Security

How we protect your data

Security is not an afterthought at Kova. Here is how we keep your data safe at every layer.

AES-256-GCM Encryption

All stored API keys are encrypted using AES-256-GCM, the same standard used by banks and governments. Each key has a unique initialization vector (IV), and the authentication tag ensures data integrity. Keys are never stored in plaintext or logged.
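As an added example (not Kova's own code), here is a minimal Node.js sketch of the scheme this paragraph describes: a fresh IV for each stored key, and an authentication tag that makes decryption fail if the record has been altered. The function names, the 32-byte master key and the IV || tag || ciphertext record layout are assumptions made for illustration.

```javascript
// Added illustration, not Kova's code. All names and the record layout are assumptions.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const IV_BYTES = 12;  // 96-bit IV, the size GCM is designed around
const TAG_BYTES = 16; // 128-bit authentication tag

// Encrypt one provider API key under a 32-byte master key. A fresh random IV
// is drawn on every call, so no two records share a (key, IV) pair.
function sealApiKey(masterKey, apiKey) {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", masterKey, iv, { authTagLength: TAG_BYTES });
  const ciphertext = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  // Assumed storage layout: IV || tag || ciphertext, base64-encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Decrypt a stored record. final() throws when the tag does not verify, so a
// modified record or a wrong master key never yields plaintext.
function openApiKey(masterKey, record) {
  const raw = Buffer.from(record, "base64");
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error("record too short");
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", masterKey, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  const body = raw.subarray(IV_BYTES + TAG_BYTES);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Integrity self-check: flip one ciphertext bit and confirm decryption fails.
function selfCheck() {
  const masterKey = randomBytes(32);
  const apiKey = "sk-constructed-example-value"; // constructed, not a real key
  const first = sealApiKey(masterKey, apiKey);
  const second = sealApiKey(masterKey, apiKey);
  const damaged = Buffer.from(first, "base64");
  damaged[IV_BYTES + TAG_BYTES] ^= 0x01;
  let rejected = false;
  try { openApiKey(masterKey, damaged.toString("base64")); } catch { rejected = true; }
  return {
    roundTrip: openApiKey(masterKey, first) === apiKey,
    freshIvPerRecord: first !== second,
    tamperRejected: rejected,
  };
}
```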

Bring Your Own Keys (BYOK)

You control your AI spending. Provide your own OpenAI, Anthropic, or Groq API keys. Charges go directly to your provider account. We decrypt your key only at the moment of an API call and never retain it in memory beyond the request lifecycle.

IDOR Protection

Every database query is scoped to your authenticated user ID. Conversations, messages, settings, and API keys are all isolated. No other user can access your data, even if they guess a resource ID.

Rate Limiting

We use Upstash Redis-backed rate limiting to prevent abuse. Chat endpoints are limited per user, per hour. Authentication endpoints have stricter limits to prevent brute-force attacks. Password reset requests are limited to 3 per 15 minutes.

Security Headers

All responses include strict security headers: X-Content-Type-Options (nosniff), X-Frame-Options (DENY), X-XSS-Protection, Referrer-Policy (strict-origin-when-cross-origin), and a restrictive Permissions-Policy for camera and microphone access.

Password Security

Passwords are hashed using Argon2, the winner of the Password Hashing Competition. Account lockout is enforced after repeated failed login attempts: 5 or more attempts trigger a 5-minute lock, and 10 or more trigger a 30-minute lock. All login attempts are audit-logged.

Have a security concern or found a vulnerability?

Contact us at security@kova.ai