Trust and security at KoraSafe.

Security is foundational, not bolted on. Every layer of KoraSafe enforces strict tenant isolation, maps to regulatory obligations, and runs defense in depth.

Current status KoraSafe platform: Operational

Status page states include Operational, Degraded, and Incident for customer-facing updates.

View status page
Data isolation

Multi-tenant data isolation

Every organization's data is cryptographically separated at the database level. There is no shared state between tenants.

Row-level security (RLS)

Per-tenant row isolation enforces that every query is scoped to the authenticated organization. No query can cross tenant boundaries, even in the event of application-layer bugs.

Organization-scoped data

All tables carry an org_id foreign key. API tokens, session tokens, and service accounts are bound to a single organization. Cross-org access is architecturally impossible.

Authentication

Enterprise authentication

Flexible, standards-based authentication that meets the requirements of regulated enterprises.

Single sign-on (SSO)

SAML 2.0 and OpenID Connect support for enterprise identity providers. Enforce SSO-only access per organization.

Multi-factor authentication

TOTP-based MFA available for all accounts. Organizations can mandate MFA for every member. Backup codes provided for account recovery.

Role-based access control

Fine-grained RBAC with predefined roles (Owner, Admin, Analyst, Viewer) and custom role support. Permissions are enforced at the API layer and in the UI.

Session management

Configurable session expiry, automatic idle timeout, and forced re-authentication for sensitive operations. All sessions are logged in the audit trail.

Data protection

Data protection and tenant isolation

Cryptographic protection at rest and in transit, with strict tenant boundaries enforced at every layer of the runtime.

Encryption at rest

All data at rest is encrypted using AES-256. Database volumes, backups, and object storage are encrypted with provider-managed keys.

Encryption in transit

All connections use TLS 1.3. Internal service-to-service communication is encrypted. API endpoints enforce HTTPS with HSTS headers.

Per-organization agent scoping

Each Guardian agent instance is scoped to a single organization. Agent configurations, evaluation results, and monitoring data never leak across tenant boundaries.

Sandboxed execution

Agent evaluations run in isolated execution contexts. No agent can access another organization's data, models, or configuration. Resource limits prevent runaway processes.

Database security audit: clean

The most recent Supabase advisor sweep across the platform's public schema returned zero P0 findings. Every table enables row-level security in the same file it's created. No permissive write-path policies. Functions declare SET search_path = public, pg_catalog, pg_temp. Views run WITH (security_invoker = true). Materialized views are revoked from anon and authenticated roles by default. Scope is the public schema; the korasafe_edge schema RLS retrofit is tracked separately and in progress.

Audit

Immutable audit trails

Every action taken on the platform is recorded in an append-only, tamper-evident audit log.

Append-only logging

Audit records are written to an append-only store. No user, including administrators, can modify or delete audit entries. Logs capture the actor, action, resource, timestamp, and IP address.

Full searchability

Filter audit logs by user, action type, resource, date range, or IP. Export logs in JSON or CSV for integration with your SIEM.

Configurable retention windows

Each organization sets its own retention windows for findings, audit logs, and evidence packets, bounded between thirty days and ten years. Defaults: three years for findings, seven years for evidence packets, per-org default for audit logs. Configurable from the admin data-retention surface.

Compliance and AI

Compliance and responsible AI

We meet the compliance expectations of regulated enterprises and apply the same governance to our own AI agents.

SOC 2 controls mapped

Our security controls are mapped to the SOC 2 Trust Services Criteria. Type I assessment is in progress; Type II follows after Type I completion.

GDPR-aligned

Data subject access request workflows, right-to-erasure support, and consent management are built into the platform. Consent is one of six lawful bases under Art. 6; the full lawful-basis register is in Preview. EU data residency on the roadmap.

HIPAA Business Associate Agreement

KoraSafe is preparing a BAA framework for covered entities and their business associates. PHI minimum-necessary detection grounded in §164.502(b) and HIPAA-aligned governance evidence packages ship today. BAA execution is targeted alongside SOC 2 Type I completion. Email Contact-us@korasafe.ai to discuss your covered-entity needs.

Auditor evidence portal

External auditors review evidence under a time-boxed magic-link invitation. JWS-signed evidence packets, eight-hour session tokens, ninety-day access window. Multi-customer engagements run under a single auditor-firm grant, with cross-tenant RLS enforced per engagement. Auditor-firm SSO is coming soon.

EU AI Act framework support

KoraSafe maps your AI systems to EU AI Act obligations and surfaces the gaps you need to close.

Vendor security reviews

We provide completed SIG Lite questionnaires, penetration test summaries, and architecture documentation to support your vendor due diligence process.

Self-governing agents

KoraSafe's Guardian agents (PII Sentinel, Prompt Injection, Content Safety, Hallucination, Fairness, Behavioral Drift) are registered in our own AI Registry and monitored continuously.

Per-tenant agent telemetry

Customers inspect how the Guardian agents behave on their own data through the governance index, agent telemetry, and audit chain surfaces. Cross-tenant transparency reporting is on the roadmap.

Incident response

Incident response process

A documented, tested incident response plan ensures rapid detection, containment, and communication.

Detection & triage

Automated alerting on anomalous access patterns, failed authentication spikes, and data exfiltration signals. On-call engineers are paged on confirmed alerts.

Communication & resolution

KoraSafe commits to notifying affected customers of incidents on its own infrastructure within 72 hours per GDPR Article 33, and sooner for critical incidents. Post-incident reviews are published with root cause analysis and remediation steps. Customer-side breach detection and notification workflows are in Preview.

Operational security

Runtime protection and operational controls

Beyond infrastructure security, KoraSafe enforces runtime protections that keep the platform reliable and abuse-resistant.

Rate limiting

Every API endpoint is rate-limited per key and per IP. Standard headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) are returned on every response. Burst-friendly defaults with configurable overrides for enterprise customers.

Severity-based alert routing

Critical findings route to Slack DM and email. High-severity alerts route to team channels. Medium and low findings stay in-platform. Configurable per organization and per alert category.

SLA compliance tracking

Every alert tracks first_detected_at, acknowledged_at, and resolved_at. Dedicated SLA compliance endpoint reports breach rates per severity tier. Critical alert banner persists at the top of the platform until resolved.

Security headers

All responses include X-Content-Type-Options (nosniff), X-Frame-Options (DENY), Strict-Transport-Security (HSTS), Content-Security-Policy, and Referrer-Policy. Error responses never leak stack traces, file paths, or database internals.

Compliance posture

Status, target, evidence. No aspirational claims.

Every certification and control on the roadmap ships with a status, a target date, and the evidence an auditor can verify. If we do not have it yet, we say so.

ItemStatusTargetEvidence
SOC 2 Type IIn progressReadinessMapped
SOC 2 Type IIPlannedAfter Type INot yet
ISO 27001PlannedAfter SOC 2 IINot yet
ISO 42001 for AIIn progressControlsCatalog
SCIM provisioningPlannedAfter Type INot yet
WebAuthn for adminsPlannedAfter SCIMTOTP live today
Responsible disclosure

Find a weakness, tell us first

We run a safe-harbor program for good-faith security research. If you find a vulnerability, reach out before you publish and we will work it with you.

Disclosure channel

How to reach us.

  • Email Contact-us@korasafe.ai with "security" in the subject line.
  • We acknowledge within one business day.
  • Safe harbor for good-faith research.
  • PGP key published on the trust portal.

What we will share

Security package, under NDA where applicable.

  • SIG Lite questionnaire.
  • Data processing addendum.
  • Subprocessor list.
  • Data-flow diagrams.
  • Penetration-test summary.
  • Incident response runbook.