Koji Compliance

Technical & organizational measures

The Article 32 GDPR technical and organizational measures Koji B.V. implements to ensure a level of security appropriate to the risk. Structured across the eight classical TOM categories used in EU data-protection practice.

Last updated: May 2026
Applies to: All processing of personal data by Koji B.V.

Purpose and scope

This document forms part of the Data Processing Agreement between Koji B.V. and each enterprise customer. It describes the technical and organizational measures (TOM) implemented to protect personal data processed through the Koji platform. The measures are reviewed at least annually and whenever significant changes occur to the processing environment.

1. Physical access control

Measures to prevent unauthorized persons from gaining physical access to systems used to process personal data.

Koji operates no physical data centers. All processing infrastructure runs on managed cloud platforms whose physical security has been independently audited:

  • Database, authentication, storage: Supabase, running on AWS or Google Cloud regions selected per customer contract. AWS and Google Cloud data centers implement perimeter fencing, 24/7 security staff, CCTV surveillance, biometric access controls, mantrap entry points, and visitor logging.
  • Application and edge compute: Vercel, running on multiple cloud providers with equivalent physical-security posture.

No Koji personnel have physical access to any data center. All administration is performed remotely over encrypted connections with MFA.

2. Logical access control

Measures to prevent unauthorized use of data processing systems.

  • Customer authentication: SAML SSO via the customer's identity provider is the default for enterprise deployments. Koji never stores or handles institutional passwords.
  • MFA: Required for all Koji personnel accessing production systems.
  • Least privilege: Access is granted only for the minimum scope and minimum duration required.
  • Privileged access: Production administrative access is scoped to a defined set of named engineers and is logged.
  • Access reviews: Performed quarterly, as set out in Koji's documented access-management policy; access is revoked immediately on role change or departure.

3. Data access control

Measures to ensure that persons entitled to use a data processing system have access only to those personal data to which they have a right.

  • Tenant isolation at the database level: Every enterprise customer receives a dedicated database instance, not a shared schema.
  • Row-level security: Within a customer's database, Postgres row-level security policies enforce that every read and write is scoped to the authenticated user and their team.
  • Role-based access: Within a customer team, roles (owner, admin, member) determine which actions a user can perform.
  • Audit logging: Every administrative action and every authentication event is logged with actor, time, target, and source IP.

4. Transfer control

Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during transmission or transport.

  • TLS 1.2 or higher for all client-to-server and server-to-server communication, with HSTS enforced.
  • AES-256 encryption at rest for database storage, file storage, and backups.
  • No transmission of personal data over unencrypted email or unencrypted file transfer.
  • Sub-processors are bound by signed Data Processing Agreements requiring equivalent transfer-control measures.
  • Cross-border transfers outside the EEA are governed by the European Commission's 2021 Standard Contractual Clauses, incorporated into Koji's DPA.

5. Input control

Measures to ensure that it is possible to check and establish whether and by whom personal data has been input into, modified, or removed from data processing systems.

  • Every write operation to customer data is associated with an authenticated actor, time, and source IP, and recorded in audit logs.
  • Database changes are versioned through application logic; rows carry created_at, updated_at, and where appropriate, deleted_at metadata.
  • Soft deletion is used for primary customer entities; hard deletion is performed on retention-policy expiry or upon verified data-subject erasure request.
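The following Postgres schema is an added illustration of the controls described in sections 3 and 5 above (row-level security scoped to the authenticated user and their team, owner/admin/member roles, created_at/updated_at/deleted_at metadata, soft deletion, and an audit log of actor, time, target and source IP). It is not Koji's own schema or code; the table names, the app.current_user_id session setting and the helper functions are hypothetical, chosen only to show how such policies are expressed.

```sql
-- Added example, not Koji's schema. Assumes the application sets the
-- authenticated user's id in the session setting app.current_user_id
-- (e.g. SET LOCAL) at the start of every request's transaction.

CREATE TABLE teams (
  id   uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  name text NOT NULL
);

CREATE TABLE team_members (
  team_id uuid NOT NULL REFERENCES teams(id),
  user_id uuid NOT NULL,
  role    text NOT NULL CHECK (role IN ('owner', 'admin', 'member')),
  PRIMARY KEY (team_id, user_id)
);

-- Primary customer entity: carries the input-control metadata columns.
CREATE TABLE documents (
  id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  team_id    uuid NOT NULL REFERENCES teams(id),
  title      text NOT NULL,
  created_by uuid NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now(),
  updated_at timestamptz NOT NULL DEFAULT now(),
  deleted_at timestamptz            -- NULL = live; set = soft-deleted
);

-- Caller identity, read from the session setting (NULL if unset).
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('app.current_user_id', true), '')::uuid
$$;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE  ROW LEVEL SECURITY;  -- also binds the table owner

-- Read: only live rows belonging to a team the caller is a member of.
CREATE POLICY documents_select ON documents FOR SELECT
  USING (
    deleted_at IS NULL
    AND team_id IN (SELECT team_id FROM team_members
                    WHERE user_id = current_app_user())
  );

-- Insert: any team member may create, but created_by must be the caller.
CREATE POLICY documents_insert ON documents FOR INSERT
  WITH CHECK (
    created_by = current_app_user()
    AND team_id IN (SELECT team_id FROM team_members
                    WHERE user_id = current_app_user())
  );

-- Update (which includes soft deletion via deleted_at): owner or admin only.
CREATE POLICY documents_update ON documents FOR UPDATE
  USING (
    team_id IN (SELECT team_id FROM team_members
                WHERE user_id = current_app_user()
                  AND role IN ('owner', 'admin'))
  );

-- No DELETE policy is defined: with RLS enabled, hard deletes by application
-- roles are denied, so erasure is a separate, privileged retention job.

-- Keep updated_at current on every write.
CREATE FUNCTION touch_updated_at() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  NEW.updated_at := now();
  RETURN NEW;
END $$;

CREATE TRIGGER documents_touch BEFORE UPDATE ON documents
  FOR EACH ROW EXECUTE FUNCTION touch_updated_at();

-- Audit log: actor, time, action, target and source address for every write.
CREATE TABLE audit_log (
  id           bigserial PRIMARY KEY,
  actor        uuid,
  occurred_at  timestamptz NOT NULL DEFAULT now(),
  action       text NOT NULL,
  target_table text NOT NULL,
  target_id    uuid,
  source_ip    inet
);

-- SECURITY DEFINER lets the trigger append to audit_log even though the
-- application role is granted no direct INSERT/UPDATE/DELETE on that table.
CREATE FUNCTION audit_documents() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  INSERT INTO audit_log (actor, action, target_table, target_id, source_ip)
  VALUES (current_app_user(), TG_OP, TG_TABLE_NAME,
          CASE TG_OP WHEN 'DELETE' THEN OLD.id ELSE NEW.id END,
          inet_client_addr());
  RETURN NULL;  -- return value of an AFTER row trigger is ignored
END $$;

CREATE TRIGGER documents_audit AFTER INSERT OR UPDATE OR DELETE ON documents
  FOR EACH ROW EXECUTE FUNCTION audit_documents();

-- Per-request usage: bind the caller, then query; RLS filters transparently.
-- BEGIN;
-- SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
-- SELECT id, title FROM documents;                 -- only the caller's teams
-- UPDATE documents SET deleted_at = now() WHERE id = '...';  -- soft delete
-- COMMIT;
```

Two details matter for the guarantees the page states. FORCE ROW LEVEL SECURITY is needed so the policies also apply when the application connects as the table owner; superusers still bypass RLS, so the application should never connect as one. Because the trigger reads the actor from a session setting, the setting must be bound with SET LOCAL inside each transaction (or a per-request connection), otherwise a pooled connection can leak one user's identity into the next request, which would both misattribute audit entries and widen what the policies expose.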

6. Job control

Measures to ensure that personal data processed on behalf of others can be processed only in accordance with the controller's instructions.

  • The Master Subscription Agreement and the Data Processing Agreement together constitute the controller's complete and documented instructions.
  • Koji personnel are trained on the no-secondary-use principle: customer data is processed only to deliver the contracted service.
  • Sub-processors are engaged only with controller authorization (general written authorization in the DPA, with thirty-day notice for changes).
  • Each sub-processor is bound by a written agreement imposing equivalent data-protection obligations.

7. Availability control

Measures to ensure that personal data are protected against accidental destruction or loss.

  • Continuous, encrypted backups with point-in-time recovery available within the customer's contracted region.
  • Multi-availability-zone deployment within the selected region.
  • Documented business continuity and disaster recovery plan with target Recovery Time Objective of four hours and target Recovery Point Objective of one hour.
  • Cross-region replication available on request as part of the enterprise contract.
  • Production monitoring with on-call rotation; critical alerts fire within minutes of detection.

8. Separation control

Measures to ensure that personal data collected for different purposes can be processed separately.

  • Per-customer database isolation at the enterprise tier ensures controller data is never co-located with another controller's data.
  • Within a customer database, data segregation by team and by project is enforced by row-level security.
  • Development, staging, and production environments are fully separate, with no production data in non-production systems.
  • When AI providers are used (with the customer's consent for Koji-recommended models, or with the customer's own keys), requests carry no cross-customer context and providers are contractually prevented from training on customer data.

Review cadence

These measures are reviewed and updated at least annually and whenever significant changes occur to the processing environment. The "Last updated" date at the top of this page reflects the most recent review.

Questions about this document? Contact compliance.