Security

How Kovarro protects your team's data

The technical controls, the policies, the compliance roadmap. The plain version - no marketing fluff.

The pillars

What's in place today

Encryption

TLS 1.3 in transit. AES-256 at rest for the database and object storage. Secrets handled by the platform's secret store, never logged.

Tenant isolation

Every query is scoped to the workspace at the database level. Two customers on the same instance can never read each other's data, even if the application layer fails open.
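Database-level scoping of the kind described above is usually built on row-level security. The following is an added illustration, not Kovarro's own schema or code: it assumes PostgreSQL and hypothetical names (a `documents` table with a `workspace_id` column, an `app_user` role, and an `app.workspace_id` session variable) and shows that a query with no `WHERE` clause still returns only the current workspace's rows, and that a session with no workspace set returns nothing rather than everything.

```sql
-- Constructed example of workspace isolation with PostgreSQL row-level security.
-- All names below (documents, workspace_id, app_user, app.workspace_id) are assumed.

CREATE TABLE documents (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid NOT NULL,
    title         text NOT NULL,
    body          text
);

-- Constructed sample rows for two workspaces, seeded before RLS is switched on.
INSERT INTO documents (workspace_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Workspace A roadmap'),
    ('11111111-1111-1111-1111-111111111111', 'Workspace A budget'),
    ('22222222-2222-2222-2222-222222222222', 'Workspace B roadmap');

-- The application connects as a dedicated role that does not own the table and
-- cannot bypass RLS. Superusers and roles with BYPASSRLS always see every row,
-- so the app must never connect as one of those.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, so a migration or
-- admin script running as the owner cannot accidentally read across tenants.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. The tenant comes from a session variable the
-- application sets once per request. current_setting(..., true) returns NULL
-- when the variable was never set, and NULLIF turns an empty string (what RESET
-- leaves behind) into NULL too; a NULL comparison matches no rows, so an
-- unscoped session fails closed instead of seeing everything.
CREATE POLICY workspace_isolation ON documents
    FOR ALL
    USING (
        workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid
    )
    WITH CHECK (
        workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid
    );

-- Verification as the application role.
SET ROLE app_user;

-- 1. Scoped session: no WHERE clause, yet only workspace A's two rows come back.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM documents ORDER BY id;
COMMIT;

-- 2. Unscoped session (e.g. a request handler that forgot to set the tenant):
--    zero rows, not all rows. This is the "application layer fails open" case.
BEGIN;
SELECT count(*) AS visible_rows FROM documents;   -- 0
COMMIT;

-- 3. A write whose workspace_id does not match the session is rejected by the
--    WITH CHECK clause, so a buggy handler cannot file data under another tenant.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (workspace_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'misfiled');
-- ERROR:  new row violates row-level security policy for table "documents"
ROLLBACK;

RESET ROLE;
```

`SET LOCAL` inside a transaction is deliberate: with a connection pool, a plain `SET` would leak the workspace into whichever request reuses the connection next, whereas `SET LOCAL` is discarded at `COMMIT`/`ROLLBACK`. The two properties worth checking in a review of any such setup are that the connecting role is neither a superuser nor marked `BYPASSRLS`, and that the policy's `USING` expression evaluates to NULL (not true) when the tenant variable is missing.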

Authentication

Argon2id password hashing, JWT access tokens with rotating refresh tokens, optional TOTP 2FA, optional SSO / SAML on Business and Enterprise.

Role-based access

Custom roles per workspace, permission matrix at the action level (create / read / update / delete on every resource), audit log of admin actions on Business and above.

Backup + recovery

Postgres backups nightly with 30-day retention. Storage layer (R2) versioned by default. Restore tested quarterly on a staging clone.

Compliance roadmap

SOC 2 Type I targeted for late 2026, GDPR DPA available on request, data residency (EU + US) on the Enterprise tier.

FAQ

The questions buyers actually ask

Is my data encrypted?

Yes - TLS 1.3 in transit and AES-256 at rest. Customer secrets (API tokens, SSO secrets) are stored in a separate secret store with envelope encryption.

Where is my data stored?

Primary region is EU-West (Frankfurt). Enterprise tier offers data residency in additional regions (US-East, AP-South). Multi-region replication is on the roadmap.

Do you have a Data Processing Agreement (DPA)?

Yes - email [email protected] for the GDPR DPA template. We countersign within 1 business day for Business and Enterprise customers.

How do you handle security incidents?

Incidents are triaged within 1 hour; affected customers are notified within 24 hours; a post-mortem is published within 5 business days for any incident with confirmed customer impact.

Can I export my data on cancellation?

Yes - JSON + CSV export of every workspace, including attachments, available on demand. Data is retained for 30 days after cancellation, then deleted.

Do you have a public security contact?

Yes - [email protected]. We respond to responsible-disclosure reports within 1 business day and credit researchers in the changelog.

Found a vulnerability?

Email [email protected] - we respond within one business day. Credit goes to researchers in the changelog.

Talk to us about security

Business and Enterprise customers get a security questionnaire pre-filled and a 30-minute review call before signing. Book it on the demo page.