Last updated: May 2026
Sub-processors
Complete register of third-party sub-processors that process personal data on behalf of Koji for Education, including their locations, purposes, and data processing agreement status.
What are sub-processors?
Sub-processors are third-party service providers that process personal data on Koji's behalf in order to deliver the Koji for Education platform. As processor, Koji engages sub-processors only with the controller's prior consent, as specified in the Data Processing Agreement (DPA). Any changes to the sub-processor register are notified to the controller at least 30 days in advance of the change taking effect.
Each sub-processor listed below operates under a signed Data Processing Agreement that imposes obligations equivalent to those in Koji's own DPA with the controller. Koji remains fully liable for the acts and omissions of its sub-processors in relation to the processing of personal data.
Sub-processor register
| Sub-processor | Purpose | Data processed | Location | DPA status |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, CDN | Application data, session data, server logs | EU (Frankfurt) | Signed |
| Supabase Inc. (AWS Frankfurt) | Database hosting, authentication (SAML SSO), storage | All persistent data (conversations, user accounts, reports). Fully isolated per institution. | EU (Frankfurt, AWS eu-central-1) | Signed |
| PostHog Inc. | Product analytics and session replay | Anonymised usage events, page views (no PII stored) | EU (Frankfurt) | Signed |
LLM infrastructure and data sovereignty
Koji does not operate its own LLM inference infrastructure and does not list LLM providers as sub-processors. Instead, each university connects Koji to their own enterprise LLM accounts. Conversation data flows through the institution's existing enterprise AI agreements, meaning the university retains full control over the model provider relationship, data processing terms, and residency requirements.
This architecture has a significant compliance advantage: student conversation data never passes through a third-party AI provider that Koji controls. The university's own enterprise agreement governs how the LLM provider handles input and output data, and the institution can verify those terms directly with their provider.
For institutions that do not have an existing enterprise LLM agreement, Koji offers EU-native LLM alternatives on request. In that configuration, the EU-native provider would be added to the sub-processor register with the controller's prior consent, and a Data Processing Agreement would be executed before any data is processed.
Tenant isolation
Each institution operates in a fully isolated environment. Database schemas, authentication, storage, and application state are separated at the infrastructure level. In the event of a security incident affecting one tenant, no data from other institutions is exposed or affected. This isolation is enforced at the Supabase (AWS Frankfurt) layer and verified through regular security testing.
Change notification
When Koji intends to add a new sub-processor or replace an existing one, the controller is notified at least 30 days before the change takes effect. The notification includes the identity of the new sub-processor, its location, the purpose of the processing, and the categories of personal data involved.
The controller may object to the proposed change within the 30-day notice period. If the controller raises an objection, Koji will make reasonable efforts to provide an alternative solution that avoids the use of the objected-to sub-processor. If the objection cannot be resolved to the controller's reasonable satisfaction, the controller may terminate the Data Processing Agreement in accordance with the termination provisions of the DPA, without penalty.
Contact
For questions about sub-processors, to request copies of sub-processor DPAs, or to subscribe to change notifications, contact compliance@koji.so.