# Data Residency & Security at Koalr

*Where your data lives, how it's protected, and what we never access.*

## What we store and where

| Data Category | What we store | Region | Retention |
|---|---|---|---|
| GitHub PR metadata | Titles, numbers, authors, timestamps, file names (NOT code content) | US (Railway PostgreSQL) | 2 years |
| Jira issue metadata | Issue keys, titles, assignees, status, cycle times (NOT descriptions) | US | 2 years |
| Deployment events | Deploy timestamps, service names, outcomes (NOT deployment scripts) | US | 2 years |
| Risk model inputs | Computed signal values (NOT source code) | US | 1 year |
| AI chat messages | Your chat queries + AI responses (context includes metric summaries, NOT code) | US | 90 days |
| Authentication | Managed entirely by Clerk — Koalr does not store passwords or session tokens | US (Clerk) | Clerk retention policy |

## What we NEVER access

- **Source code content.** We analyze file paths and change entropy, not file contents.
- **Credentials, secrets, or API keys in repositories.** We never read file contents, only file paths and diff statistics.
- **Jira ticket descriptions or comment content.** We sync issue keys, titles, assignees, and status transitions only.
- **PagerDuty runbook content.** We use incident timestamps and service associations — not runbook text.

## Infrastructure providers

- **Railway:** NestJS API, PostgreSQL, Redis — US-based infrastructure
- **Vercel:** Next.js marketing site and app — global edge with US data origin
- **Clerk:** JWT issuance, multi-tenant orgs, SAML SSO — Koalr never touches passwords
- **PostgreSQL on Railway:** AES-256 encryption at rest, automated daily backups, point-in-time recovery
- **Redis (Railway-managed):** API response cache only — no PII persisted in Redis

## EU Data Residency

Currently US-only hosting. EU regional deployment on Railway is planned for 2026 Q3. Enterprise customers requiring EU residency today: contact us — we can expedite.

## SOC 2 Type II

SOC 2 Type II audit initiated. Report expected Q3 2026. We will share the report under NDA with any customer in procurement review.

## GDPR

Standard DPA available upon request. Koalr acts as data processor; your organization is the data controller. See our DPA page for the full agreement.

## Questions about your specific compliance requirements?

Security reviews, custom DPAs, and pen test reports are available under NDA.

Email security@koalr.com