
Last updated: May 2026

Security

Infrastructure security, encryption, access controls, penetration testing, incident response, and business continuity measures that protect institutional data in Koji for Education.

Infrastructure

Koji for Education runs on a modern, cloud-native stack selected for security posture, compliance credentials, and European data residency.

Hosting providers

The application layer is hosted on Vercel (edge compute and static delivery). Database, authentication, and file storage are managed by Supabase on AWS Frankfurt (eu-central-1). Both providers maintain SOC 2 Type II certifications. Each institution operates in a fully isolated environment: database schemas, authentication, storage, and application state are separated at the infrastructure level, ensuring that a security incident affecting one tenant cannot expose data from another.

Infrastructure as Code

All infrastructure configuration is version-controlled and deployed through automated pipelines. There are no manual server provisioning steps. Changes to infrastructure follow the same pull-request review process as application code, ensuring auditability and reproducibility.

Automatic scaling

Both Vercel and Supabase provide automatic horizontal scaling. The application layer scales to zero when idle and scales out in response to load without manual intervention. This eliminates capacity planning as a failure mode and ensures availability during peak usage periods such as exam seasons.

Encryption

Data in transit

All data transmitted between clients and Koji servers is encrypted using TLS 1.3. Older TLS versions (TLS 1.0, 1.1, 1.2) are not supported. HSTS (HTTP Strict Transport Security) headers are enforced across all endpoints with a minimum max-age of one year, so browsers refuse to fall back to plaintext HTTP and SSL-stripping downgrade attacks are prevented. Certificate transparency is enforced by the CDN layer.
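A practitioner verifying the HSTS claim above would parse the Strict-Transport-Security header and check its max-age against the stated one-year minimum. The checker below is an added example, not Koji's code; the sample headers are constructed, not captured from Koji's servers.

```python
"""Check Strict-Transport-Security headers against the policy stated on this page:
HSTS present on every endpoint with a max-age of at least one year."""
import re

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of directives (RFC 6797 syntax).
    Directive names are case-insensitive; a repeated directive makes the header invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def check_hsts(headers, min_age=ONE_YEAR):
    """Return (ok, reason) for a response-header mapping; header names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return False, str(exc)
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return False, "missing or malformed max-age"
    age = int(directives["max-age"])
    if age == 0:
        return False, "max-age=0 disables HSTS"  # a zero max-age tells browsers to forget the policy
    if age < min_age:
        return False, f"max-age {age} below required {min_age}"
    return True, "ok"


# Constructed sample responses for illustration (not captured from any real server).
SAMPLES = {
    "compliant": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=86400"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_hsts(hdrs))
```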

Data at rest

All data at rest, including database contents, file uploads, and backups, is encrypted using AES-256-GCM. Database encryption is managed natively by Supabase/AWS at the storage layer using AWS Key Management Service (KMS). Backup files are encrypted independently of the primary data store.

Key management

Encryption keys are managed through the key management services (KMS) provided by each infrastructure provider. Koji does not store, handle, or rotate encryption keys manually. Key rotation follows the schedules and policies of the respective provider KMS implementations.

Access controls

Role-based access control

Koji implements role-based access control (RBAC) at the application level. Permissions are assigned by role, not by individual user, and follow the principle of least privilege. Each role grants only the minimum permissions required for its function.

Authentication

Institutional users authenticate via native SAML SSO through Supabase, integrating with the university's identity provider (including SURFconext for Dutch institutions). This means Koji never stores or handles institutional passwords. Multi-factor authentication (MFA) is required for all administrative access to Koji systems, including production infrastructure and deployment pipelines.

Account policies

Shared accounts are not permitted. Every user, whether student, staff, or administrator, has an individual account with an auditable identity. Sessions are managed with configurable inactivity timeouts, and session tokens are invalidated on logout.

Network security

DDoS protection

Vercel's global edge network provides built-in distributed denial-of-service (DDoS) protection. Traffic is filtered at the edge before reaching application servers, mitigating volumetric and application-layer attacks.

Web Application Firewall

A Web Application Firewall (WAF) is deployed in front of the application layer, filtering malicious requests including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attack vectors.

API rate limiting

All API endpoints are rate-limited to prevent abuse and brute-force attacks. Rate limits are configured per endpoint based on expected usage patterns and are monitored for anomalies.

Database isolation

The database is not directly accessible from the public internet. All database communication occurs over private, encrypted connections between the application layer and Supabase. Inter-service communication is encrypted in transit at all times.

Penetration testing

Koji conducts annual independent penetration testing performed by a qualified third-party security firm. The scope of each engagement covers:

  • Web application testing against the OWASP Top 10 vulnerability categories
  • API security testing covering authentication, authorisation, input validation, and business logic flaws
  • Infrastructure testing of cloud configuration, network segmentation, and access controls
  • AI/ML-specific testing including prompt injection attacks, data extraction attempts, and model output manipulation

Critical and high-severity findings are remediated within 30 days of the final report. Medium-severity findings are tracked and remediated according to a risk-based prioritisation schedule.

An executive summary of the most recent penetration test is available to prospective and current institutional clients under a mutual non-disclosure agreement (NDA). Contact security@koji.so to request a copy.

Vulnerability management

Dependency scanning

Automated dependency scanning runs on every code change and on a scheduled basis. Known vulnerabilities in third-party packages are flagged and prioritised for remediation based on severity and exploitability.

Patching

Koji maintains a regular patching schedule. Critical security patches are applied within 48 hours of disclosure. Non-critical patches follow a standard release cycle. Infrastructure provider patches (Vercel, Supabase) are applied automatically by the respective platforms.

Responsible disclosure

Koji publishes a responsible disclosure policy (see below) and monitors security advisories for all dependencies used in production.

Incident response

Incident response plan

Koji maintains a documented incident response plan structured around five phases:

  1. Detection and identification: automated monitoring, alerting, and log analysis identify potential incidents. Severity is classified as critical, high, medium, or low based on impact to data confidentiality, integrity, or availability.
  2. Triage and containment: the incident is assessed, affected systems are isolated, and immediate containment measures are applied to prevent further impact.
  3. Eradication: the root cause is identified and eliminated. Affected systems are cleaned, patched, or rebuilt as necessary.
  4. Recovery: services are restored from known-good state. Data integrity is verified. Systems are monitored for recurrence.
  5. Post-incident review: a root cause analysis is conducted and findings are documented (see below).

The plan assigns clear roles and responsibilities and includes escalation paths for each severity level.

Breach notification

In the event of a personal data breach, Koji will notify the data controller (the institution) within 24 hours of becoming aware of the breach. This is ahead of the GDPR requirement of 72 hours and reflects our commitment to transparency with institutional partners. The notification will include:

  • The nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

Post-incident review

Every security incident is followed by a post-incident review and root cause analysis. Findings are documented and fed back into the security programme to prevent recurrence. Where relevant, lessons learned are shared with affected institutions.

Tabletop exercises

The incident response plan is tested annually through tabletop exercises that simulate realistic breach scenarios. These exercises validate the response process, identify gaps, and ensure the team is prepared to execute the plan under pressure.

Business continuity

Recovery objectives

Koji targets a Recovery Point Objective (RPO) of 24 hours, meaning that in a worst-case data loss scenario, no more than 24 hours of data would be lost. The Recovery Time Objective (RTO) is 4 hours, meaning the service is designed to be restored within 4 hours of a major disruption.

Backups

Database backups are automated and run daily. Supabase additionally provides point-in-time recovery (PITR), allowing restoration to any point within the retention window. Backups are retained for a minimum of 30 days, stored in a separate availability zone from the primary data store, and encrypted at rest using AES-256. Backup restoration is tested periodically to verify recoverability and measure actual recovery times against the stated RTO.

Failover

The infrastructure supports multi-region failover capability. In the event of a regional outage at a hosting provider, traffic can be redirected to a secondary region. Disaster recovery procedures are documented and tested annually.

Employee security

All employees and contractors with access to production systems undergo background checks prior to receiving access. Security measures for internal staff include:

  • Security awareness training provided to all team members, with refresher sessions conducted periodically
  • Confidentiality agreements signed by every employee and contractor
  • Principle of least privilege applied to all internal access; production access is granted only to those who require it for their role
  • Access logging and review ensuring that access to sensitive systems is logged, auditable, and reviewed on a regular basis

Access is revoked promptly upon role change or departure.

Certifications and compliance standards

We believe in being transparent about what is certified today, what is in progress, and what is planned. The following reflects the current state as of May 2026.

In place today

  • SOC 2 Type II via infrastructure providers: both Vercel and Supabase hold SOC 2 Type II certifications. Koji relies on these certifications for infrastructure-level controls and makes their reports available upon request.
  • SURF security questionnaire: completed and available for institutional review.
  • GDPR/AVG compliance: documented across our GDPR policy and Data Processing Agreement.

In progress

  • ISO 27001 certification: Koji has begun the implementation of an Information Security Management System (ISMS) aligned with ISO 27001. The target for certification is Q4 2026. This will provide independent, audited assurance of our security controls and processes.

Planned

  • SOC 2 Type II (Koji-specific): following ISO 27001 certification, we plan to pursue a Koji-specific SOC 2 Type II audit to complement the infrastructure-provider certifications already in place.

We are happy to discuss our certification timeline in more detail and to provide evidence of controls that are in place today, even where formal certification is still in progress.

Responsible disclosure

We welcome reports of security vulnerabilities from the research community and the public. If you believe you have found a security issue in Koji, please report it to us responsibly.

How to report

Send a detailed description of the vulnerability, including steps to reproduce, to security@koji.so. Please include your contact information so we can follow up if needed.

Our commitments

  • Acknowledge receipt of your report within 48 hours
  • Provide an initial assessment within 5 business days
  • Work to resolve confirmed vulnerabilities within 90 days, with critical issues prioritised for faster remediation
  • Keep you informed of progress toward resolution, where permitted
  • Not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy

We ask that reporters do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them, and that testing does not access, modify, or delete data belonging to other users.

Questions

For security questionnaires, penetration test summaries, or any security-related enquiry, contact security@koji.so or schedule a call with the team.

For the formal Art. 32 GDPR technical and organisational measures document, see the TOM page.