Enterprise-grade security is not an afterthought. It is foundational to everything we build. Every layer of KoraSafe is designed for strict tenant isolation, regulatory compliance, and defence in depth.
Every organization's data is cryptographically separated at the database level. There is no shared state between tenants.
PostgreSQL RLS policies enforce that every query is scoped to the authenticated organization. No query can cross tenant boundaries, even in the event of application-layer bugs.
All tables carry an org_id foreign key. API tokens, session tokens, and service accounts are bound to a single organization. Cross-org access is architecturally impossible.
Flexible, standards-based authentication that meets the requirements of regulated enterprises.
SAML 2.0 and OpenID Connect support for enterprise identity providers including Okta, Azure AD, Google Workspace, and OneLogin. Enforce SSO-only access per organization.
TOTP-based MFA available for all accounts. Organizations can mandate MFA for every member. Backup codes provided for account recovery.
Fine-grained RBAC with predefined roles (Owner, Admin, Analyst, Viewer) and custom role support. Permissions are enforced at the API layer and in the UI.
Configurable session expiry, automatic idle timeout, and forced re-authentication for sensitive operations. All sessions are logged in the audit trail.
Data is encrypted at every stage of its lifecycle, whether at rest in our databases or in transit between services.
All data at rest is encrypted using AES-256. Database volumes, backups, and object storage are encrypted with provider-managed keys. We support customer-managed encryption keys (CMEK) for enterprise plans.
All connections use TLS 1.3. Internal service-to-service communication is encrypted. API endpoints enforce HTTPS with HSTS headers and certificate pinning for mobile clients.
Every action taken on the platform is recorded in an append-only, tamper-evident audit log.
Audit records are written to an append-only store. No user, including administrators, can modify or delete audit entries. Logs capture the actor, action, resource, timestamp, and IP address.
Filter audit logs by user, action type, resource, date range, or IP. Export logs in JSON or CSV for integration with your SIEM. Retention policies configurable per organization.
Guardian agents and customer-registered AI agents operate within strict organizational boundaries.
Each Guardian agent instance is scoped to a single organization. Agent configurations, evaluation results, and monitoring data never leak across tenant boundaries.
Agent evaluations run in isolated execution contexts. No agent can access another organization's data, models, or configuration. Resource limits prevent runaway processes.
KoraSafe is built to meet the security and compliance expectations of regulated enterprises.
Our security controls are aligned with the SOC 2 Trust Services Criteria. We maintain continuous monitoring against the Security, Availability, and Confidentiality principles.
Data processing agreements, data subject access request workflows, right-to-erasure support, and lawful basis documentation are built into the platform. EU data residency available.
KoraSafe helps customers comply with the EU AI Act and uses the same framework internally. Risk classification, documentation, and human oversight requirements are met by design.
We provide completed SIG Lite questionnaires, penetration test summaries, and architecture documentation to support your vendor due diligence process.
We use our own governance platform to monitor our own AI agents. The guardians guard themselves.
KoraSafe's Guardian agents (PII Sentinel, Bias Auditor, Hallucination Detector, Cost Watchdog, Drift Monitor, Compliance Checker) are registered in our own AI Registry and monitored continuously.
We publish internal governance metrics including agent accuracy rates, false positive rates, and intervention counts. Our customers can inspect how our agents behave on their data.
A documented, tested incident response plan ensures rapid detection, containment, and communication.
Automated alerting on anomalous access patterns, failed authentication spikes, and data exfiltration signals. On-call engineers are paged within 5 minutes of a confirmed alert.
Affected customers are notified within 72 hours per GDPR requirements, and sooner for critical incidents. Post-incident reviews are published with root cause analysis and remediation steps.