Koji Compliance hub.
Everything InfoSec, Legal, and Procurement need to evaluate Koji for enterprise deployment. Self-serve where possible, gated where the contract requires it, with a one-business-day response window for everything else.
What's in this hub.
Koji is operated by Koji B.V., a Dutch private company. The contracting entity for every enterprise deployment is the same, regardless of where the customer is located. Customer data can be provisioned in either the European Union or the United States, depending on the residency option selected at contract signing.
This hub holds the documentation that comes up first in enterprise evaluation, organized into seven groups: an at-a-glance coverage matrix, legal contracts, security controls, regional privacy programs, sectoral frameworks, AI governance and accessibility, plus downloadable resources. Anything not published here is available by emailing our compliance team.
Overview
The 30-second answer to 'do you cover everything we need?'
Legal & contracts
Everything procurement and legal teams need to evaluate the relationship.
Data Processing Agreement
Available: GDPR Article 28 processor agreement with the EU Standard Contractual Clauses (2021) as annexes. Pre-signed by Koji, ready for counter-signature.
Sub-processor register
Available: Live list of every third party that processes customer data, with purpose, region, and a notification subscription.
Master Subscription Agreement
Available: The master commercial terms. Enterprise customers can negotiate a custom MSA as part of the contract.
Privacy notice
Available: How Koji collects, uses, and protects personal data across all services.
Cookie policy
Available: Cookie register and consent options, including the consent banner behavior.
Security & operations
Technical controls, infrastructure, and the procedures behind them.
Security overview
Available: Architecture, encryption (in transit and at rest), access controls, monitoring, and the upstream platforms we run on.
Technical & organizational measures
Available: Article 32 GDPR TOM document, structured across the eight classical control categories used in EU data-protection practice.
SOC 2 Type II
On roadmap: Published target; status, scope, and current mitigations are documented transparently.
ISO 27001 status
On roadmap: Aligned with the standard today; formal certification is on the roadmap. Annex A mapping and inherited certifications are documented.
Incident response
Available: Detection, triage, containment, customer notification commitments, and post-incident review.
Vulnerability disclosure
Available: Responsible disclosure policy, scope, safe harbor, and how researchers can report findings to [email protected].
Regional privacy
The privacy regime that applies in your region. The same Koji program satisfies all of them; the documentation is tailored per jurisdiction.
GDPR (European Union)
Available: Roles, lawful basis, data-subject rights, retention, cross-border transfers, and our supervisory authority.
UK GDPR
Available: UK GDPR and the Data Protection Act 2018, ICO supervision, and the UK Addendum to the EU SCCs for international transfers.
EU member state requirements
Available: Netherlands UAVG, Germany BDSG, France Loi Informatique, Spain LOPDGDD, Italy, Ireland, and other national additions to GDPR.
CCPA / CPRA (California)
Available: Categories of personal information, consumer rights, disclosures, and how to exercise rights as a California resident.
US state privacy laws
Available: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Florida, Delaware, and the rest of the active state regimes.
International privacy laws
Available: Switzerland, Canada (PIPEDA and Quebec Law 25), Brazil (LGPD), Singapore (PDPA), Australia (Privacy Act), Japan (APPI), and more.
Sectoral & industry
Sector-specific frameworks for healthcare, financial services, cybersecurity, education, and payments.
HIPAA (US healthcare)
Available: HIPAA-ready posture for enterprise deployments, with a Business Associate Agreement available on request.
DORA (EU financial services)
Available: EU Digital Operational Resilience Act third-party ICT risk-management addendum for financial-entity customers.
NIS2 (EU cybersecurity)
Available: Supply-chain cybersecurity obligations cascaded from in-scope essential and important entities.
Sector frameworks
Available: FERPA (education), GLBA (financial), PCI DSS (payments), TISAX (German automotive), COPPA, and more.
AI governance & accessibility
How Koji approaches AI responsibility and accessible product design.
Resources
Downloads, contacts, and request flows.
Downloadable documents
Available: DPA PDF, security overview PDF, pre-filled CAIQ Lite security questionnaire, and the standard request flow for gated items.
Contact compliance
Available: Email addresses for security, privacy, legal, and data protection inquiries. Standard response window is one business day.
Have a question we haven't answered?
Email [email protected] for legal or DPA questions, [email protected] for security questionnaires and incident reports, and [email protected] for data-subject requests and privacy concerns. Standard response window is one business day.