Overview
Kadoa is built with best-in-class security practices to keep your data safe and secure at every layer. This includes state-of-the-art encryption, safe and reliable infrastructure partners, and independently verified security controls. Request our Data Processing Agreement (DPA) for specific details.
Shared responsibility
Under our shared responsibility model, Kadoa secures the components that we control, including the application layer, underlying platform, and cloud infrastructure. This includes protecting against threats targeting these components through security controls, monitoring, and incident response. Customers are responsible for how they use Kadoa. This includes configuring workspace security and access, determining what data they extract, managing API keys and integrations, and monitoring their audit log.
Governance
Kadoa establishes policies and controls, monitors compliance with those controls, and proves its security and compliance to third-party auditors. Our policies are based on the following foundational principles:
Least Privilege
Access should be limited to only those with a legitimate business need,
based on the principle of least privilege.
Consistency
Security controls should be applied consistently across all areas of the
enterprise.
Defense in Depth
Security controls should be implemented and layered according to the
principle of defense-in-depth.
Continuous Improvement
The implementation of controls should be iterative, continuously improving
effectiveness and decreasing friction.
Data Protection
Data at rest
All data stores are encrypted at rest.
Data in transit
Kadoa uses TLS 1.3 or higher everywhere data is transmitted over networks.
Data backup
Kadoa backs up all production data using a point-in-time approach. Backups are
persisted for 30 days, and are globally replicated for resiliency against
regional disasters.
Data Isolation
Kadoa implements strict data isolation to ensure complete privacy between teams and customers:
- Complete Team Separation: Each team’s data is fully isolated. No data is ever shared or accessible between teams
- API Scope Enforcement: API keys are strictly scoped to individual teams and cannot access data from other teams
- Isolated Processing: Workflow executions happen in isolated environments with team-level boundaries
- Database-Level Security: Row-level security policies and team identifiers ensure data separation at the storage layer
Data Regions
When starting on our Enterprise Plan, you have the option to select the region where you want your data to be stored. The available options are:
- United States
- European Union