Security you can take to your security team.
Enterprise-grade security is table stakes, not a selling point. Here's exactly how Koalr handles your data, who can access it, and what we're working toward on compliance.
Infrastructure overview
Hosted on Vercel + Railway
US-based cloud infrastructure. Both Vercel and Railway are SOC 2 Type II certified. No data leaves US-based data centers.
PostgreSQL + Redis
All data encrypted at rest using AES-256. Daily automated backups with point-in-time recovery. Isolated per-tenant database schemas.
Anthropic AI
Your data is never used to train Anthropic's models. Per Anthropic's API terms, data sent via the API is not retained for model training purposes.
What Koalr accesses
✅ What we read
- Pull request metadata (title, author, timestamps, review status)
- Deployment events (deployments, status, environment)
- Incident and alert data (PagerDuty, OpsGenie, Incident.io)
- Code coverage reports (Codecov, SonarCloud)
- CODEOWNERS file structure
- Commit metadata (hash, author, timestamp, files changed — not content)
🚫 What we never read
- Source code file contents
- Secrets, credentials, or environment variables
- Pull request diffs or code review comments
- Passwords or API tokens from your repositories
- Private repository contents beyond commit metadata
Authentication
Identity management via Clerk
Clerk is SOC 2 Type II certified. SAML SSO (and OIDC) is available on the Business plan for organizations that require centralized identity providers.
JWT-based API authentication
Every API request is authenticated using short-lived Clerk JWTs. Tokens are verified server-side on every request. There are no long-lived API keys exposed to clients.
Organization-level data isolation
Each organization's data is completely isolated. A user from Org A cannot access data from Org B under any circumstance — enforced at the API layer on every request via tenant isolation middleware.
Compliance roadmap
| Standard | Status | Details |
|---|---|---|
| GDPR | ✅ In progress | DPA available on request. Subprocessors listed at /legal/subprocessors. |
| SOC 2 Type II | 🗓️ Planned | Evidence collection starting Q2 2026. Report expected Q4 2026. |
| HIPAA | ❌ Not applicable | Not applicable — Koalr processes no health data. |
| PCI DSS | ❌ Not applicable | Not applicable — Koalr processes no payment card data. |
| Data Privacy Framework (DPF) | ✅ In progress | Self-certification in progress. |
Subprocessors
Full list available at /legal/subprocessors. We will notify customers of any new subprocessors 30 days in advance.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Web application hosting | USA |
| Railway | API and worker hosting | USA |
| Clerk | Authentication and identity management | USA |
| Anthropic | AI language model (Claude) | USA |
| GitHub | OAuth and source control integration | USA |
| Atlassian (Jira) | Project management integration | USA |
| ClickHouse Cloud | Historical metrics analytics | USA |
Security questions?
Reach our security team directly at security@koalr.com.
We appreciate responsible disclosure. Please email us before publishing any vulnerabilities so we have the opportunity to investigate and remediate.