Last updated: February 21, 2026
Security at a Glance
Kora Studio is built to help design teams work faster inside Revit—without compromising the confidentiality of your projects or your firm’s data. Security and privacy are treated as product requirements, not afterthoughts.
- Customer data is owned by the customer; Kora Studio does not sell customer data.
- Role-based access and least-privilege principles are used to restrict internal access.
- Encryption is used in transit and (where applicable) at rest for stored data.
- Security monitoring, backups, and incident response processes are in place.
- We can provide security documentation under NDA for enterprise procurement.
What Data Kora Studio Processes
Kora Studio can process the following categories of data, depending on your deployment and usage:
- Account data: names, work email addresses, firm name, role, and authentication details.
- Product usage data: feature usage events, in-app actions, and performance telemetry for reliability and support.
- Support data: information you share with our team during support tickets (e.g., screenshots, logs, crash reports).
- Project data (optional): model-related information necessary to generate outputs (e.g., façade configuration parameters).
We recommend that you avoid uploading or sharing sensitive personal data through support channels unless necessary.
Data Ownership and Confidentiality
Your project data remains yours. Kora Studio is designed so that you retain control over your intellectual property and project confidentiality.
- Customer content is used only to provide and improve the service, deliver support, and maintain security.
- We do not use customer project content to market your work without written permission.
- We do not sell customer data or share it with third parties for advertising.
Access Controls
Access to Kora Studio and customer data is restricted using industry-standard access controls.
- Authentication: support for secure login methods and strong password policies (and SSO/enterprise options where available).
- Authorization: role-based access controls (RBAC) and least-privilege permissions.
- Administrative controls: ability to manage users, roles, and access within your organization.
- Internal access: limited to authorized personnel on a need-to-know basis for support and operations.
Encryption and Data Protection
Kora Studio applies encryption and other safeguards to protect data from unauthorized access.
- Encryption in transit: TLS is used for data transmitted between your device and Kora Studio services (where applicable).
- Encryption at rest: stored data is encrypted at rest where supported by the underlying infrastructure and configuration.
- Secrets management: credentials and keys are stored using dedicated secrets management controls.
Secure Development and Testing
Kora Studio is developed with security in mind across the software lifecycle.
- Secure SDLC practices: code review, separation of environments, and change management controls.
- Dependency and vulnerability management: monitoring of third-party libraries and prompt remediation of critical issues.
- Testing: automated testing and targeted security testing prior to major releases.
- Principle of minimal data: we aim to collect only what is needed to operate and improve the product.
Operational Security
We use operational controls to reduce risk and maintain service reliability.
- Logging and monitoring to detect anomalies and support incident response.
- Backups and recovery procedures designed to protect availability and continuity.
- Access auditing for administrative and sensitive actions where applicable.
- Business continuity planning for critical systems.
Incident Response
Kora Studio maintains an incident response process to investigate, contain, and remediate security events.
- Defined internal escalation paths and triage procedures.
- Containment and remediation steps aligned to severity and impact.
- Customer notification practices consistent with contractual obligations and applicable law.
- Post-incident review to prevent recurrence.
Privacy
Kora Studio is committed to responsible privacy practices. We process personal data to provide the service, maintain security, and support customers.
- We do not sell personal data.
- We limit data sharing to what is required to operate the service (e.g., hosting, support tooling), under contractual safeguards.
- We support privacy rights requests where required by law (e.g., access, deletion).
Compliance and Legal
Many customers require compliance alignment (e.g., GDPR, confidentiality obligations, vendor security questionnaires). Kora Studio supports these reviews through documentation and contractual options.
- Data Processing Addendum (DPA) available on request for customers requiring GDPR-style terms.
- Confidentiality agreements available for enterprise engagements.
- Security questionnaires can be completed for qualified prospects and customers.
- Note: Specific certifications (e.g., SOC 2, ISO 27001) should be discussed directly with our team, as availability may depend on current audit scope and timeline.
Data Retention and Deletion
We retain customer data only as long as needed to provide the service, comply with legal obligations, and resolve disputes.
- Account and usage data retention is governed by internal retention schedules.
- Customer-requested deletion is supported, subject to contractual and legal requirements.
- Backups may retain data for a limited period before expiration, consistent with recovery needs.
Subprocessors and Third Parties
Kora Studio may use vetted service providers (subprocessors) for hosting, analytics, error reporting, and support operations.
- We select subprocessors based on security posture and contractual safeguards.
- We limit subprocessors’ access to the minimum required to provide their services.
- A current subprocessor list can be provided on request (and can be published publicly once finalized).
Your Responsibilities (Best Practices)
Security is strongest when both vendor and customer follow good practices. We recommend:
- Use strong authentication (SSO/2FA where available) and limit admin roles.
- Maintain device security (OS updates, endpoint protection) for all users.
- Apply firm standards for Revit model handling, access, and sharing.
- Avoid sharing sensitive personal data in support tickets unless necessary.
Contact
For security questions, vendor assessments, or to request documentation (e.g., DPA, security questionnaire, subprocessor list), contact:
- Security & Privacy: sales@kora.studio
- Support: sales@kora.studio
If you believe you have found a security vulnerability, please report it privately. Do not publicly disclose the issue until our team has had an opportunity to investigate and respond.