Infrastructure
Kodo runs on Vercel for hosting and compute, with a managed Postgres database (Neon) for application data. When we need object storage (for example, the PDF reports on Win plans), we use Vercel Blob. Our primary deployment region is the United States. Vercel handles edge traffic, TLS termination, and DDoS mitigation at the network edge. Neon handles database replication, point-in-time recovery, and managed backups.
Both vendors publish their own security documentation, which you can read directly: vercel.com/security and neon.tech/security. Both are SOC 2 Type II certified.
Encryption
All traffic between your browser and Kodo is encrypted with TLS 1.2 or higher. We do not accept connections over plain HTTP. Database connections from our application servers to Postgres are also TLS-encrypted. Data at rest in the database is encrypted using AES-256 by the database provider. Managed backups are encrypted with the same standard.
We do not store passwords. Authentication is handled by Clerk, which uses industry-standard password hashing and supports modern passwordless options (passkeys, magic links, social sign-in).
Authentication and access
End-user authentication is handled by Clerk. Clerk supports multi-factor authentication (MFA) for accounts that enable it, and we recommend turning it on. Sessions use secure, HTTP-only cookies with the Secure and SameSite flags set.
Internal access to production systems is limited to the small team of engineers who need it to operate the service. Every team member signs in to vendor consoles through single sign-on with MFA required. Production database access is logged. We rotate credentials on a regular schedule and immediately when a team member's role changes.
Application security
The application follows standard web security practices:
- Content Security Policy headers to limit what scripts and resources the browser will load.
- Strict Transport Security (HSTS) so browsers will refuse to talk to Kodo over plain HTTP.
- Secure, HTTP-only, SameSite cookies for any session state.
- Parameterized database queries through our ORM. We don't build SQL by string concatenation, which closes the door on injection at the source.
- Server-side input validation on every API endpoint, using schema validation libraries.
- Rate limiting on public endpoints (including the free check) to slow down abuse and credential-stuffing attempts.
- Dependency scanning on every pull request so we notice when a library we use has a known vulnerability.
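The three header-level controls above (CSP, HSTS, and Secure/HttpOnly/SameSite cookies) are easy to claim and easy to regress, so here is an added example (not Kodo's code) of a small audit function that checks a response's headers for them; the header values at the bottom are constructed samples, not captured from Kodo.

```javascript
// Added example (not Kodo's code): check a response's security headers and
// session-cookie flags for CSP, HSTS and cookie flags. Sample input is constructed.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  const flags = new Map();
  for (const a of attrs) {
    const [k, v] = a.split("=");
    flags.set(k.toLowerCase(), v === undefined ? true : v);
  }
  return { name, flags };
}

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const get = (k) => headers[k.toLowerCase()];
  const findings = [];
  const hsts = get("strict-transport-security") || "";
  const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (!hsts) findings.push("HSTS header missing");
  else if (maxAge < 31536000) findings.push(`HSTS max-age too short: ${maxAge}`); // one year minimum
  const csp = get("content-security-policy") || "";
  const directives = csp.split(";").map((d) => d.trim());
  // script-src falls back to default-src when absent, as the browser does
  const scriptSrc = directives.find((d) => d.startsWith("script-src")) || directives.find((d) => d.startsWith("default-src")) || "";
  if (!csp) findings.push("CSP header missing");
  else if (!scriptSrc) findings.push("CSP has no script-src or default-src directive");
  else if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
  for (const c of [].concat(get("set-cookie") || [])) {
    const { name, flags } = parseSetCookie(c);
    if (!flags.has("secure")) findings.push(`cookie ${name} lacks Secure`);
    if (!flags.has("httponly")) findings.push(`cookie ${name} lacks HttpOnly`);
    const sameSite = String(flags.get("samesite") || "").toLowerCase();
    if (!["lax", "strict"].includes(sameSite)) findings.push(`cookie ${name} SameSite not Lax/Strict`);
  }
  return findings;
}

// Constructed samples: one response that passes and one that fails several checks.
const goodResponse = {
  "strict-transport-security": "max-age=63072000; includeSubDomains",
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
  "set-cookie": ["session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"],
};
const weakResponse = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "set-cookie": ["session=xyz; Path=/; SameSite=None"],
};
console.log(auditHeaders(goodResponse), auditHeaders(weakResponse));
```

Run it against real response headers by feeding `auditHeaders` the header object your HTTP client returns; the HSTS threshold and the SameSite policy are opinions to adjust, not standards.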
Third-party processors
We use a short list of vendors to deliver the product. Each one was picked because their security posture is well-documented and appropriate for the data they handle:
- Vercel for hosting, edge compute, and TLS.
- Neon for managed Postgres, backups, and point-in-time recovery.
- Clerk for end-user authentication and session management.
- Stripe for payment processing. Stripe is PCI-DSS Level 1 certified. We never see or store full card numbers; Stripe handles all of that on their own infrastructure.
- Resend for transactional email (your report, monthly updates, security notices).
- AI assistant APIs from OpenAI, Anthropic, Google, and xAI, used to run the checks we promise. We send the public questions a customer would ask (for example, "best barber in Pilsen"). We don't send account data or personal information.
The full vendor list, and what each one processes, lives in our privacy policy.
Monitoring and incident response
We monitor production for unusual traffic patterns, error spikes, and failed authentication attempts. Critical alerts page the on-call engineer. We review logs weekly and after any meaningful incident.
If we discover a security incident that affects user data, we will notify affected users without undue delay, and in any case within 72 hours of confirming the incident. This matches the GDPR notification timeline. The notice will tell you what happened, what data was involved, what we've done about it, and what (if anything) you should do on your end.
Backups and recovery
The database is backed up daily by the managed Postgres provider, with point-in-time recovery for the last 7 days. Backups are encrypted and stored in the same region as the primary database. We test the restore procedure quarterly against a staging environment so we know it actually works before we need it.
Privacy and data minimization
We collect the minimum needed to run the check and deliver the report: your business name, the city you're in, and (on paid plans) the email address where we send updates. We don't ask for your card on the free check. We don't sell data. We don't share your account information with other customers.
The full breakdown of what we collect, how long we keep it, and how to ask for deletion lives in the privacy policy.
What we don't do yet
Being honest about the gaps matters as much as listing the practices. Here's what we don't have today:
- SOC 2 certification. We follow the practices a SOC 2 audit looks for, but we are not yet certified. We plan to pursue SOC 2 Type II as we grow.
- Formal bug bounty program. We don't run a paid bounty yet. We do accept and respond to vulnerability reports at [email protected] (see below).
- Custom security questionnaires for enterprise procurement. We're focused on small businesses, not enterprise procurement cycles. If you need a deep security review for a large organization, Kodo isn't the right fit yet.
- Penetration test reports on demand. We do internal security reviews on every major release. Third-party penetration testing is on the roadmap.
Report a vulnerability
If you think you've found a security issue in Kodo, please email [email protected]. Include the steps to reproduce, the impact you think it has, and any proof-of-concept you're comfortable sharing. We respond within 5 business days, usually within 1.
We won't take legal action against good-faith security research, as long as you don't access user data beyond what's needed to prove the issue, you don't degrade service for other users, and you give us a reasonable window to fix the problem before public disclosure.
Last updated: 28 May 2026. Kodo is a small team. This page describes our current practices, not a certification. We update it as the product evolves.
Is Kodo SOC 2 certified?
Not yet. We follow the security practices a SOC 2 audit looks for (encryption in transit and at rest, limited and audited production access, managed backups, incident response), and we plan to pursue SOC 2 Type II certification as we grow. If you need a certified vendor today, Kodo isn't the right fit yet.
Where is my data stored?
On managed Postgres (Neon) in the United States, with daily encrypted backups and point-in-time recovery for the last 7 days. Application hosting runs on Vercel, also in a US region. Both providers are SOC 2 Type II certified.
Is the connection to Kodo encrypted?
Yes. All traffic between your browser and Kodo uses TLS 1.2 or higher. We don't accept plain HTTP connections. The same TLS encryption protects connections between our servers and the database.
How do I report a security issue?
Email [email protected] with steps to reproduce, the impact you think it has, and any proof-of-concept. We respond within 5 business days. We won't take legal action against good-faith research that respects user data and gives us a reasonable window to fix the issue.
Do you offer a security questionnaire for enterprise procurement?
Not yet. Kodo is built for small businesses, so we don't currently complete custom security questionnaires for enterprise procurement teams. The practices we follow are listed on this page. If you need more, get in touch and we'll tell you honestly whether we can help.