Your claim is sensitive.
We treat it that way.
To fight your claim, Koala handles some of your most personal information: your policy, your address, your denial letter, sometimes your losses in detail. This page is the full account of how that data is protected, where it travels, and (just as honestly) what we haven't built yet.
Security posture at a glance
PII-scrubbed logging
Every log line redacted before it's written
Encrypted in transit & at rest
TLS on the wire, managed Postgres at rest
Payment data tokenized
Card details stay with Stripe, never our servers
Data minimization by default
The browser only ever gets a stripped projection
Independent and early-stage. Everything here is live in the product today. No badges we haven't earned.
Your personal details never reach a log in the clear.
Logs are where sensitive data usually leaks: an error message quietly prints an email or a policy number, and now it's sitting in a console somewhere. Koala is built so that can't happen, with two layers working together.
First, by design.Raw claim content and your email address are simply never passed into a log message. When something fails, the code records a claim ID and a typed error, never the contents of your claim. That's the primary guarantee.
Then, as a safety net. Every line the app logs is forced through a single sink that deterministically redacts structured PII: emails, US Social Security numbers, street addresses, ZIP codes, phone numbers, and policy or claim numbers (both numeric and alphanumeric, like POL-4432).
We're honest about the edge: free-form names can't be pattern-matched without wrongly redacting ordinary words, so names are protected by the “never log claim content” rule above, not by the redactor. The scrubber is the backstop, not the only thing standing between your data and a log file.
Redaction, before & after
What a naive log might write
claim POL-4432 for jane.doe@acme.com
at 42 Oak Street failed. Call
back on 555-238-9910What Koala actually writes
claim [id] for [email]
at [address] failed. Call
back on [number]The redaction is deterministic rather than probabilistic. The same input always redacts the same way, so there's no model in the loop deciding whether your address counts as private.
The controls around your data.
These aren't promises for later. They're enforced in the code that runs your claim today.
Data minimization
The browser never receives your full claim record. Every response is a stripped-down projection: payment identifiers and internal fields are removed server-side before anything leaves the API.
Payment isolation
Card details go straight to Stripe and never touch Koala's servers. We store a payment reference to confirm your order, not a card number, expiry, or CVC.
Access control
A claim ID is an unguessable UUID, and reading a claim additionally requires a signed capability token (HMAC-SHA256) handed to its owner. The operator dashboard sits behind its own gate, verified in constant time.
Validated boundaries
Every response from an AI model is sanitized and re-shaped against a strict schema before it's stored or shown, so a malformed or unexpected output can't slip through into your report.
Rate limiting
Per-IP limits on analysis and chat throttle scraping and abuse, so no single caller can hammer the pipeline or run up cost against another user's claim.
Encryption everywhere
Traffic is served over HTTPS/TLS end to end. Claim records live in managed Postgres (Supabase), encrypted at rest, with row-level security revoking direct access. Secrets are read from the environment, never committed to the repo.
The vendors a claim passes through.
Koala isn't a black box. To read, research, and deliver your claim, its data travels through a short list of infrastructure providers, and each one only ever sees the slice it needs.
Provider
What it handles
- Supabase
Stores your claim record in managed Postgres, encrypted at rest.
- Stripe
Processes your payment. Sees your card data so we don't have to.
- Google (Gemini)
The AI models that read your documents and draft your demand: they process claim text to do the analysis.
- Exa
Runs the neural web searches for comparable settlements and rulings.
- Resend
Delivers your finished report and demand letter by email, if you give us an address.
- Upstash
Holds rate-limit counters keyed by IP address (no claim content).
We don't sell your claim data or use it to train our own models; the flat fee is the business model. For the full legal detail on data use, see our Privacy Policy.
We won't advertise a certificate we don't hold.
Plenty of early products decorate a security page with compliance logos they haven't actually earned. We think that's worse than saying nothing: it's a claim you can't back up when it matters.
So, plainly: Koala is early-stage and does nothold SOC 2, HIPAA, ISO 27001, or any formal security certification today, and we haven't completed an independent penetration test. When we earn any of these, they'll appear here with real dates and reports behind them, and not one day before.
On the roadmap: not done yet
A commitment, not a credential.
- SOC 2 Type II reportPlanned
- HIPAA / ISO 27001 attestationPlanned
- Independent third-party penetration testPlanned
- Formal data-retention & deletion controlsPlanned
- A public bug-bounty programPlanned
Found something? Tell us.
We don't have a formal bug-bounty program yet, but we take security reports seriously and we'd genuinely rather hear from you. If you've found a vulnerability or a way your data could be exposed, email us and we'll work with you to confirm and fix it.