Sector frameworks
Koji's posture on industry-specific frameworks that don't have their own dedicated page: FERPA, GLBA, PCI DSS, TISAX. HIPAA has a dedicated page; everything else lives here.
FERPA — US education
Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. Protects the privacy of student educational records. Applies to educational agencies and institutions that receive funding from a US Department of Education program (most US universities, K–12 schools, and a large number of supporting institutions).
Koji's FERPA position
Koji can act as a "school official" with legitimate educational interest under FERPA's 34 CFR § 99.31(a)(1) exception, allowing US educational institutions to disclose student personally identifiable information (PII) to Koji without first obtaining parental or eligible-student consent. Conditions:
- The educational institution determines Koji performs a service that the institution would otherwise perform.
- Koji is under the direct control of the institution with respect to the use and maintenance of PII (operationalized through our DPA's processor commitments).
- Koji is subject to FERPA's re-disclosure and use limitations. Our DPA and operating practices commit to both.
- PII access is restricted to authorized institutional personnel and to Koji personnel with a need-to-know.
Koji also runs a dedicated Koji for Education product with separate compliance documentation tailored to European universities. The FERPA position above applies to the main Koji enterprise product as used by US institutions.
GLBA — US financial
Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6809. Governs how financial institutions protect and share consumers' "nonpublic personal information" (NPI). Applies to US banks, securities firms, insurance companies, and many other entities considered "financial institutions" under the act.
Koji's GLBA position
- Koji is not itself a financial institution and is not directly regulated by GLBA. When a regulated financial institution uses Koji, the institution remains the GLBA-regulated entity.
- As a service provider receiving NPI from a regulated financial institution, Koji enters into the service-provider contract terms that the GLBA Safeguards Rule (16 CFR Part 314) requires regulated institutions to obtain from their vendors. Available as part of the enterprise contract on request.
- The technical safeguards we provide (encryption, access control, monitoring, incident response) align with the updated Safeguards Rule's requirements that came into effect in 2023.
- Customer notification of incidents involving NPI follows the GLBA-specific timeline, which overlays our general incident response process so that the institution can meet its own Safeguards Rule notification obligations.
Financial-institution customers in the EU/UK should also see DORA for the parallel European regime.
PCI DSS — payment card data
Payment Card Industry Data Security Standard (PCI DSS). Mandatory contractually for any organization that stores, processes, or transmits cardholder data. PCI DSS v4.0 is the current standard.
Koji's PCI DSS position
- Koji does not store, process, or transmit cardholder data. All payment flows go through Stripe (PCI DSS Level 1 service provider). Koji never sees primary account numbers, expiration dates, or CVVs.
- Stripe handles the entirety of the cardholder-data environment. See Stripe security for Stripe's PCI DSS certification.
- Koji holds Stripe customer IDs and invoice metadata, none of which is cardholder data under PCI DSS.
- For customers who require a vendor PCI DSS attestation, Koji refers them to Stripe's Attestation of Compliance (AOC).
TISAX — German automotive
Trusted Information Security Assessment Exchange (TISAX). The information-security assessment scheme used across the German automotive industry, derived from the VDA ISA catalog. Required by major German OEMs and their suppliers.
Koji's TISAX position
- A formal TISAX assessment is on Koji's roadmap as German automotive customer demand emerges. TISAX is a regional framework relevant primarily to vendors serving German automotive OEMs and their tier-1 / tier-2 suppliers.
- Koji's existing controls (see security overview and TOM) substantively cover the VDA ISA catalog at Assessment Level 1–2 (AL2 being the level most OEMs require of suppliers handling information with high protection needs).
- For German automotive customers evaluating today, Koji provides a self-assessment mapping our existing controls to VDA ISA requirements. A formal third-party TISAX assessment can be scoped as a customer-funded engagement if required for the contract.
COPPA — US children's privacy
Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506. Governs collection of personal information from children under 13 in the US.
Koji is intended for adult research participants and is not marketed to children under 13. Customers designing research that may capture data from minors should contact [email protected] before deployment so the appropriate safeguards (parental-consent flow, content controls, retention) can be configured.
Public-sector frameworks on the longer-term roadmap
Several public-sector cybersecurity baselines are on Koji's longer-term roadmap and addressed as enterprise customer demand emerges:
- FedRAMP (US federal civilian / defense procurement) — on the longer-term roadmap. US federal procurement is not Koji's current customer focus; we evaluate FedRAMP authorization in step with that focus shifting.
- CMMC (US defense contractors) — on the longer-term roadmap, scoped to the same horizon as FedRAMP. Customers in the US defense industrial base should email [email protected] to discuss interim options.
- BSI C5 (German cloud baseline) — inherited at the AWS layer for infrastructure controls only; it does not cover Koji's application-layer controls. German public-sector customers can request AWS's C5 statement as part of the evaluation. Koji-specific C5 attestation is on the roadmap as German public-sector demand emerges.
- SecNumCloud (French ANSSI cloud baseline) — on the roadmap as French defense-adjacent demand emerges. Our written position is available on request for in-scope customers.
- ENS (Spanish public-sector security baseline) — on the roadmap as Spanish public-sector demand emerges. Our written position is available on request for in-scope customers.
Something missing?
Sectoral frameworks proliferate. If your evaluation requires a framework not listed here, email [email protected]. We document a position within five business days and publish it on this page when it becomes reusable.