Last updated: May 2026

Trust centre

Everything a privacy officer, procurement team, or accreditation committee needs to evaluate Koji for Education.

Our commitments

AVG/GDPR by design, with the university as controller
EU data residency for all student data
SURFconext SSO integration
Zero AI model training on student data
DPIA documentation provided to support institutional review
Data Processing Agreement aligned with SURF Model Verwerkersovereenkomst v4.0
EU AI Act classification assessment completed
Automatic PII redaction with human oversight
72-hour breach notification to the controller
Full data export and deletion on contract termination

Data residency

All data stored and processed in the EU

Database & auth: Supabase on AWS Frankfurt (eu-central-1)

Application hosting: Vercel EU region

Analytics: PostHog EU (Frankfurt)

No personal data is transferred outside the European Economic Area as part of standard platform operation. LLM inference uses the university's own enterprise AI accounts, keeping model provider choice and data residency under institutional control.

Certifications

In place

SOC 2 Type II (via infra)

Vercel and Supabase both hold SOC 2 Type II. Reports available on request.

In progress

ISO 27001

ISMS implementation underway. Target certification: Q4 2026.

Planned

SOC 2 Type II (Koji)

Following ISO 27001 certification.

Compliance documentation

Compliance enquiries

For DPIA reviews, DPA negotiations, vendor security questionnaires, or any compliance question not covered here, contact us at compliance@koji.so or schedule a call with the team.

We are happy to participate in your institutional DPIA process, complete SURF or HECVAT vendor assessment questionnaires, and provide any additional documentation your privacy officer or procurement team requires.