner consent trail.\n\n**The quality gate limits unnecessary data processing.** Koji only counts conversations that score 3 or higher on its quality scale toward your plan — low-effort or junk sessions are filtered. That same gate means your analysis (and the data you retain) focuses on genuine signal.\n\n**Structured questions keep data predictable.** Koji supports six structured question types — open_ended, scale, single_choice, multiple_choice, ranking, and yes_no — so you decide exactly what is collected. Quantitative fields stay quantitative and predictable, while open-ended answers get AI follow-up probing. Knowing your data schema up front makes retention and anonymization policies far easier to enforce. See the [structured questions guide](/docs/structured-questions-guide) for the full breakdown.\n\n**Transparent posture, not vague assurances.** Koji publishes its security, sub-processor, incident-response, and certification-status pages openly. For a security reviewer, public documentation that names specifics (AES-256, TLS 1.2+, annual pen testing, six-year log retention) is worth more than a marketing claim of being enterprise-grade.\n\n## Running the vendor review efficiently\n\nA few practical tips to get research tools approved fast:\n\n1. **Loop security in during the trial, not after.** Send the checklist above the moment a tool reaches your shortlist. Security review is the longest pole — start it early.\n2. **Ask for documentation links, not promises.** A vendor that can point you to a live security page and a DPA template is one that has done this before.\n3. **Scope data minimization into your study design.** Use Koji's structured questions and screeners to collect only what you need. The less personal data you gather, the lighter your compliance burden.\n4. **Set retention deliberately.** Decide how long transcripts should live and configure retention accordingly rather than defaulting to forever.\n\n## Where this leaves you\n\nThe modern, AI-native research platforms win enterprise deals precisely because they treat security as a feature. With AES-256 encryption, SSO/SAML, annual penetration testing, transparent sub-processor disclosure, a signable DPA, and a published path to its own SOC 2 Type II and ISO 27001 attestations, Koji gives your security team the artifacts they need to say yes — while your research team gets AI voice and text interviews, automatic analysis, and real-time reports that traditional survey tools cannot match.\n\n## Red flags in a vendor security review\n\nA few warning signs should slow a purchase until they are resolved:\n\n- **Compliance claims with no artifact.** A vendor that says it is SOC 2 compliant but cannot share a report, a roadmap, or a status page is asserting something you cannot verify. Credible vendors point to documentation.\n- **No DPA, or a take-it-or-leave-it contract.** A platform handling customer conversations should expect to sign a DPA. Resistance here is a signal about how they treat data obligations generally.\n- **Vague sub-processor disclosure.** AI features route data to model and transcription providers. If a vendor cannot name its sub-processors, your legal team cannot assess the chain of custody.\n- **No SSO on business plans.** If single sign-on is locked away or unavailable, centralized access control and instant deprovisioning become manual and error-prone.\n- **Recorded live calls with no consent trail.** Tools that depend on third-party meeting recorders add a sub-processor and a consent burden. Koji's async, link-based interviews avoid both by capturing consent in the flow.\n\nScoring a shortlist against these red flags — alongside the seven-point checklist above — turns a subjective security conversation into a comparable, defensible evaluation you can document for procurement.\n\n## Related Resources\n\n- [Structured Questions Guide](/docs/structured-questions-guide) — the six question types and how they keep collected data predictable\n- [AI Interview Data Privacy & Security](/docs/ai-interview-data-privacy-security) — how interview data is protected end to end\n- [GDPR-Compliant AI User Research](/docs/gdpr-compliant-ai-user-research) — running research under GDPR\n- [HIPAA-Compliant AI User Research](/docs/hipaa-compliant-ai-user-research) — research in regulated healthcare settings\n- [Anonymizing Customer Interview Data](/docs/anonymizing-customer-interview-data) — de-identification best practices\n- [Exporting Research Data](/docs/exporting-research-data) — getting data out securely","category":"Research Operations","lastModified":"2026-06-26T03:21:35.094599+00:00","metaTitle":"Enterprise Security for AI Customer Research Platforms (SOC 2, SSO & Vendor Review)","metaDescription":"How to evaluate the security of an AI customer research platform: SOC 2, AES-256 encryption, SSO/SAML, data residency, sub-processors, and a procurement-ready vendor checklist.","keywords":["enterprise security","soc 2 research platform","ai research security","vendor security review","data residency","sso saml research tool","dpa research platform","secure customer research","penetration testing","customer research compliance"],"aiSummary":"Enterprise buyers evaluate AI research platforms on encryption (AES-256 at rest, TLS 1.2+ in transit), SOC 2 Type II attestation or roadmap, SSO/SAML, transparent sub-processors and data residency, annual penetration testing, audit logging with configurable retention, and a signable DPA. Koji runs on SOC 2 Type II-attested cloud infrastructure, uses AES-256 and TLS 1.2+, runs annual third-party pen tests, and publishes its compliance posture, with its own SOC 2 and ISO 27001 on a dated roadmap.","aiPrerequisites":["Basic familiarity with vendor security review","Understanding of your organization's compliance requirements"],"aiLearningOutcomes":["Run a structured security assessment on any AI research vendor","Distinguish credible security claims from marketing language","Understand Koji's encryption, SOC 2 posture, and access controls","Design studies that minimize data and ease compliance"],"aiDifficulty":"intermediate","aiEstimatedTime":"12 minutes"}],"pagination":{"total":1,"returned":1,"offset":0}}