Security, compliance, and data protection at Kolva. Everything you need to evaluate our platform for your organization.
Security Overview
Kolva is built with security from the ground up. Multiple layers of defense protect your data across infrastructure, application, and AI processing.
AES-256 encryption at rest. TLS 1.3 for all data in transit. End-to-end encryption for API keys.
Role-based access control (RBAC), row-level security enforced at the database level, and API keys stored only as SHA-256 hashes, never in plaintext.
Supabase on AWS (eu-central-1, Frankfurt). Vercel Edge CDN. Every hosting provider in the stack is SOC 2 audited (see Sub-processors below).
Customer data is never used for model training. AI processing is ephemeral: providers retain no prompts or outputs after the request is processed.
Real-time security alerting, anomaly detection. 24/7 automated infrastructure monitoring.
Immutable audit logs tracking all user actions — logins, role changes, API key management, data exports, integrations. 36-month retention, zero deletions.
Secure SDLC with mandatory code review. Automated dependency scanning. Staging environment testing.
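The SHA-256 API key hashing mentioned above, shown as an added Python example (this is illustrative code, not Kolva's implementation; the `kv_` prefix and the in-memory store are assumptions for the example). Only the digest is persisted, the plaintext is handed out once at issue time, and verification hashes the presented key and compares digests in constant time. The last function shows why an unsalted fast hash is acceptable for a key with 256 bits of entropy but would not be for a user-chosen password:

```python
"""Added example: storing and verifying API keys as SHA-256 hashes.

Because the key carries 256 bits of randomness, an unsalted SHA-256 is
sufficient: an attacker who steals the table cannot recover the preimage.
The same scheme is NOT suitable for passwords (see dictionary_attack).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_PREFIX = "kv_"  # hypothetical prefix for readability; not Kolva's key format


def hash_api_key(key: str) -> str:
    """Return the hex SHA-256 digest that is stored instead of the key."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def generate_api_key() -> tuple[str, str]:
    """Create a key with 256 bits of entropy; return (plaintext, stored_hash)."""
    key = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 random bytes, URL-safe
    return key, hash_api_key(key)


class ApiKeyStore:
    """In-memory stand-in for a database table that holds hashes only."""

    def __init__(self) -> None:
        # each record: {"hash": hex digest, "owner": str, "revoked": bool}
        self._records: list[dict] = []

    def issue(self, owner: str) -> str:
        """Issue a key for `owner`; the plaintext is returned once, never stored."""
        key, digest = generate_api_key()
        self._records.append({"hash": digest, "owner": owner, "revoked": False})
        return key

    def revoke(self, key: str) -> None:
        """Mark the record whose hash matches `key` as revoked."""
        digest = hash_api_key(key)
        for rec in self._records:
            if hmac.compare_digest(rec["hash"], digest):
                rec["revoked"] = True

    def authenticate(self, presented: str) -> str | None:
        """Return the owner of a valid, unrevoked key, else None.

        compare_digest avoids leaking how many leading bytes matched. A real
        table would index the hash column instead of scanning; that is safe
        because the digest cannot be forged without the plaintext.
        """
        digest = hash_api_key(presented)
        for rec in self._records:
            if hmac.compare_digest(rec["hash"], digest) and not rec["revoked"]:
                return rec["owner"]
        return None


def dictionary_attack(stored_hash: str, guesses: list[str]) -> str | None:
    """Offline guessing against an unsalted SHA-256 digest.

    Succeeds only when the plaintext is guessable, which is why SHA-256 alone
    fits random API keys but not passwords (those need a slow, salted KDF).
    """
    for guess in guesses:
        if hash_api_key(guess) == stored_hash:
            return guess
    return None


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("acme")          # plaintext shown once to the customer
    print("issued:", key)
    print("auth ok:", store.authenticate(key))
    store.revoke(key)
    print("after revoke:", store.authenticate(key))
    # Constructed guess list: cracks a weak "key" instantly, not a random one.
    weak = hash_api_key("password123")
    print("weak:", dictionary_attack(weak, ["hunter2", "password123"]))
    print("random:", dictionary_attack(hash_api_key(key), ["hunter2", "password123"]))
```

Storing the hash means a database leak does not expose usable credentials; a key that must be rotated is simply revoked and reissued. The store above is deliberately minimal: a production table would also record creation time, scopes and last use, and would be protected by the row-level security described above.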
Compliance Status
SOC 2: In progress. The Service Organization Control audit covers security, availability, and confidentiality; expected Q2 2026. Audit logging is already enabled, with all user actions tracked in immutable logs held for 36 months.
GDPR: Full compliance with the EU General Data Protection Regulation. DPA available for all customers.
CCPA: California Consumer Privacy Act compliance. Data access, deletion, and opt-out rights fully supported.
ISO/IEC 27001: Information security management system certification. On the roadmap for 2027.
HIPAA: Not in scope. Kolva does not process protected health information (PHI).
Data Handling
Data residency: Primary region is the EU (AWS eu-central-1, Frankfurt). A US region is available on request for Enterprise plans.
Encryption: AES-256 at rest for all stored data. TLS 1.3 in transit for every API call, webhook, and agent sync.
Data retention: Configurable per company; default 36 months. Data deletion on request within 30 days. Full GDPR export.
Backups: Daily automated backups with point-in-time recovery. 30-day backup retention. Encrypted in transit and at rest.
ERP agents: Agents run on your corporate network, and data stays local until the agent syncs it outbound over HTTPS; no inbound ports are required. The data flow is strictly one-way: no write path exists from Kolva to your ERP.
Sub-processors
| Provider | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase | Database & Authentication | AWS EU (Frankfurt) | SOC 2 |
| Vercel | Hosting & CDN | Global Edge | SOC 2 |
| Stripe | Payment Processing | US / EU | PCI DSS Level 1 |
| Resend | Transactional Email | US | SOC 2 |
| Anthropic | AI Processing (Claude) | US | SOC 2 |
| OpenAI | Speech Processing (Whisper) | US | SOC 2 |
| Inngest | Task Orchestration | US | SOC 2 |
| Upstash | Rate Limiting & Caching | Global | SOC 2 |
Last updated: March 2026. We notify customers 30 days before adding new sub-processors.
Documents & Resources
Privacy Policy: how we collect, use, and protect your data.
Terms of Service: legal terms governing use of the Kolva platform.
Data Processing Agreement (DPA): GDPR-compliant DPA for enterprise customers.
Cookie Policy: information about cookies and tracking technologies.
Security documentation: detailed security measures and certifications.
Service Level Agreement (SLA): uptime guarantees, response times, and remedies.
Status page: live system status and incident history.
Incident Response
< 1 hour: response time for critical incidents
< 4 hours: customer notification for data incidents
5 business days: post-mortem published
We maintain a public status page with real-time uptime monitoring and incident history.
Our team is ready to help with security assessments, compliance questionnaires, or any data protection inquiries. We also welcome responsible vulnerability disclosures.