Security & Trust

Your customers' data is protected.

Koydo Service OS is built on enterprise-grade infrastructure with encryption at every layer, role-based access control, and a 99.9% uptime commitment.

Encryption & Infrastructure

AES-256 at rest. TLS 1.2+ in transit. SOC 2 Type II infrastructure.

AES-256 encryption at rest

All customer data — job records, payment tokens, contact details, and membership data — is encrypted at rest using AES-256. Encryption is managed at the infrastructure layer by Supabase.

TLS 1.2+ encryption in transit

All API traffic between the Service OS mobile app, the marketing site, and the Supabase back-end uses TLS 1.2 or higher. Plaintext connections are rejected.

Supabase-hosted infrastructure

Koydo Service OS runs on Supabase's managed PostgreSQL infrastructure. Supabase holds SOC 2 Type II certification, covering security, availability, and confidentiality. You get enterprise-grade infrastructure without enterprise-grade complexity.

Access Control

Role-based permissions for operators and employees.

Every Service OS account uses role-based access control (RBAC). No employee sees more than their role requires.

Operator admin role

Full access to the Service OS dashboard: all jobs, all customers, all billing, all team members. Only the business owner or a designated admin holds this role.

Dispatcher role

Can view and assign jobs, manage schedules, and contact customers. Cannot access billing settings, membership pricing, or employee pay data.

Field tech role

Can view their own assigned jobs, mark jobs complete, and log job notes. Cannot access other techs' schedules, customer payment data, or admin settings.

Read-only viewer role

View-only access to reporting dashboards. Suitable for bookkeepers or silent partners who need job and revenue data without write permissions.

GDPR

Data deletion and privacy rights.

Right to deletion. Any customer can request deletion of their personal data. Service OS will purge their account, job history, and payment tokens within 30 days of a verified deletion request.

Data portability. Operators can export their full customer list and job history at any time from the Service OS dashboard in CSV format.

Data processing. Koydo acts as a data processor on behalf of the operator (the data controller). We do not sell, share, or use customer data for any purpose other than operating the Service OS platform for that operator.

Requests. Data deletion and access requests can be submitted to privacy@koydo.app. We will acknowledge within 5 business days and fulfill within 30 calendar days.

COPPA

Note for childcare operators.

Childcare operators must obtain verifiable parental consent before using the Service OS digital check-in feature to collect or store information about children under 13. Service OS provides the check-in infrastructure; it is the operator's responsibility to maintain consent records in accordance with the Children's Online Privacy Protection Act (COPPA) and any applicable state law.

Koydo does not collect data directly from children. All child-related records in Service OS are entered by the parent or guardian at check-in and are accessible only to the operator and authorized staff.

Uptime & Compliance

99.9% SLA and SOC 2 roadmap.

99.9% uptime SLA

Service OS commits to 99.9% monthly uptime for the booking API, customer app back-end, and operator dashboard. Scheduled maintenance windows are announced at least 48 hours in advance.

SOC 2 Type II audit — planned Q3 2026

Planned — Q3 2026

Koydo's own SOC 2 Type II audit is scheduled for Q3 2026. Until then, your data is protected by Supabase's existing SOC 2 Type II certification at the infrastructure layer.

Security questions?

Email security@koydo.app for vulnerability disclosures, enterprise security reviews, or data processing agreements.

Ready to get started?

Book a 30-minute demo and we'll walk through the full platform — including security settings, RBAC roles, and our SOC 2 roadmap — on a live shared screen.