New

Now in Claude, ChatGPT, Cursor & more with our MCP server

Koji
ProductPricingEnterpriseAbout
Back to Koji
Koji Compliance

GDPR compliance

How Koji aligns with the EU General Data Protection Regulation (2016/679) and equivalent national laws in the EEA, Switzerland, and the United Kingdom.

Last updated: May 2026Applies to: All processing of EU personal data by Koji B.V.

Roles and responsibilities

Under GDPR Article 4, the controller is the entity that determines the purposes and means of processing personal data. The processor is the entity that processes personal data on behalf of the controller.

In every enterprise relationship, the customer is the controller of the personal data uploaded to or generated through the Koji platform. Koji B.V. acts exclusively as a processor. Koji does not determine the purposes of processing, does not combine data across customers, and does not use customer data for any purpose beyond delivering the contracted service.

This allocation is formalized in the Data Processing Agreement signed between Koji and each customer.

Lawful basis (controller responsibility)

Establishing and documenting the lawful basis for processing under Article 6 is the responsibility of the controller (the customer). Koji supports whichever lawful basis the controller selects. Common bases for customer research include:

  • Article 6(1)(a) — consent from the data subject, where the customer has obtained explicit, informed, freely-given, and revocable consent before processing.
  • Article 6(1)(b) — performance of a contract to which the data subject is a party, where the research forms part of fulfilling the customer's service obligations to the participant.
  • Article 6(1)(f) — legitimate interests of the controller, where the controller has documented a balancing test against the data subject's interests, rights, and freedoms.

Where Article 9 special categories of data (health, biometric, ethnic origin, and so on) might be processed, the controller is responsible for identifying and documenting the applicable Article 9 condition before collection begins. The platform is not configured for Article 9 data by default; customers planning to process such data should contact [email protected] to configure appropriate safeguards.

Data subject rights

Koji enables the controller to respond to data subject requests under Articles 15 to 22 within the GDPR's one-month statutory window. The platform provides functionality and operational support for each right:

  • Right of access (Article 15): Customers can export a data subject's records, including transcripts and metadata, in a structured format.
  • Right to rectification (Article 16): Customer administrators can correct or update personal data through the platform.
  • Right to erasure (Article 17): On verified request, Koji erases the data subject's personal data within fifteen days, including from backups according to the documented backup-rotation policy.
  • Right to restriction (Article 18): Records can be flagged for restricted processing within the platform.
  • Right to data portability (Article 20): Structured export formats (CSV, JSON) are available for the full data subject record.
  • Right to object (Article 21): Customer administrators can disable further processing for a given data subject.
  • Rights related to automated decision-making (Article 22): Koji's AI-generated insights are intended to support human decision-making, not to make decisions producing legal or similarly significant effects on data subjects. Where a customer plans to integrate Koji outputs into such decision-making, additional safeguards apply; contact [email protected].

Where Koji receives a data subject request directed at a customer's data, Koji forwards the request to the customer without responding to it directly, in line with the DPA.

Privacy by design and by default (Article 25)

  • Data minimization: The platform captures only the data needed to deliver the contracted service.
  • Purpose limitation: Customer data is processed only to deliver the platform; it is never used to train AI models, never aggregated across customers, and never sold or shared with third parties for marketing.
  • Storage limitation: Customer-configurable retention policies allow controllers to define how long conversation data is kept; defaults are set conservatively and can be tightened per project.
  • Pseudonymization and access controls: Authentication, authorization, and audit logging are built into the platform from the foundation up.

Retention

Default retention periods apply unless overridden in the customer contract. Enterprise customers can set per-project retention policies within the platform. On termination of the subscription, all customer personal data is deleted within thirty days unless the customer requests earlier deletion in writing.

Records of processing (Article 30)

Koji maintains a Record of Processing Activities (ROPA) covering all processing carried out as a processor. The ROPA is available to controllers and to supervisory authorities on request.

Data Protection Impact Assessment (Article 35)

Where the customer's intended use of Koji constitutes a likely high risk to data subjects (for example, large-scale processing of special categories of data), the customer is responsible for carrying out a Data Protection Impact Assessment. Koji provides a DPIA support pack containing the technical descriptions and risk-mitigation information needed to complete the assessment; request it from [email protected].

Breach notification (Article 33)

Koji notifies the controller of any personal data breach affecting the controller's data without undue delay and within seventy-two hours of becoming aware, in line with the DPA. The notification includes the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

Cross-border transfers

Where the customer selects EU data residency, customer personal data is stored and processed in the European Union and is not transferred outside the EEA in the normal course of operations.

Where transfers outside the EEA are necessary (for example, when the customer selects US residency, or when a sub-processor's global operations involve incidental transfers), the parties rely on the European Commission's 2021 Standard Contractual Clauses (Module Two: controller to processor) as incorporated into the DPA, together with the supplementary measures documented in the DPA and in our Technical & Organizational Measures.

A Transfer Impact Assessment is available on request to support the controller's own due diligence.

European representative (Article 27)

Koji B.V. is established in the European Union (Netherlands), so no separate Article 27 representative is required.

Data Protection Officer / Compliance contact

Koji has designated a data-protection contact reachable at [email protected]. For compliance and contract questions, use [email protected].

Supervisory authority

Koji B.V.'s lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (AP). Data subjects in the EU have the right to lodge a complaint with their local supervisory authority.

Related coverage

  • UK GDPR — for UK data subjects post-Brexit; substantively identical, with UK Addendum to SCCs.
  • EU member state requirements — Netherlands UAVG, Germany BDSG, France, Spain, Italy, and other national additions to GDPR.
  • International privacy laws — Switzerland, Canada, Brazil, Singapore, Australia, Japan, and more.
  • NIS2 — EU cybersecurity obligations that cascade to Koji as a vendor of in-scope customers.
Questions about this document? Contact compliance.Back to compliance hub