Koji Compliance
Coverage matrix
Every regulation, framework, and standard Koji covers, in one table. Use it as a 30-second spot-check before drilling into a specific page.
Last updated: May 2026
Applies to: All Koji enterprise deployments
How to read this page: Each row names a regulation or framework, the region it applies in, our current status, and a link to the page with detail. The status column is deliberately conservative. Where formal third-party certification is on the roadmap rather than in place today, we mark "Aligned" or "On roadmap" and document the interim controls in the linked page; we never label something "Certified" before the report is in hand.
Status legend
Covered: in force today; our standard operating practices satisfy the regulation
Covered with config: in scope; finalized with per-customer contractual additions during enterprise onboarding
Aligned: controls match the standard substantively; formal certification on the roadmap or scoped per engagement
On roadmap: scoped for a future audit period or release window; interim mitigations documented
On request: position confirmed per customer engagement and added to the matrix once reusable
Not applicable: the framework governs a use case Koji is not built for (e.g. children under 13)
Privacy
| Framework | Region | Status | Notes |
|---|---|---|---|
| EU GDPR (Regulation 2016/679) | EU/EEA | Covered | Federal framework. Our DPA includes Article 28 clauses + EU SCCs. Detail. |
| UK GDPR + DPA 2018 | UK | Covered | Substantive twin of EU GDPR. UK Addendum to SCCs incorporated. Detail. |
| EU member state additions | EU member states | Covered | Netherlands UAVG, Germany BDSG, France, Spain, Italy, etc. Detail. |
| Swiss nFADP | Switzerland | Covered | GDPR-aligned; FDPIC addendum to SCCs on request. Detail. |
| CCPA / CPRA | US California | Covered | Service-provider clauses in DPA. Consumer rights supported. Detail. |
| US state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, FDBR, +13 others) | US (state) | Covered | Twenty state laws covered by single operating program + DPA. Detail. |
| Canada PIPEDA + Quebec Law 25 | Canada | Covered | Accountability + DPA equivalence. Detail. |
| Brazil LGPD | Brazil | Covered | Controller/operator framework covered by DPA. Detail. |
| Singapore PDPA | Singapore | Covered | Data-intermediary contract in DPA. Detail. |
| Australia Privacy Act + APPs | Australia | Covered | Cross-border safeguards under APP 8 in DPA. Detail. |
| Japan APPI | Japan | Covered | EU adequacy applies; APPI cross-border requirements met. Detail. |
| South Korea PIPA | South Korea | Covered | Outsourcee role under Article 26. Korean-language docs on request. Detail. |
| South Africa POPIA | South Africa | Covered | Operator agreement equivalent on request. Detail. |
| India DPDPA 2023 | India | On request | Rules still being operationalized; per-customer position. Detail. |
Sectoral
| Framework | Region | Status | Notes |
|---|---|---|---|
| HIPAA (Health Insurance Portability and Accountability Act) | US (healthcare) | Covered | Enterprise-tier with BAA available on request. Standard tier not for PHI. Detail. |
| DORA (Digital Operational Resilience Act) | EU (financial services) | Covered with config | ICT third-party risk obligations addressed via contract addendum. Detail. |
| NIS2 Directive 2022/2555 | EU (cybersecurity) | Covered | Supply-chain obligations supported via DPA + IR + TOM. Detail. |
| GLBA (Gramm-Leach-Bliley Act) | US (financial) | On request | Service-provider role supported; financial institution responsibilities remain with customer. Detail. |
| FERPA (Family Educational Rights and Privacy Act) | US (education) | On request | School-official designation available; Koji for Education vertical for deeper coverage. Detail. |
| PCI DSS | Global (payments) | Aligned | Koji does not store payment card data; payment flow goes through Stripe (PCI DSS Level 1). Detail. |
| TISAX | Germany (automotive) | On request | Automotive customers can request a TISAX self-assessment aligned with our existing controls. Detail. |
| COPPA | US (children) | Not applicable | Koji is intended for adult research participants and is not marketed to children under 13. Research targeting minors requires per-engagement configuration. |
| FedRAMP | US (federal procurement) | On roadmap | On Koji's longer-term roadmap as US federal procurement demand emerges. |
| CMMC | US (defense contractors) | On roadmap | On the longer-term roadmap, scoped alongside FedRAMP. |
Security
| Framework | Region | Status | Notes |
|---|---|---|---|
| SOC 2 Type II | Global | On roadmap | Audit engagement scoped; target audit period to be published. Mitigating controls in place; subscribe to updates. Detail. |
| ISO/IEC 27001 | Global | On roadmap | Aligned with controls; certification on the medium-term roadmap. Detail. |
| ISO/IEC 27017 / 27018 | Global (cloud) | Aligned | Inherited from Vercel and Supabase; Koji adopts the equivalent control posture. |
| ISO/IEC 42001 (AI management systems) | Global (AI) | Aligned | Aligned with standard's clauses and Annex A controls; certification on roadmap. Detail. |
| CSA CAIQ Lite | Global | Covered | Pre-filled questionnaire available via the resources page. Detail. |
| Shared Assessments SIG Lite | Global | Covered | Pre-filled questionnaire available via the resources page. Detail. |
AI
| Framework | Region | Status | Notes |
|---|---|---|---|
| EU AI Act (Regulation 2024/1689) | EU | Aligned | Limited-risk use case; Article 50 transparency obligation met. Detail. |
Accessibility
Something missing?
If your evaluation requires a regulation or framework that is not on this list, email [email protected] and we will respond within one business day. Most additions are documented and published within five business days once the scope is confirmed.
Questions about this document? Contact compliance.