Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kombo.dev/llms.txt

Use this file to discover all available pages before exploring further.

Data Residency Options

Kombo runs fully independent regional deployments. You choose your region during onboarding, and all data processing stays within that region. If you operate globally, you can also receive separate Kombo environments in multiple regions (for example, an EU environment and a US environment under the same tenant). Each environment is fully isolated and follows the residency guarantees of its own region.

Available Regions

RegionAPI EndpointLocation
EUapi.kombo.devEurope
USapi.us.kombo.devUnited States

Architectural Isolation

Each region operates its own isolated infrastructure — API servers, databases, sync workers, and object storage are all region-scoped. There is no cross-region data access:
  • API keys created in one region cannot authenticate against the other region’s API.
  • PII of end-customers never leaves the selected region.
  • Regional resources (integrations, synced data, logs) cannot be shared across regions.
The global dashboard frontend routes to the correct regional backend based on your tenant configuration. The dashboard itself does not store customer data — it connects to your region’s backend for all operations.

Compliance and Security

Certifications

  • ISO 27001 Certified
  • SOC 2 Certified
  • GDPR Compliant

Data Security

  • Encryption at rest: All stored data is encrypted.
  • Regular penetration testing: Independent security audits verify our controls.
  • API key security: Keys support IP allowlisting, expiration, and individual revocation.
  • Role-based access: Dashboard users are assigned roles that control what environments and actions they can access.
  • SSO and MFA: Available for dashboard authentication (subject to your plan).
  • Audit logs: All sensitive operations (key management, configuration changes) are logged.
For the full details on our security practices, visit our Security Center.

Data Retention

  • Integration data: When an integration is deleted, all of its data is removed after 14 days. See the full deletion policy.
  • Logs: Sync, action, and request/response logs are retained for a fixed default period. Longer retention is available on Enterprise plans — reach out to the Kombo team for details.

GDPR deletion requests

Kombo does not own the source-of-truth record for end-customer data — the underlying HRIS or ATS does. GDPR deletion requests therefore follow this flow:
  1. The data subject requests deletion from the company that operates the connected ATS or HRIS.
  2. That company removes the record from their HRIS or ATS.
  3. On the next sync, Kombo detects that the record is no longer present in the upstream system and mirrors the deletion in our database.
This means Kombo’s data stays consistent with what the customer has in their own HR or recruiting system without us needing to act as a separate controller for deletion requests.

Additional Information

If you have specific questions or need detailed information for a security questionnaire, reach out to the Kombo team or visit our Security Center.