Compliance

SOC 2

Where we are on SOC 2 Type II, what controls already cover us, and how to request reports.

Status

KolayLogin runs the engineering controls expected of a SOC 2 Type II program: change management, access reviews, encryption at rest, audit logging, vulnerability scanning, and incident response. The formal Type II audit window is in progress; we'll publish the report once it's complete.

Existing security controls

  • Per-app RSA keypairs protected with envelope encryption (AES-GCM data keys, wrapped by a key-encryption key held in the environment).
  • HttpOnly + Secure + SameSite cookies; 60-second JWT sessions.
  • Stripe webhook idempotency + signed delivery for end-user webhooks.
  • Rate-limited auth endpoints (Redis sliding window).
  • Audit logs retained per plan (Pro and above: 90 days; Business and above: 1 year).
  • Daily Postgres backups with off-site retention.

Requesting reports

Customers on Business and Enterprise plans can request the latest audit letter, penetration test summary, and SIG-Lite by emailing security@kolaylogin.com from the workspace owner's address. Reports are shared under NDA.

Other certifications

ISO 27001 and HIPAA-readiness work is on the 2026 H2 roadmap. Reach out if you have a specific certification timeline driven by your own compliance program.


This page is a status overview — for specific questions email security@kolaylogin.com.