Skip to main content

Your Data Stays Yours. Period.

Kodda is built for teams that want private, grounded answers from their own documents without handing that knowledge back to a public model.

Tenant Isolation

Workspace data stays scoped to your own environment.

Private RAG

Your content is used for retrieval at runtime, not model training.

Server Enforcement

Auth, quotas, and widget access are enforced on the server.

Security Controls

How we protect your workspace and your users.

Multi-Tenancy & Data Isolation

Strict logical isolation between all customer data.

Technical Justification

Every database record (Bots, Libraries, Documents, Vectors) is scoped by a unique tenantId. Our Server Actions and API routes use middleware to ensure users can only access data belonging to their own workspace.

Data Privacy (Zero-Training RAG)

Your data is never used to train public or private models.

Technical Justification

Kodda uses the RAG (Retrieval-Augmented Generation) pattern. We provide context to the LLM at inference time but never submit customer data for fine-tuning. Your knowledge remains yours.

Encryption at Rest & In Transit

End-to-end encryption for all data handling.

Technical Justification

All traffic is forced over TLS 1.3. Data at rest is encrypted using AES-256 volume encryption. Backups and vector stores are similarly protected.

Audit Logging & Traceability

Full visibility into sensitive workspace actions.

Technical Justification

Kodda implements a dedicated audit log system that records creation, deletion, and configuration changes. This allows for post-incident investigation and compliance reporting.

Triple-Layer Rate Limiting

Protection against DDoS and brute-force attacks.

Technical Justification

We apply rate limiting at three levels: Client IP, User Session, and Tenant Quota. This ensures service availability and prevents automated abuse of your bot endpoints.

API Security & Auth

Secure authentication using NextAuth and Scoped Keys.

Technical Justification

All dashboard access is protected by NextAuth v5 (Auth.js) with session hardening. API access uses cryptographically hashed keys with automatic last-used tracking.

Server-Side Enforcement

Unlike many AI platforms that rely on client-side logic (which can be bypassed), Kodda enforces every security policy and plan limit at the API level.

Atomic quota increments prevent plan overages
Storage byte-verification before upload begins
Strict CORS validation for every widget request
X-Frame-Options: DENY enforced for unpaid accounts
// Security Middleware Example
async function validateAccess(req) {
  const session = await auth();
  const { tenantId } = await req.json();

  if (session.user.tenantId !== tenantId) {
    throw new Error("UNAUTHORIZED");
  }

  const quota = await getUsage(tenantId);
  if (quota.chats >= plan.limit) {
    return NextResponse.json(
      { error: "QUOTA_EXCEEDED" }, 
      { status: 429 }
    );
  }
}

Our Privacy Promise

We never sell your data and we do not use your knowledge base to train public models. Your workspace content stays scoped to retrieval and response generation.

Privacy PolicyTerms of Service

Need a Security Review?

Our security team is happy to answer your technical questions.

Contact Security Team