Security

How we protect your documents and data

Our Commitment

At Korala, security is fundamental to everything we build. We handle sensitive business documents and understand the trust you place in us. This page outlines the security measures we have in place to protect your data.

Data Encryption

In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections and use modern cipher suites.

At Rest

Documents and sensitive data stored in our systems are encrypted at rest. Database backups are also encrypted to ensure your data remains protected.

Infrastructure Security

Our infrastructure is hosted on secure cloud providers with robust physical and network security controls. We implement:

  • Network isolation and firewalls
  • Regular security patches and updates
  • Intrusion detection and monitoring
  • Automated backups with encryption

Authentication & Access Control

We use multiple layers of authentication to protect your account and data:

  • Web Application: Secure JWT-based authentication with refresh tokens
  • API Access: HMAC signature authentication for API requests, ensuring request integrity and authenticity
  • Signer Access: Unique, time-limited tokens for document signers
  • Role-Based Access: Organization-level permissions (owner, admin, member)

Document Security

Every document processed through Korala benefits from:

  • Complete Audit Trail: Every action on a document is logged with timestamps, IP addresses, and user identification
  • Cryptographic Signatures: Documents are signed using X.509 digital certificates
  • RFC 3161 Timestamps: Trusted timestamps from DigiCert's Time Stamp Authority provide non-repudiation and long-term validity
  • Certificate of Completion: A detailed record of all signatures and timestamps is attached to completed documents

Cryptographic Standards

RFC 3161

Internet X.509 PKI Time-Stamp Protocol. Provides trusted timestamps for document signing.

X.509 Certificates

Standard format for public key certificates used in digital signatures.

Webhooks Security

All webhook deliveries are signed using HMAC-SHA256, allowing you to verify that webhook payloads genuinely originate from Korala and haven't been tampered with.
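One way a receiver could check such a signature, as an added example that is not Korala's own code. It assumes the signature arrives as a hex-encoded HMAC-SHA256 of the raw request body, keyed with a shared webhook secret; the page does not specify the header name or encoding, and the secret, payload and function names below are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real secret comes from your webhook settings.
SECRET = b"example-webhook-secret"
RAW_BODY = b'{"event":"document.completed","id":"doc_123"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (assumed wire format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, received_sig: str) -> bool:
    """Return True only when received_sig matches the HMAC of raw_body."""
    if not isinstance(received_sig, str):
        return False
    try:
        candidate = received_sig.strip().lower().encode("ascii")
    except UnicodeEncodeError:
        return False  # a hex digest is always ASCII
    expected = compute_signature(secret, raw_body).encode("ascii")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, candidate)


def demo() -> dict:
    sig = compute_signature(SECRET, RAW_BODY)
    # Parsing and re-serializing changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "genuine": verify_webhook(SECRET, RAW_BODY, sig),
        "tampered": verify_webhook(SECRET, RAW_BODY.replace(b"doc_123", b"doc_999"), sig),
        "reserialized": verify_webhook(SECRET, reserialized, sig),
        "wrong_secret": verify_webhook(b"other-secret", RAW_BODY, sig),
        "missing_sig": verify_webhook(SECRET, RAW_BODY, ""),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The check has to run on the request body exactly as received, before any JSON parsing, which is why the re-serialized payload is rejected.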

Responsible Disclosure

We value the security research community. If you discover a security vulnerability, please report it responsibly by contacting us at hello@korala.ai. We commit to investigating and addressing valid reports promptly.

Contact Us

For security-related questions or concerns, contact us at:

Korala LLC
Email: hello@korala.ai