Last updated: 23 May 2026
Security Overview
This page describes how Korrali protects customer data and operates the service. We aim for honesty over claims — what we actually do, not what sounds good. Korrali is in early access; some controls below are baseline, and others mature as the company grows.
Encryption
- In transit: TLS 1.2 or higher (Let's Encrypt certificates) on all customer-facing endpoints. HSTS enabled with a one-year max-age.
- At rest: AES-256 encryption for the PostgreSQL database, application logs, and any object storage. Disk-level encryption via AWS EBS.
- Backups: encrypted, retained for 30 days, stored within the same AWS region as the primary database.
Infrastructure
- Hosted on Amazon Web Services (us-east-1 region).
- PostgreSQL 16 (managed on a dedicated instance, not a multi-tenant SaaS database).
- Network access to the database is restricted to localhost / VPC private addressing — no public Postgres endpoint.
- nginx reverse proxy with security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
Access control
- Two authentication methods: Google OAuth and email magic-link (no passwords stored).
- Database-backed sessions with secure, http-only cookies.
- Founder administrative access protected by two-factor authentication on every external service (Google, AWS, Paddle, GitHub, Linear, Resend).
- SSH access to production servers is restricted to a single key, stored only on operator devices, not in cloud secrets.
Application security
- All customer data is org-scoped at the database level. A user can only access organizations they are a member of.
- Code is reviewed before deploy; every push to main triggers automated build + type-checks before reaching UAT.
- Production deploys are gated behind manual confirmation.
- No customer secrets are committed to source control; environment files are stored only on the production server.
AI processing
When you generate answers, content is sent to a third-party large language model provider (Anthropic primary, OpenAI fallback). Both providers contractually agree not to train on customer data submitted via their API. See AI Usage Disclosure for details.
Vulnerability and incident response
- Dependencies are monitored for known CVEs; high-severity issues are patched within 7 days.
- Suspected security issues should be reported to security@korrali.com. We aim to acknowledge within 24 hours.
- If a security incident affects your data, we will notify you without undue delay (target: within 72 hours of confirmation).
Data location and residency
All customer data is stored in the United States (AWS us-east-1). We do not offer EU or other regional data residency at this stage. EU customers should review our Privacy Policy for cross-border transfer considerations.
Roadmap
Security investments we are planning as we scale: SOC 2 Type I (year 2), penetration testing program (year 2), expanded logging and SIEM integration (year 2), customer-managed encryption keys for Enterprise tier (year 3).
Contact
Security questions or disclosures: security@korrali.com.