Trust

Security at Koo

Last updated: 2026-05-19

Koo is the system of record for your website, your content and your leads. We take that responsibility seriously. This page summarises the controls we have in place. For technical details, a vendor list or a security questionnaire, email security@koo.co.

Infrastructure

  • Hosted on Cloudflare's global edge network and a managed Postgres provider audited to SOC 2 Type II.
  • All traffic served over HTTPS with TLS 1.2+ and HSTS enabled.
  • Free, auto-renewing SSL certificates for every custom domain.
  • Web Application Firewall, DDoS protection and bot management at the edge.

Data protection

  • Data encrypted in transit (TLS) and at rest (AES-256).
  • Daily encrypted database backups with 30-day retention.
  • Logical separation of customer data with row-level security policies in the database.
  • Secrets stored in a managed vault, never in source code.

Authentication and access

  • Passwords hashed with bcrypt. We never store plaintext passwords.
  • Optional two-factor authentication on every account.
  • Sign in with Google, with the option to disable password sign-in.
  • Internal access to production systems is limited to a short list of engineers, gated by SSO and audited.

Application security

  • Dependencies scanned daily for known vulnerabilities.
  • Automated tests run on every change before deploy.
  • Server-side validation on every user input; output encoded by default.
  • CSRF protection on all state-changing requests; bot protection (Turnstile) on public forms.

Incident response

Engineers are paged 24/7 for production incidents. If we discover a security incident affecting your data, we'll notify you without undue delay (and in any case within 72 hours when required by law) with what happened, what data was affected and what we're doing about it.

Responsible disclosure

If you believe you've found a security issue, please email security@koo.co with the details. We'll acknowledge within two business days and work with you on a fix. We don't currently run a paid bounty programme, but we publicly credit researchers who disclose responsibly.

Sub-processors

A current list of our sub-processors (Cloudflare, Supabase, Stripe, Resend, Postmark, OpenAI, Anthropic, Google) is available on request. Each is bound by a data-processing agreement.

Compliance

Koo is built to support GDPR and UK GDPR obligations and offers a Data Processing Agreement on request. We are working towards SOC 2 Type II. For specific compliance questions, contact security@koo.co.