Last updated: May 2026
Technical & organisational measures
Article 32 GDPR technical and organisational measures (TOM) implemented by Koji B.V. to protect personal data processed through Koji for Education. Structured according to the eight classical TOM categories used in German and Dutch data protection practice.
Purpose and scope
This document describes the technical and organisational measures (TOM) that Koji B.V. implements to ensure a level of security appropriate to the risk, in accordance with Article 32 of the General Data Protection Regulation (EU 2016/679). These measures form an integral part of the Data Processing Agreement between Koji and each institutional controller.
The measures described here apply to all personal data processed through the Koji for Education platform, including student conversation data, instructor data, and administrative data. They are reviewed and updated at least annually, and whenever significant changes to the processing environment occur.
1. Physical access control
Measures to prevent unauthorised persons from gaining physical access to data processing equipment.
Koji does not operate its own data centres or on-premises servers. All data processing infrastructure is hosted by cloud service providers that maintain their own physical access controls:
- Supabase (AWS Frankfurt, eu-central-1): AWS data centres implement multi-layered physical security including perimeter fencing, 24/7 security staff, CCTV surveillance, biometric access controls, mantrap entry points, and visitor logging. AWS holds ISO 27001, SOC 2 Type II, and C5 certifications. Physical access is restricted to authorised AWS personnel with background checks.
- Vercel (edge compute): Vercel operates on AWS and other cloud infrastructure providers. The same physical security measures apply at the infrastructure layer. Vercel holds SOC 2 Type II certification.
Koji employees do not have physical access to any data centre environment. All system administration is performed remotely over encrypted connections with multi-factor authentication.
2. Logical access control
Measures to prevent unauthorised use of data processing systems.
- Authentication: institutional users authenticate via native SAML SSO through the university's identity provider (including SURFconext for Dutch institutions). Koji never stores or handles institutional passwords.
- Multi-factor authentication: MFA is required for all administrative access to production infrastructure, deployment pipelines, and Koji internal systems.
- Session management: sessions are managed with configurable inactivity timeouts. Session tokens are invalidated on logout and cannot be reused.
- No shared accounts: every user, whether student, staff, or administrator, has an individual account with an auditable identity.
- Password policy (internal systems): minimum 16 characters, complexity requirements, no password reuse. Where possible, passwordless authentication (hardware keys, passkeys) is used.
- Automated lockout: repeated failed authentication attempts trigger rate limiting and account lockout.
3. Data access control
Measures to ensure that authorised users can only access data they are entitled to, and that personal data cannot be read, copied, modified, or removed without authorisation.
- Role-based access control (RBAC): permissions are assigned by role (student, instructor, programme manager, administrator, operations admin), not by individual user. Each role grants only the minimum permissions required for its function, following the principle of least privilege.
- Tenant isolation: each institution operates in a fully isolated environment. Database schemas, authentication, storage, and application state are separated at the infrastructure level. Data from one institution is never accessible to another.
- Row-level security (RLS): Supabase row-level security policies enforce data access boundaries at the database layer. Even if an application-level bug occurs, the database itself prevents cross-tenant or cross-role data access.
- PII redaction: personally identifiable information is automatically redacted from conversation data before it appears in summaries and reports accessible to instructors and programme managers.
- Internal access: Koji staff access to production data is restricted to a limited number of authorised personnel, logged, and subject to the principle of least privilege. Access is reviewed quarterly.
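The tenant- and role-bound row-level security described above, shown as an added illustration that is not Koji's own schema or policy code; the table, column names, and the placement of tenant and role claims under `app_metadata` in the Supabase JWT are assumptions.

```sql
-- Constructed table standing in for student conversation data (not Koji's schema).
create table if not exists conversations (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,        -- institution the row belongs to
  student_id uuid not null,        -- auth.users.id of the student
  body       text not null
);

-- Enable RLS and force it so that even the table owner cannot bypass the policies.
alter table conversations enable row level security;
alter table conversations force row level security;

-- Assumed claim layout: Supabase auth puts custom claims under app_metadata.
create or replace function current_tenant() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

create or replace function current_role_name() returns text
language sql stable as $$
  select auth.jwt() -> 'app_metadata' ->> 'role'
$$;

-- Students: only their own rows, and only inside their own tenant.
create policy student_reads_own on conversations
  for select to authenticated
  using (tenant_id = current_tenant()
         and current_role_name() = 'student'
         and student_id = auth.uid());

-- Instructors: rows in their tenant only (PII redaction is handled at the
-- application layer before summaries are produced, per section 3).
create policy instructor_reads_tenant on conversations
  for select to authenticated
  using (tenant_id = current_tenant()
         and current_role_name() = 'instructor');

-- Inserts must carry the caller's tenant and identity; no cross-tenant writes.
create policy student_writes_own on conversations
  for insert to authenticated
  with check (tenant_id = current_tenant() and student_id = auth.uid());

-- Check from a SQL console: simulate a student token from tenant A and confirm
-- that rows from tenant B are invisible (expect a count of 0).
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-0000000000a1","role":"authenticated",'
  '"app_metadata":{"tenant_id":"00000000-0000-0000-0000-0000000000aa","role":"student"}}',
  true);
set local role authenticated;
select count(*) from conversations
 where tenant_id <> '00000000-0000-0000-0000-0000000000aa';
```

Because RLS is forced, a query that omits the tenant filter (the typical application-level bug) still returns only the caller's rows, which is the defence-in-depth property the measure relies on.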
4. Transfer control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorisation during electronic transfer or storage, and that the recipients of data transfers can be verified.
- Encryption in transit: all data transmitted between clients and Koji servers is encrypted using TLS 1.3. Older TLS versions are not supported. HSTS (HTTP Strict Transport Security) headers are enforced across all endpoints, so browsers refuse to downgrade from HTTPS to plaintext HTTP.
- Encryption at rest: all data at rest is encrypted using AES-256-GCM. This includes database contents, file uploads, and backups. Encryption is managed natively by Supabase/AWS at the storage layer.
- Key management: encryption keys are managed through AWS Key Management Service (KMS). Koji does not store, handle, or rotate encryption keys manually. Key rotation follows AWS KMS automated schedules.
- No unencrypted transfer: personal data is never transferred over unencrypted channels. Email is not used to transfer personal data.
- EU data residency: all personal data is stored and processed within the European Union (AWS Frankfurt, eu-central-1). No personal data is transferred outside the EEA as part of standard platform operation.
- Sub-processor oversight: all sub-processors operate under signed Data Processing Agreements with equivalent data protection obligations. The complete sub-processor register is published at /edu/compliance/sub-processors.
5. Input control
Measures to ensure that it is possible to verify and establish whether and by whom personal data has been entered, modified, or removed from data processing systems.
- Audit logging: all significant data operations are logged, including user authentication events, data access events, configuration changes, and administrative actions. Logs include timestamps, user identifiers, action types, and affected resources.
- Immutable audit trail: audit logs are stored separately from application data and are protected against modification or deletion.
- Log retention: server logs and audit logs are retained for 90 days for security monitoring and incident investigation.
- Version control: all application code and infrastructure configuration is version-controlled in Git. Every change is attributable to an individual, reviewed via pull request, and deployed through automated pipelines.
6. Commissioning control
Measures to ensure that personal data processed on behalf of the controller is processed solely in accordance with the controller's instructions.
- Data Processing Agreement: every institutional deployment is governed by a signed DPA aligned with the SURF Model Verwerkersovereenkomst v4.0. The DPA documents the subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects.
- Documented instructions: Koji processes personal data solely on the documented instructions of the controller, except where required by EU or Member State law.
- Sub-processor approval: sub-processors are engaged only with the controller's prior consent. Changes to sub-processors are notified at least 30 days in advance.
- Audit rights: the controller has the right to audit Koji's compliance with the DPA, either directly or through a mandated independent auditor.
- Employee obligations: all Koji employees and contractors are bound by confidentiality agreements and receive data protection training.
- No independent use: Koji does not use personal data for its own purposes, does not combine data across institutions, and does not use personal data to train AI models.
7. Availability control
Measures to ensure that personal data is protected against accidental destruction or loss.
- Automated backups: database backups run daily and are stored in a separate availability zone from the primary data store. Backups are encrypted at rest using AES-256.
- Point-in-time recovery: Supabase provides point-in-time recovery (PITR), allowing restoration to any point within the backup retention window.
- Backup retention: backups are retained for a minimum of 30 days.
- Backup testing: backup restoration is tested periodically to ensure recoverability.
- Recovery objectives: Koji targets a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 4 hours.
- Automatic scaling: both Vercel and Supabase provide automatic horizontal scaling. The application scales out in response to load without manual intervention, ensuring availability during peak usage periods such as exam seasons.
- DDoS protection: Vercel's global edge network provides built-in distributed denial-of-service protection. Traffic is filtered at the edge before reaching application servers.
- Disaster recovery: disaster recovery procedures are documented and tested annually. In the event of a regional outage, traffic can be redirected to a secondary region.
8. Separation control
Measures to ensure that personal data collected for different purposes is processed separately.
- Multi-tenant isolation: each institution operates in a fully isolated environment. Database schemas, authentication, storage, and application state are separated at the infrastructure level. A security incident affecting one tenant cannot expose data from another.
- Purpose limitation: personal data is used exclusively for the purposes specified in the Data Processing Agreement. Data collected for course evaluation is not used for any other purpose.
- Environment separation: development, staging, and production environments are strictly separated. No production data is used in development or testing environments.
- Role separation: role-based access controls ensure that different user roles can only access data relevant to their function. Students see their own conversations. Instructors see anonymised, aggregated reports for their courses. Programme managers see programme-level summaries. Administrators see operational dashboards.
Review and updates
These technical and organisational measures are reviewed at least annually and updated as necessary to reflect changes in the processing environment, threat landscape, or regulatory requirements. Material changes are communicated to the controller in accordance with the terms of the Data Processing Agreement.
The most recent review was conducted in May 2026.
Contact
For questions about these measures, to request additional technical documentation, or to arrange a security assessment, contact security@koji.so. For DPA and compliance enquiries, contact compliance@koji.so.