Security
Last updated: April 23, 2026
Kopi handles your approval data and Lark credentials. We take this seriously. This page is an honest description of our controls — no marketing fog.
Where your data lives
- Singapore region — Supabase (Postgres) in ap-southeast-1. PDPA-compliant. Your data does not leave Singapore except for AI inference.
- Tenant isolation — every tenant's rows are scoped by tenant_id, accessed only with that tenant's authentication. Pattern memory is never shared across tenants.
- Encryption at rest — Supabase encrypts all data at rest using AES-256.
- Encryption in transit — HTTPS enforced on every domain and route. HSTS enabled.
Lark credentials
Your Lark App ID and App Secret are stored in our database with restricted access. Only the server-side functions that call Lark APIs can read them. They are never exposed to client-side JavaScript, API responses, or logs.
AI processing
Invoice attachments and form contents are sent to Anthropic Claude for parsing and analysis. Anthropic's API (model claude-sonnet-4-6) operates with zero data retention by default — your content is processed in-memory for the request and not stored, cached, or used for training.
We do not opt into any Anthropic data-sharing features. We do not fine-tune any model on your data.
Attachment handling
Invoice PDFs and images are downloaded from Lark only when processing an approval. They are sent to Claude for analysis, the structured extraction is written to our database (vendor, amount, etc.), and the raw attachment is not persisted in our infrastructure after the request completes.
Authentication
- Magic-link email sign-in (no passwords to steal).
- Google OAuth 2.0 available as an alternative.
- Session cookies are HttpOnly + Secure + SameSite=Lax.
- Auth tokens are single-use and expire after 15 minutes.
Webhooks from Lark
Every inbound webhook from Lark is signature-verified against the app's encrypt key (when configured). Unauthenticated requests are rejected. Duplicate events are deduplicated via a database UNIQUE constraint.
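The two checks described above, signature verification followed by constraint-based deduplication, as an added illustration that is not Kopi's own code. It assumes a Lark-style signature computed as SHA-256 over the request timestamp, nonce, encrypt key and raw body and carried in X-Lark-Request-Timestamp, X-Lark-Request-Nonce and X-Lark-Signature headers (an assumption to confirm against Lark's documentation), and it stands in an in-memory SQLite table for Postgres so the UNIQUE constraint can be exercised offline; the sample event payload and key are constructed.

```python
"""Added example: verify a Lark-style webhook signature, then deduplicate
redelivered events with a UNIQUE constraint instead of application-side state."""
import hashlib
import hmac
import json
import sqlite3

# Constructed sample key, not a real credential. The signature scheme below
# (SHA-256 over timestamp + nonce + encrypt key + raw body, compared with the
# X-Lark-Signature header) is an assumption -- confirm against the Lark docs.
ENCRYPT_KEY = "constructed-encrypt-key-not-real"


def compute_signature(timestamp: str, nonce: str, encrypt_key: str, body: str) -> str:
    """Digest over the raw body as received; re-serialised JSON would not match."""
    material = (timestamp + nonce + encrypt_key + body).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def verify_signature(headers: dict, body: str, encrypt_key: str) -> bool:
    """Missing headers, a missing key and a mismatched digest all fail closed."""
    timestamp = headers.get("X-Lark-Request-Timestamp")
    nonce = headers.get("X-Lark-Request-Nonce")
    provided = headers.get("X-Lark-Signature")
    if not (timestamp and nonce and provided and encrypt_key):
        return False
    expected = compute_signature(timestamp, nonce, encrypt_key, body)
    # Constant-time comparison so a mismatch does not leak where digests diverge.
    return hmac.compare_digest(expected, provided)


def open_event_store() -> sqlite3.Connection:
    """In-memory stand-in for the Postgres table; UNIQUE(tenant_id, event_id) does the dedup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE webhook_events ("
        " tenant_id TEXT NOT NULL,"
        " event_id TEXT NOT NULL,"
        " event_type TEXT NOT NULL,"
        " UNIQUE (tenant_id, event_id))"
    )
    return conn


def handle_webhook(conn: sqlite3.Connection, headers: dict, body: str, encrypt_key: str) -> str:
    """Returns 'rejected', 'duplicate' or 'accepted'; real processing would follow 'accepted'."""
    if not verify_signature(headers, body, encrypt_key):
        return "rejected"
    header = json.loads(body)["header"]
    try:
        # The INSERT is the idempotency gate: a redelivered event_id violates the
        # UNIQUE constraint inside the transaction and is never processed twice.
        with conn:
            conn.execute(
                "INSERT INTO webhook_events (tenant_id, event_id, event_type) VALUES (?, ?, ?)",
                (header["tenant_key"], header["event_id"], header["event_type"]),
            )
    except sqlite3.IntegrityError:
        return "duplicate"
    return "accepted"


def sign_request(body: str, encrypt_key: str, timestamp: str = "1700000000", nonce: str = "n-1") -> dict:
    """Headers a legitimate sender would attach; used here only to construct sample traffic."""
    return {
        "X-Lark-Request-Timestamp": timestamp,
        "X-Lark-Request-Nonce": nonce,
        "X-Lark-Signature": compute_signature(timestamp, nonce, encrypt_key, body),
    }


def demo() -> list:
    """Delivers one event twice, then a tampered copy and an unsigned copy; reports each outcome."""
    conn = open_event_store()
    body = json.dumps({  # constructed v2-style event envelope
        "schema": "2.0",
        "header": {"event_id": "evt-001", "event_type": "approval.instance", "tenant_key": "tenant-a"},
        "event": {"instance_code": "INST-1"},
    })
    headers = sign_request(body, ENCRYPT_KEY)
    outcomes = [handle_webhook(conn, headers, body, ENCRYPT_KEY)]          # first delivery
    outcomes.append(handle_webhook(conn, headers, body, ENCRYPT_KEY))      # Lark retries it
    tampered = body.replace("INST-1", "INST-2")                            # body altered in flight
    outcomes.append(handle_webhook(conn, headers, tampered, ENCRYPT_KEY))
    outcomes.append(handle_webhook(conn, {}, body, ENCRYPT_KEY))           # no signature headers
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Ordering matters: the signature is checked before the body is parsed, so an unauthenticated request never reaches the database, and the dedup key is scoped by tenant so two tenants' events with the same id cannot collide.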
Operational security
- Access control — access to the production database and Vercel environment variables is restricted to the founding team.
- Logging — we log approval-event metadata for debugging but never form-field values or attachment contents.
- Backups — Supabase performs daily point-in-time backups with a 7-day recovery window.
- Patching — dependency updates reviewed weekly; security advisories applied within 48 hours.
What we don't have (yet)
Being honest about where we are in our maturity:
- SOC 2 Type II (planned post-GA; early enterprise customers get vendor-assessment questionnaire support).
- Single Sign-On / SAML (on the roadmap for the Full plan).
- Customer-managed encryption keys (only viable at enterprise scale).
If these are blocking for your org, email us — we're willing to prioritize based on customer need.
Reporting a vulnerability
Responsible disclosure is welcomed. Email hello@kopi.sg with "Security" in the subject. We'll acknowledge within 48 hours, validate within 7 days, and coordinate a fix.