Security & Compliance

Kolva is built with enterprise-grade security from the ground up. Your data is protected by multiple layers of defense, strict access controls, and continuous monitoring.

Certifications & Compliance

In Progress

SOC 2 Type II

Service Organization Control audit covering security, availability, and confidentiality. Expected completion Q2 2026.

Active

GDPR Compliant

Full compliance with the EU General Data Protection Regulation. DPA available for all customers.

Active

CCPA Compliant

California Consumer Privacy Act compliance. Data access, deletion, and opt-out rights fully supported.

Security Measures

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • End-to-end encryption for sensitive API keys
  • SHA-256 hashing for stored credentials

Access Control

  • Role-based access control (RBAC) with 5 permission levels
  • Row-Level Security (RLS) enforced at database level
  • Multi-factor authentication (MFA) available
  • Session management with automatic timeout

Infrastructure

  • Hosted on SOC 2 certified infrastructure (AWS/Vercel)
  • Database hosted in EU (AWS eu-central-1, Frankfurt)
  • Automated daily backups with point-in-time recovery
  • Geographic redundancy and failover capabilities

Monitoring & Response

  • 24/7 automated security monitoring
  • Real-time anomaly detection and alerting
  • Incident response team with <4h response SLA
  • Regular penetration testing by third parties

Development Practices

  • Secure development lifecycle (SDLC)
  • Automated dependency vulnerability scanning
  • Code review required for all changes
  • Staging environment testing before production

AI Security

  • Customer data never used for AI model training
  • AI processing via encrypted API — no data retention by providers
  • AI features can be disabled per-account

On-Premise Agent Security

Kolva connects to your ERP (Sage X3, SAP Business One) via a lightweight agent that runs entirely on your corporate network. The agent is strictly read-only — it extracts data and sends it to Kolva over HTTPS. It never writes, modifies, or deletes anything in your ERP.

Unidirectional Data Flow

[Diagram: Your network: ERP (Sage X3 / SAP) -> SELECT / GET only -> Your network: Kolva Agent (Node.js service) -> HTTPS POST -> EU (Frankfurt): Kolva Cloud (PostgreSQL / AES-256)]

No write path exists from Kolva to your ERP. The data flow is strictly one-way.

Read-only by design

The agent source code contains exclusively SELECT queries (Sage X3) and GET requests (SAP). No INSERT, UPDATE, DELETE, or any write operation exists in the codebase. This is architecturally enforced — not just a policy.

Runs on your network

The agent runs entirely within your corporate network. It connects to your ERP locally and sends data outbound to Kolva over HTTPS. No inbound ports are opened, and no VPN tunnels are required.

SQL read-only account

We recommend connecting the agent with a dedicated SQL user that has only SELECT permissions. Even if the agent code were modified, the database account physically cannot write or delete data.

Auditable source code

The full agent source code is available for review by your IT team before deployment. Unlike proprietary ERP connectors, you can verify every SQL query and HTTP call the agent makes.

No credentials leave your network

Your ERP credentials (SQL login, SAP API key) are stored locally in the agent's .env file on your server. They are never transmitted to Kolva's cloud. Authentication to Kolva uses a separate, revocable API key.

Data stored in EU

All synchronized data is stored in a PostgreSQL database hosted on AWS eu-central-1 (Frankfurt, Germany). Data never leaves the European Union, and it is encrypted at rest with AES-256.

How Kolva Compares to Industry Standards

Kolva follows the same security standards as Sage and SAP for third-party integrations, with the added benefit of full source code transparency.

| Security Feature | Kolva | Sage X3 | SAP B1 |
| --- | --- | --- | --- |
| Read-only access | SELECT / GET hardcoded | Read-only API representations | Authorization levels (Read-Only) |
| Encryption at rest | AES-256 | AES-256 | AES-256 |
| Encryption in transit | TLS 1.3 | TLS 1.2+ | TLS 1.2+ |
| Data location | EU (Frankfurt) | On-premise or Sage cloud | On-premise or SAP cloud |
| Certifications | SOC 2 (infra), GDPR | SOC 1/2, ISO 27001 | ISO 27001, SOC 1/2 |
| Source code audit | Full source available | Proprietary | Proprietary |
| Credential storage | Local .env only | Varies by connector | Varies by connector |

Sub-processors

| Provider | Purpose | Location |
| --- | --- | --- |
| Supabase | Database & Authentication | EU (AWS Frankfurt) |
| Vercel | Application Hosting | US (Global CDN) |
| Stripe | Payment Processing | US |
| Resend | Transactional Email | US |
| Inngest | Background Job Orchestration | US |

Last updated: February 28, 2026. We notify customers 30 days before adding new sub-processors.

Responsible Disclosure

We value the security community. If you discover a vulnerability, please report it responsibly. We commit to acknowledging reports within 24 hours, providing updates within 72 hours, and resolving critical issues within 7 days.

security@kolva.ai