Security
Last updated: April 11, 2026
Kord is built for engineering teams who work with sensitive design files, proprietary specifications, and controlled documents. Security is foundational to our architecture, not an afterthought. This page describes the technical and organizational measures we use to protect your data.
1. Infrastructure & Hosting
Kord is deployed on Vercel, which maintains SOC 2 Type II attestation for Security, Confidentiality, and Availability, as well as ISO 27001 certification and PCI DSS compliance. Vercel's SOC 2 Type II report is available upon request.
- All application traffic is served over TLS 1.2+ with HTTPS enforced at the edge — HTTP requests are automatically redirected
- Hosting infrastructure runs on AWS with data residency in the United States
- Edge network provides automatic DDoS mitigation and rate limiting
- Serverless architecture eliminates persistent server state, reducing the attack surface
2. Data Encryption
In Transit
All data transmitted between clients and Kord is encrypted using TLS 1.2 or higher. Internal service-to-service communication (application to database, application to storage) is also encrypted in transit.
At Rest
All data at rest — including the PostgreSQL database, file storage, and backups — is encrypted using AES-256 encryption. Encryption keys are managed by the infrastructure provider and rotated automatically.
OAuth Token Storage
OAuth refresh tokens for cloud storage integrations (Google Drive, OneDrive, SharePoint, Egnyte) are stored encrypted in the database. Tokens can be revoked by the user at any time from the Settings page, which immediately deletes the stored token.
3. Authentication & Identity
Kord supports federated OAuth 2.0 authentication (Google and Microsoft) and magic link email-based authentication.
- No passwords are stored — OAuth authentication is delegated to the identity provider, inheriting their security controls including MFA. Magic link authentication uses short-lived, single-use tokens delivered via email
- Sessions are managed via signed, HttpOnly, Secure cookies with SameSite=Lax to prevent CSRF attacks
- Session tokens are cryptographically signed JWTs validated on every request
- Users who authenticate via Microsoft benefit from their workspace's existing Conditional Access policies — Kord delegates sign-in to Microsoft's identity platform, so policies like MFA, managed devices, and IP restrictions are enforced during authentication
4. Access Controls
Role-Based Access Control (RBAC)
Kord implements a two-tier role model. At the workspace level, members are assigned Owner, Admin, or Member roles. At the repository level, users are assigned one of three roles, each inheriting the permissions of the roles below it:
- Viewer — read-only access to files and review sessions
- Contributor — can upload files and create review sessions
- Admin — full management including member invitations, repository settings, and review session approvals
Review session reviews are handled via explicit reviewer assignment — reviewers are designated per review session, ensuring only authorized individuals can approve changes.
Row-Level Security (RLS)
Every database table is protected by PostgreSQL Row-Level Security policies. RLS is enforced at the database layer, meaning access control cannot be bypassed by application-level bugs. Users can only query rows they are explicitly authorized to access based on their workspace membership and repository role.
5. File Storage & Access
- Uploaded files are stored in dedicated, isolated cloud storage buckets with AES-256 encryption at rest
- File access is controlled via short-lived, signed URLs that are generated per-request after authorization checks — files are never served from publicly accessible URLs
- Storage paths are structured per owner and file version, preventing path traversal or unauthorized cross-tenant access
- When a user deletes files, the data is marked for removal. Storage objects are cleaned up after verifying no other references exist
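
The signed-URL flow described in the list above, as an added illustration that is not Kord's code: a URL is issued only after a role check, bound to a per-owner, per-version path, and rejected once it expires or is altered. The signing key, host name, URL layout, and function names are assumptions made for this example.

```javascript
// Added illustration; not Kord's implementation. Key, host and path layout are assumed.
const crypto = require("node:crypto");

const SIGNING_KEY = crypto.randomBytes(32); // constructed per-process key for the demo
const ROLE_RANK = { viewer: 1, contributor: 2, admin: 3 }; // each role inherits those below

function hasRole(userRole, required) {
  return (ROLE_RANK[userRole] ?? 0) >= ROLE_RANK[required];
}

// HMAC over the path and expiry, so neither can be changed without the key.
function sign(path, expires) {
  return crypto.createHmac("sha256", SIGNING_KEY)
    .update(`${path}\n${expires}`).digest("hex");
}

// Issue a short-lived URL only after the authorization check passes.
function issueSignedUrl(userRole, ownerId, fileId, version, nowSec, ttlSec = 60) {
  if (!hasRole(userRole, "viewer")) return null;
  // Reject identifiers that could alter the storage path (e.g. "../").
  for (const part of [ownerId, fileId, String(version)]) {
    if (!/^[A-Za-z0-9_-]+$/.test(part)) return null;
  }
  const path = `/files/${ownerId}/${fileId}/v${version}`;
  const expires = nowSec + ttlSec;
  return `https://storage.example${path}?expires=${expires}&sig=${sign(path, expires)}`;
}

// Storage-side check: expiry first, then a constant-time signature comparison.
function verifySignedUrl(url, nowSec) {
  const u = new URL(url);
  const expires = Number(u.searchParams.get("expires"));
  const sig = u.searchParams.get("sig") ?? "";
  if (!Number.isInteger(expires) || nowSec > expires) return false;
  const expected = Buffer.from(sign(u.pathname, expires), "hex");
  const given = Buffer.from(sig, "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```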
6. Cloud Storage Integrations
Kord integrates with Google Drive, Microsoft OneDrive, SharePoint, and Egnyte for file synchronization. These integrations are designed with a strict security model:
- User-controlled sync direction — users can import files from cloud storage into Kord for review and versioning, and optionally push approved files back to cloud storage. All sync actions require explicit user initiation
- Scoped OAuth permissions — we request only the permissions necessary to access files in linked folders
- Users must explicitly link specific folders — Kord does not have access to a user's entire cloud storage
- Token revocation is instant — disconnecting a cloud provider from Settings immediately deletes the stored refresh token
7. Application Security
- Input validation — all user input is validated and sanitized server-side before processing or storage
- Parameterized queries — all database queries use parameterized statements, eliminating SQL injection vectors
- Content Security Policy — HTTP security headers including CSP, X-Frame-Options, and X-Content-Type-Options are enforced on all responses
- No client-side secrets — API keys and credentials are stored exclusively in server-side environment variables, never exposed to the browser
- Dependency management — dependencies are managed with a lockfile to ensure reproducible builds and regularly reviewed for known vulnerabilities
8. Data Handling & Retention
- Customer data is used solely to provide the Service — we do not sell, share, or use customer data for advertising or model training
- Files and metadata are retained as long as the account is active
- Users can delete individual files, versions, folders, and repositories at any time
- Full account deletion is available upon request, which removes all associated data including files, metadata, and access tokens
- Database backups are encrypted and retained for disaster recovery purposes, subject to the same access controls as production data
9. Compliance & Certifications
| Standard | Status | Scope |
|---|---|---|
| SOC 2 Type II | Attested | Hosting infrastructure (Vercel) |
| ISO 27001 | Certified | Hosting infrastructure (Vercel) |
| PCI DSS | Compliant | Hosting infrastructure (Vercel) |
| SOC 2 Type II | Planned | Kord application layer |
Infrastructure compliance reports (SOC 2 Type II, ISO 27001) are available upon request. Contact us to receive copies for your security review.
10. Responsible Disclosure
If you discover a security vulnerability, please report it to security@pipedreamer.ai. We take all reports seriously and ask that you give us reasonable time to address the issue before public disclosure.
11. Questions
For security questionnaires, compliance documentation requests, or any security-related inquiries, contact us at security@pipedreamer.ai.