Privacy Policy
Last Updated: March 3, 2026
Kovera ("we," "our," or "us") is committed to protecting the privacy and security of the data entrusted to us by our customers. This Privacy Policy outlines how we collect, use, and safeguard information within our security scanning platform.
1. Data Collection and Usage
We collect information necessary to provide our automated compliance and security scanning services, including:
- Account Information: Name, email address, and organization details.
- Technical Data: IP addresses, browser types, and system logs required for platform security and performance monitoring.
- Scan Data: Metadata related to your security scans, used exclusively to generate your compliance reports.
- Zero-Knowledge Architecture: Kovera implements a strict Zero-Knowledge architecture. Your source code is analyzed locally on your machine and is never uploaded to or stored on Kovera's servers. Only compliance metadata and remediation suggestions are sent to our cloud for report generation. This ensures complete privacy of your proprietary code.
- AI Processing & Governance: Code submitted for scanning and analysis is processed by our AI models for vulnerability detection and remediation purposes only. Your source code is never used for training, fine-tuning, or improving our AI models. All code processing is isolated and retained only for generating your security reports and fixes. Our AI systems are bias-tested and audited for fairness compliance with Colorado AI Act requirements.
- Agent Audit Logs & Session Metadata: When using Kovera's Agent Governance V2 system, we automatically collect and store comprehensive audit logs including: (1) Risk Scoring Data - all agent actions are scored on a 0-100 CVSS-based risk scale with scoring rationale; (2) MFA Verification Events - records of Multi-Factor Authentication prompts, approvals, and the identity of approving users; (3) Action Logs - timestamps, agent names, action types, and decision outcomes for all autonomous actions; (4) Session Metadata - session start/end times, durations, action counts, and aggregate statistics. All agent session and audit log data is restricted to the initiating user's account and is never shared across users. These logs are cryptographically signed and immutable, providing tamper-proof compliance records for audits.
2. Security Logs & Audit Trail
Kovera maintains a comprehensive security audit trail (PrivacyLog) to protect your account and detect malicious activity:
- IP Address Logging: Client IP addresses are logged for all authentication attempts, API calls, and suspicious activities. IP logs are retained for security threat analysis and are used to detect and prevent SQL injection, cross-site scripting (XSS), and other attack patterns.
- Access Logs: Failed login attempts, unauthorized access attempts, and MFA events are logged with timestamps for audit purposes.
- Threat Detection: Logs are analyzed to identify suspicious patterns, block malicious IP addresses, and alert you to potential security breaches affecting your account.
3. Data Security & Encryption
As a security-first organization, we implement industry-standard technical and organizational measures to protect your data. All data in transit is encrypted using TLS 1.2+, and data at rest is protected using AES-256 encryption.
4. Third-Party Processors
We partner with leading service providers to ensure a seamless experience:
- Payments: All financial transactions are processed by Stripe. Kovera does not store or see your credit card information.
- Infrastructure: Our services are hosted on secure, SOC2-compliant cloud infrastructure.
5. Data Retention
We retain your information only for as long as necessary to provide our services or comply with legal obligations. Customers may request data deletion at any time by contacting our support team.
6. Your Rights & Compliance (GDPR/CCPA)
Kovera respects the data rights of users globally. You have the right to access, correct, or delete your personal data.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You can request what personal information Kovera collects, uses, and shares about you.
- Right to Delete: You can request that Kovera delete the personal information we have collected from you (with certain exceptions).
- Right to Opt-Out: You can opt out of the sale or sharing of your personal information.
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Data Portability: You can request your personal information in a portable and readily useable format.
To exercise these rights, please contact us at contact@kovera.tech with your request. We will respond within 45 days.
For all privacy-related inquiries, please contact us at the address below.