Koan operates within relevant local laws and regulations, including the European Union’s General Data Protection Regulation (GDPR).
Koan complies with the AICPA’s Service Organization Controls (SOC 2) Trust Services Principles.
- Single Sign-On
Koan integrates with providers like Okta, Google, Office 365, and Onelogin to enable Single Sign-On (SSO) to the Koan platform.
The features and data within Koan organizations are protected by customizable role-based access control (RBAC).
- Passwords and credentials
Passwords and credentials are stored using an industry-standard password-hashing function (bcrypt) rather than in plaintext or as a plain cryptographic digest.
- Payments and PCI compliance
All payments made to Koan are processed by our partner, Stripe. Learn more about their security practices and PCI compliance on their security page.
- Encryption in transit
Access to the Koan platform is secured using 256-bit encryption and a strong cipher suite (TLS >= v1.2). We require HTTP Strict Transport Security (HSTS) for all communication between our applications and APIs.
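The two controls in this item, a TLS 1.2 floor with a restricted cipher suite and a mandatory HSTS policy, can both be checked in code. The following is an added illustration, not code from Koan's platform: it builds a Go `tls.Config` enforcing the stated minimum version with AEAD, forward-secret suites, and a parser/validator for the `Strict-Transport-Security` header a defender would run against a response to confirm the policy is present and its `max-age` is long enough. The header value and the one-year threshold are constructed sample inputs.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// MinimumTLSConfig refuses anything older than TLS 1.2 and, for TLS 1.2,
// only offers ECDHE (forward-secret) suites with AES-GCM. Go does not allow
// configuring TLS 1.3 suites; they are all AEAD and remain available.
func MinimumTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses directives such as "max-age=31536000; includeSubDomains".
// Directive names are case-insensitive per RFC 6797; max-age is mandatory.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		d := strings.TrimSpace(raw)
		if d == "" {
			continue
		}
		name, arg, hasArg := strings.Cut(d, "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			if !hasArg {
				return p, errors.New("max-age directive without a value")
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(arg), `"`), 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", arg)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive missing")
	}
	return p, nil
}

// CheckHSTS returns an error when the header is absent, malformed, or its
// max-age is below minMaxAge seconds (one year is the common minimum).
func CheckHSTS(headerValue string, minMaxAge int64) error {
	if headerValue == "" {
		return errors.New("Strict-Transport-Security header missing")
	}
	p, err := ParseHSTS(headerValue)
	if err != nil {
		return err
	}
	if p.MaxAge < minMaxAge {
		return fmt.Errorf("max-age %d below required %d", p.MaxAge, minMaxAge)
	}
	return nil
}

func main() {
	// Constructed sample header value, not captured from any real server.
	const sample = "max-age=31536000; includeSubDomains"
	fmt.Printf("TLS floor: 0x%04x\n", MinimumTLSConfig().MinVersion)
	fmt.Println("HSTS check:", CheckHSTS(sample, 31536000))
}
```

`MinimumTLSConfig` is what you would hand to `http.Server{TLSConfig: ...}`; `CheckHSTS` is the assertion to add to an integration test that fetches the login page over HTTPS.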
- Private cloud
Koan’s services run inside a Virtual Private Cloud (VPC) configured to prevent unauthorized access to internal networks. We’ve also deployed intrusion detection (IDS) and OS-level monitoring tools to guard against access to applications and services.
- Backup and logging
Customer data are backed up nightly and retained for 35 days to ensure data integrity in the event of primary data loss. Application, network, and user access are logged and retained for at least one year.
- Encryption at rest
Data in Koan are encrypted at rest using keys managed by AWS Key Management Service (KMS) and a robust authenticated cipher (AES-GCM). Learn more about KMS on their FAQs page.
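KMS-backed encryption at rest is normally done as envelope encryption: the master key never leaves KMS, a per-record data key is generated and wrapped by it, and the record itself is sealed with AES-GCM under the data key. The following added example (not Koan's code) shows that pattern end to end in Go; the `fakeKMS` type is a constructed stand-in for the KMS `GenerateDataKey`/`Decrypt` calls so the code runs offline, and the key ID and record contents are sample values. The key ID is bound into the wrapped key as GCM associated data, so a wrapped key cannot be replayed under a different key ID, and any bit flipped in the stored ciphertext fails authentication rather than decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmSeal encrypts plaintext under key with a fresh random 96-bit nonce and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; it fails on truncation or any modification.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// fakeKMS is a CONSTRUCTED stand-in for AWS KMS: it holds a 256-bit master
// key that is never exported and only wraps or unwraps data keys.
type fakeKMS struct{ masterKey []byte }

func NewFakeKMS() (*fakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &fakeKMS{masterKey: k}, nil
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit data key is
// returned both in plaintext (for immediate use) and wrapped under keyID.
func (k *fakeKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = gcmSeal(k.masterKey, plain, []byte(keyID))
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt: unwrap a data key, checking the keyID binding.
func (k *fakeKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	return gcmOpen(k.masterKey, wrapped, []byte(keyID))
}

// Envelope is what gets stored: the wrapped data key travels with the record.
type Envelope struct {
	KeyID      string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptRecord seals one record under its own data key; the plaintext data
// key is discarded as soon as the record is sealed.
func EncryptRecord(kms *fakeKMS, keyID string, record []byte) (*Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dataKey, record, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key via KMS, then opens the record.
func DecryptRecord(kms *fakeKMS, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	kms, _ := NewFakeKMS()
	env, _ := EncryptRecord(kms, "alias/example-records", []byte("sample objective text"))
	pt, err := DecryptRecord(kms, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

In production the `fakeKMS` methods map onto the real KMS API calls with a CMK ARN as `KeyID`; the envelope layout and the associated-data binding stay the same.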
- Employee access to data
Employees complete training in data-handling practices, with direct access to customer data controlled on a tightly restricted, “need-to-know” basis.
- Data hosting
All application servers with direct access to customer data are hosted in Amazon Web Services facilities in us-west-2 (Oregon, USA). Learn more about their data-center security on their controls page.
A full SOC 2 report is available on request to Koan Enterprise customers.
A summary of our latest penetration test is available on request to Koan Enterprise customers.
Current and historic incidents affecting Koan’s availability are available on our status page.
Have a question about security, privacy, or trust that this page didn’t answer? Send us an email at email@example.com.