Updated: June 2026
Security & data protection
How Koji protects your data on the standard product — every plan, free and paid.
This page documents the data handling, hosting, and sub-processors that apply to all Koji accounts. Evaluating Koji for a larger deployment? The compliance hub holds the enterprise package (custom MSA, BAA, countersigned DPA, security questionnaires, and SOC 2 / ISO status under NDA).
Data residency & hosting
Koji is built and operated in the EU. For the standard product, both compute and your primary data live in the European Union by default:
- Application & compute run on Vercel in Paris, France (cdg1).
- Your database, accounts, and file uploads are stored on Supabase in Paris, France (eu-west-3).
- Product analytics (PostHog) and transactional email (Resend) are processed in the EU.
The AI and payment providers we rely on (Google Gemini, ElevenLabs, Stripe) are global, provider-managed services. The exact data each one receives is listed in the sub-processor table below. International transfers to these providers are governed by the European Commission's Standard Contractual Clauses and each provider's Data Processing Agreement. EU-resident AI processing is available as an enterprise option— Gemini via Google Vertex AI's EU regions and ElevenLabs via its EU data residency, with optional Zero-Retention voice mode.
Infrastructure security
Our platform is hosted on Vercel and Supabase— both SOC 2 Type II compliant and trusted by thousands of companies. Vercel provides edge infrastructure with automatic DDoS protection (Vercel Security). Supabase provides our database with row-level security, encrypted backups, and network isolation (Supabase Security).
Infrastructure is defined as code and replaced through a continuous deployment pipeline, keeping environments consistent and version-controlled.
Encryption
All data is encrypted in transit and at rest. We use TLS 1.2+ for data in transit and AES-256 for data at rest. Encryption adds a layer of protection against unauthorized access and man-in-the-middle attacks.
AI & your data
Koji's interviews and analysis are powered by Google's Gemini API. Your interview content and research data are sent to Gemini to run the AI interviewer, synthesize insights, and generate embeddings. Under Google's paid Gemini API terms, your prompts and outputs are not used to train Google's models.
Voice interviews additionally use ElevenLabs for speech synthesis and transcription. ElevenLabs may retain audio under its standard data-retention policy to operate the service, but does not use your audio to train its models.
Research data is processed in isolated, per-account contexts. We never sell your data, and we never use customer research content to train any Koji model. Teams that require their own model contract can bring their own API key (BYOK), so prompts route through their own provider account under their own terms.
Authentication & access control
Accounts are secured through Supabase Auth, with email/password and Google sign-in. Access to your data is enforced at the database layer with row-level security (RLS), so one account can never read another's studies, interviews, or uploads. Internal access to production follows least-privilege principles and is limited to the small team that operates the service.
Sub-processors
These are the third parties the standard product relies on, the data each receives, and where it's processed. The canonical, always-current list lives at /compliance/sub-processors.
| Provider | Purpose | Data handled | Region |
|---|---|---|---|
| Vercel, Inc. | Application hosting & serverless compute | Requests, app traffic, operational logs | EU — Paris (cdg1) |
| Supabase, Inc. | Database, authentication & file storage | Account data, studies, interview responses, uploads | EU — Paris (eu-west-3) |
| Google LLC — Gemini API | AI interviewer, analysis & embeddings | Interview prompts & responses, study content | Google-managed |
| ElevenLabs, Inc. | Voice synthesis & transcription (voice interviews) | Interview audio & transcripts | Provider-managed |
| Stripe, Inc. | Payments & billing | Billing details (card data held by Stripe, not Koji) | Global (Stripe-managed) |
| Resend, Inc. | Transactional email | Email address, message content | EU — Frankfurt |
| PostHog, Inc. | Product analytics | Pseudonymous usage events | EU (eu.i.posthog.com) |
| Google LLC — Calendar API | “Book a call” scheduling | Name, email, meeting time (only if you book a call) | Google-managed |
Our public marketing pages also use Google Analytics and Apollo for website-visitor analytics. These run only on the public site, not inside the product, and are covered by our Cookie Policy.
Data retention & deletion
Your research data is retained for as long as your account is active so you can return to your studies and insights. When you delete data or close your account, it is removed from our production systems within 30 days; encrypted backups roll off on their normal cycle shortly after. You can request export or deletion of your data at any time — see Privacy Policy.
Your privacy rights
Koji handles all customer and participant personal data in accordance with the GDPR, UK GDPR, and applicable US state privacy laws (including the CCPA). These rights — access, correction, deletion, portability, and objection — apply to every plan, not just enterprise. Requests are handled within the timelines those laws require.
A standard Data Processing Agreement is available to every business customer (a countersigned copy is provided on enterprise contracts). If you process personal data through Koji, the DPA governs that processing under GDPR Article 28.
Payment security
Koji never stores card or payment details. Payments are handled by Stripe, a PCI Service Provider Level 1 certified processor — the most stringent level available (Stripe security).
Reliability & monitoring
The platform is designed to be highly available and fault tolerant. We monitor continuously and route prioritized alerts to the responsible team. When an issue may affect your experience, we take ownership and keep you informed.
Certifications & audits
SOC 2 Type II and ISO 27001 are in progress. We operate against the underlying controls today, and our core infrastructure providers (Vercel, Supabase, Stripe) hold their own SOC 2 Type II / PCI certifications. We do not yet claim Koji-level SOC 2 or ISO certification; this page will be updated when those are awarded. Status and any auditor reports for enterprise evaluation are available under NDA via the compliance hub.
Documents for the standard product
The legal and compliance documents that apply to every Koji account:
- Privacy PolicyHow we handle personal data — applies to all users
- Terms of ServiceThe agreement governing your use of Koji
- Data Processing Agreement (DPA)GDPR Art. 28 processor terms — available to every business customer
- Sub-processorsThe full list of third parties, kept current
- Cookie PolicyCookies & website trackers we use
- GDPR overviewYour data-subject rights and how to exercise them
- CCPA / US state privacyRights for US-based users
- Security & privacy contactReach our team with a one-business-day response window
What's enterprise-tier
Everything above applies to all plans. A few items are reserved for enterprise contracts because they require negotiation or signature: a custom Master Services Agreement, a Business Associate Agreement (HIPAA), a countersigned DPA, region pinning, custom data-retention terms, and access to SOC 2 / ISO reports under NDA. You can find these in the compliance hub or by talking to our team.
Questions or vulnerability reports
For security questions, data requests, or to report a vulnerability, please contact us (select “Privacy & Legal”) or email [email protected]. We respond within one business day.