Skip to main content

SECURITY

Enterprise-grade security
From day one.

ISO 27001:2022 certified. Your data is never used to train AI models without explicit written consent. What goes in, stays yours.

CERTIFICATION

ISO 27001:2022 certified

ISO 27001:2022 is the international standard for information security management. It is the certification enterprise procurement and Series D security reviews look for first. Kojo is certified from founding — not as a milestone, but as a requirement.

WHAT CERTIFICATION MEANS

Annual third-party audit of our information security management system
Documented risk assessment and treatment processes
Access control, encryption, and incident response at standard
Continuous monitoring and improvement obligations

Scope: Kojo's platform operations, client data processing, and the EZ Works delivery infrastructure powering the expert layer.

Recertification: Annual. Certification status is current and confirmed by the issuing body.

DATA HANDLING

Five principles that govern how we handle your data

01

Your data is never used to train AI models.

Your briefs, deliverables, and brand context are not used to train, fine-tune, or improve AI models — by Kojo, our AI providers, or any third party — without your explicit written consent. This is contractual and audited.

02

All content is encrypted at rest and in transit.

Brief inputs, in-progress drafts, and final deliverables are encrypted using AES-256 at rest and TLS 1.3 in transit — from submission to download.

03

Brief data is isolated per client. No cross-contamination.

Your brief content, brand context, and deliverables are stored in an isolated environment. No content from one client's account is accessible to another client's processing session.

04

Expert access is need-to-know only, logged, and audited.

Assigned experts access only what they need to complete your brief. All access events are logged with timestamp and expert identifier. Logs are retained for 12 months and available on request for enterprise accounts.

05

Data residency options available for EU and UK clients.

For clients under GDPR or UK GDPR, Kojo offers EU-based data residency. A Data Processing Agreement (DPA) is available on request and is standard for enterprise accounts.

ENTERPRISE CONTROLS

Enterprise workspace controls

For Series C and D accounts engaging Kojo at scale:

Dedicated workspace isolation

Enterprise accounts operate in a logically isolated workspace — separate from standard infrastructure. No shared resources with standard-tier accounts.

Single sign-on (SSO)

SAML 2.0 SSO with your identity provider (Okta, Azure AD, Google Workspace). Employee offboarding revokes Kojo access immediately via your IdP.

Role-based permissions

Four levels: Owner, Admin, Submitter, Viewer. Submitter can brief and review outputs but cannot purchase credits or export data. Viewer has read-only access to completed deliverables.

Audit log access

Full log of all account activity — briefs, approvals, credit purchases, downloads, and team actions. Exported on request or via API.

Custom data retention

Standard retention: 24 months post-delivery. Enterprise accounts configure custom periods to comply with internal data governance policies.

NDA with experts

All experts operate under confidentiality obligations covering brief content and deliverables. Enterprise accounts can request a client-specific NDA with the Kojo entity.

Ready to discuss enterprise requirements?

Talk to the team →

Security questions

Brief content is visible to: (1) the subject matter expert assigned to your brief — need-to-know access, logged and audited; (2) Kojo's quality assurance team if a Delivery Assurance claim is raised; (3) Kojo's senior team if an escalation is required. No other parties have access. AI processing uses brief content in an isolated session; the brief is not retained by the AI model provider beyond the processing window.

Yes. Kojo processes personal data in accordance with GDPR for EU and EEA clients and UK GDPR for UK clients. Personal data contained in briefs is processed under a lawful basis. A Data Processing Agreement (DPA) is available on request and is standard for enterprise accounts.

Yes. A standard DPA is available for all accounts. Contact us to request it — standard accounts receive the DPA within 2 business days; enterprise accounts negotiate a custom DPA as part of the onboarding process.

Standard accounts: EU-based cloud infrastructure (EU West region). UK accounts: UK data residency available on request. US accounts: US-based infrastructure by default. Enterprise accounts can specify data residency during onboarding.

Brief data and deliverables are retained for 30 days after cancellation, during which you can export them. After 30 days, all data is permanently deleted from Kojo's systems. A deletion confirmation is issued on request.

Questions about our security posture?

Our security overview covers certification scope, data handling in detail, and the enterprise controls available for Series C–D accounts.