
How we research and what we cite.

The competitor comparisons, breach analyses, and risk ratings on this site are based on Koaich's reading of public documentation. We're not an independent auditor. This page is the show-your-work version: what we read, when we update, what we don't evaluate, and how to flag a correction.

How we evaluate

For each vendor we analyze, we read:

  • The vendor's published privacy policy, terms of service, and any subprocessor list
  • The vendor's security architecture documents or white papers (when published)
  • The vendor's transparency reports for the most recent published period
  • Publicly disclosed incident reports from the vendor or from regulators (CISA, ICO, breach-notification filings)
  • Relevant protocol specifications where the vendor cites them (Signal Protocol, MLS RFC 9420, etc.)
  • Court filings and government oversight documents where they describe vendor data-handling (Section 215 reports, ECPA filings, etc.)

We do not reverse-engineer products, do not analyze leaked internal documentation, and do not have access to non-public vendor architecture. Where a public document is silent on a question, we either state that the question is unanswered or omit the row. We don't guess.

What we update — and when

Vendor terms, architectures, and feature surfaces change. Our update cadence:

  • Every 90 days: we re-read each major vendor's privacy policy + terms + transparency report for material changes
  • Within 48 hours of a public disclosure: we update relevant pages when a vendor publishes an incident, policy change, or new security feature that affects our claims
  • Whenever you tell us: if you spot something inaccurate, we re-review it as a priority and publish the correction with the date

Each comparison page has an implicit last-reviewed date via the sitemap's lastmod field. We don't yet display a per-page review date in the UI — that's on the roadmap.

What we don't audit

We are a workspace-tool vendor evaluating other workspace-tool vendors. Two important caveats follow from that:

  • We're not an independent auditor. Our analysis is not a compliance certification, an attestation, or a substitute for one. Decisions that depend on regulatory compliance (HIPAA, SOC 2, ISO 27001, attorney-client privilege, GDPR specifics) should be validated with your own compliance counsel.
  • We have a stake in the outcome. Koaich exists as an alternative to the vendors we compare against. We try to describe their architectures accurately and non-disparagingly, but the analysis is published by an interested party — that's us. Treat it as one input, not the only input.
  • Our own architecture is documented separately at /security. We invite independent audit of our cryptographic claims and have committed to publishing the audit when it's done (currently scoping with security firms).

How to flag a correction

If you see a specific factual claim on any page that you believe is inaccurate or out of date, please email hello@koaich.com with:

  • The URL of the page
  • The specific claim (quote it)
  • The source you believe is more accurate (a link is best)

We commit to:

  • Acknowledge receipt within 2 business days
  • Publish a correction (or a written explanation of why we believe the original was right) within 5 business days
  • Date the correction so readers know what changed and when

Sources we cite, by vendor

This is the working bibliography behind every claim on the comparison and analysis pages. If you read a claim and want to verify it, the source is here.

What we explicitly don't claim

For trust, it's worth being clear about claims we deliberately avoid making:

  • "Slack lies" / "Notion betrays its users" — these are bad-faith framings. The vendors made architecture choices that prioritize features over privacy; that's a trade-off, not a betrayal. We describe the trade-off; we don't moralize about it.
  • "Koaich is more secure than Signal" — we're at Signal-parity for 1:1 messaging cryptography, ahead on groups (MLS) and on workspace surface. We don't claim victory over Signal in messaging-only — they're still the gold standard there.
  • "HIPAA-compliant" / "SOC 2 certified" — we're not, yet. Compliance work is on the roadmap. We don't pre-claim certifications we don't hold.
  • "Unhackable" / "100% private" / "military-grade" — every system has a threat model with limits. Ours is documented at /security. We describe specific cryptographic primitives (nacl.box, MLS RFC 9420, Shamir, WebAuthn) instead of marketing tropes.

SEE ALSO
  • /security — our own architecture, separately documented from this competitor analysis
  • /terms — legal content disclaimer (no warranty / not legal advice / etc.)
  • /compare — the comparisons this methodology backs
  • /breaches — the breach catalog this methodology backs