
Koji Compliance

SOC 2 status

Where Koji currently stands on SOC 2, what's on the roadmap, and the controls in place today that will be the subject of the audit.

Last updated: May 2026
Applies to: Koji B.V. as a service organization
Current status: SOC 2 Type II is on Koji's compliance roadmap. The controls that will be the subject of the audit are operational today and described in detail below. The audit-period start date will be published on this page as soon as it is scheduled with our independent auditor.

What SOC 2 is

SOC 2 is an independent attestation produced under the AICPA's Trust Services Criteria. A SOC 2 Type II report describes a service organization's controls and confirms that those controls operated effectively over a defined audit period (typically six to twelve months).

Type I reports describe controls at a point in time without operating-effectiveness testing. Most enterprise InfoSec teams ask for Type II rather than Type I, because Type II provides evidence that controls actually run as designed across a real time window.

How we publish status transparently

Some enterprise prospects ask for a current SOC 2 Type II report on the first call. Rather than respond reactively, we publish four pieces of information here, updated as the audit progresses:

  • The current audit phase and target audit period
  • The operational controls that will be the subject of the audit (already running today)
  • The upstream SOC 2 attestations we inherit from our platforms
  • The interim options enterprise customers commonly accept while the first report is in progress

Most enterprise teams accept this posture under a documented risk-acceptance process, often combined with a contractual commitment from Koji to deliver the Type II report by a specified date.

Planned scope

The first Type II report will cover the AICPA Trust Services Criteria for:

  • Security (mandatory; covers protection against unauthorized access)
  • Availability (system uptime and operational performance)
  • Confidentiality (data classified as confidential is protected)

Privacy and Processing Integrity criteria may be added in subsequent audit cycles based on customer demand.

Mitigating controls in place today

These are the controls that operate today and for which evidence will be gathered during the audit period. Each maps to one of the common SOC 2 control areas.

Access control

  • SAML SSO for enterprise customers; MFA for all Koji personnel
  • Role-based access at the team level (owner, admin, member)
  • Quarterly access review cadence in our documented policy; immediate revocation on role change or departure
  • Privileged production access scoped to named engineers

Change management

  • All code changes go through peer code review
  • Automated CI: type-check, lint, tests required to pass before merge
  • Versioned database migrations
  • Continuous deployment with one-minute rollback

Encryption

  • TLS 1.2 or higher in transit, HSTS enforced
  • AES-256 at rest for all data, including backups

Vendor management

  • Documented sub-processor register, public at /compliance/sub-processors
  • DPAs in effect with every sub-processor that handles customer personal data, via signed agreement or accepted standard terms
  • Customer notification of sub-processor changes thirty days in advance

Logging and monitoring

  • Application logs, infrastructure logs, database audit logs
  • Distributed tracing via Vercel OTel
  • Alerting on critical errors and security events
  • On-call rotation with documented escalation

Incident response

  • Documented IR procedure
  • 72-hour customer notification commitment in the DPA
  • Post-incident review for every incident

Vulnerability management

  • Automated dependency scanning on every pull request
  • Third-party penetration testing scoped on an annual cadence alongside the SOC 2 audit; redacted summary released under NDA once available
  • Public vulnerability disclosure policy with safe harbor

Business continuity

  • Continuous backups with point-in-time recovery
  • Target RTO four hours, target RPO one hour for the production system
  • Multi-AZ deployment within the customer's selected region

Upstream attestations we inherit

Koji runs on platforms that already hold SOC 2 Type II reports. This does not substitute for our own audit, but it does cover the underlying infrastructure layer:

  • Vercel (application hosting, edge): SOC 2 Type II. vercel.com/security
  • Supabase (database, authentication, storage): SOC 2 Type II. supabase.com/security
  • AWS and Google Cloud (underlying infrastructure): SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and many more.
  • Other sub-processors (see register) carry their own SOC 2 or equivalent attestations where applicable.

Subscribe to status updates

Email [email protected] with the subject "SOC 2 update subscription" to be notified when the audit period is set, when the audit completes, and when the report is available for download under NDA.

What to do if your procurement requires SOC 2 today

Several options work in practice:

  1. Risk-acceptance with a delivery commitment: Add a contractual clause requiring Koji to deliver a Type II report by a specified date. We sign this routinely with enterprise customers.
  2. Substitute with detailed control evidence: We provide a pre-filled CAIQ Lite or SIG Lite questionnaire, this document, and the upstream attestations from Vercel, Supabase, AWS, and Google Cloud. Many security teams accept this combination for short-term gap coverage.
  3. Pilot first, then enterprise contract: Run a scoped pilot under a limited-scope NDA while the audit completes; sign the full contract on Type II availability.

Email [email protected] to discuss which approach fits your procurement process.

Questions about this document? Contact compliance.