Security and Compliance represent key aspects of any product your team uses. Karia is committed to securing access to your data, eliminating system vulnerabilities and ensuring continuity of access.
Karia uses an array of industry technologies and services to protect your data against unauthorised access, disclosure, use, and loss.
All Karia Administrators undergo background checks and are routinely trained on security practices both during company onboarding and on a quarterly basis.
Compliance Certifications
SOC2 Type 1
Karia is currently being certified against SOC2 Type 1, as of 11 June 2025, powered by Vanta compliance tools. Once certification is completed, please reach out to security@karia.com.au to access a copy of our SOC2 Type 1 report.
ISO 27001
Karia is currently being certified against ISO 27001, as of 11 June 2025, powered by Vanta compliance tools. Once certification is completed, please reach out to security@karia.com.au to access a copy of our ISO 27001 report.
Vulnerability Disclosure Policy
Karia maintains a public Vulnerability Disclosure Policy at karia.com.au/legal/disclosure-policy
We take vulnerability disclosures extremely seriously. Once disclosures are received, we rapidly verify each vulnerability contained within the report before taking the necessary steps to contain and remediate the issue.
Once verified, we will periodically send status updates as the problems are fixed, and will endeavour to work with the reporter to coordinate public disclosure should they so wish.
Karia has a well-documented response process for the detection and resolution of Security Incidents.
Infrastructure and Network Security
Physical Access Control
The Karia Platform is hosted exclusively on Amazon Web Services.
Amazon Web Services maintains both ISO 27001 certification and SOC 2/3 reports, which can be accessed via their compliance page.
Access Control
Karia infrastructure on Amazon Web Services can only be accessed by a group of authorised Karia employees who are subject to extended background checks and regular training. Privileged access to Karia infrastructure is assigned in a Just-in-Time (JIT) fashion for a limited time and requires strong authentication. Each access request requires a business justification and management approval.
Administration rights (including SSH, Database Access, and Infrastructure Configuration) are tightly controlled and restricted to a very small number of our team.
Business Continuity and Disaster Recovery
Access High Availability
Every part of the Karia platform uses automatically provisioned, redundant servers to protect against failure.
Servers are regularly taken in and out of operation throughout the day as part of our routine operation without affecting availability.
Business Continuity
Karia keeps regular daily and weekly backups of data in multiple geographic locations on Amazon Web Services.
All backups are stored in an encrypted form.
In the case of platform-wide production data loss, we are able to restore data from these backups.
We regularly test our ability to restore our infrastructure from the backups we maintain.
We routinely verify the integrity of the backups that we hold.
Disaster Recovery
Karia primarily serves traffic from a single geographic region spread across multiple availability zones.
In the unlikely event of a prolonged regional outage, we maintain a documented procedure for provisioning our deployment environment in a separate region.
Karia has an extensively documented Incident Response Process that includes documented procedures for Business Continuity and Disaster Recovery.
Application Security
Temporary Passcode Login
Karia provides users with the ability to sign in using temporary passwords.
Temporary passwords are single-use, are valid for one hour after they are issued, and have several automated defenses against brute-force attacks.
Sign In with Google
Karia allows users to log in using their Google or Google Workspace account.
Karia participates in the Google Security Assessment program, meaning our Sign In with Google flow is assessed for Security and Privacy annually by a Google-nominated third-party auditor.
SAML 2.0
Customers on our Enterprise plan can enable SAML-based authentication.
Workspaces are optionally able to force all of their users to authenticate using SAML 2.0 to align with their own authentication requirements.
Secure Application Development Process
Karia uses a Continuous Integration and Continuous Deployment model, which means all of our code changes are committed to a Source Code Repository, reviewed, tested, and shipped to our customers in a rapid sequence. Every source code change is tracked on GitHub.
Our rapid iteration development model significantly improves our response time to bugs, vulnerabilities, and security incidents.
Corporate Security
Karia believes that good security applies as much to our team as to our platform, which is why we have best-in-class facilities management and security on site.
Contingency Planning
Karia places the Availability and Confidentiality of our platform at the top of our priorities.
Karia maintains a comprehensive Incident Response Process that includes designated Disaster Recovery and Customer Communication plans.
We update our Incident Response Process at least annually.
Security Policies
Karia maintains a comprehensive set of documented Security Policies in our company wiki.
Our policies are designed in accordance with ISO 27001, and are updated on an ongoing basis.
Security Training
Karia maintains a comprehensive internal Security Training program for our team.
All Karia employees receive security training upon joining the team and annually thereafter.
Members of Karia's engineering team receive regular additional training that covers secure development practices, such as the OWASP Top Ten, in addition to our internal policies.
Incident Response Policy
Karia follows a CERN (Contain, Eradicate, Recover, and Notify) Security Incident Response Process.
Where a Security Incident affects the Confidentiality of customer data, Karia will contact the registered administrators of the workspace.
Karia maintains a public status page at status.karia.com.au, which reports on operational issues.
Anyone can subscribe to updates via email from the status page.