Security

Security built into Kovira from day one

Mandatory multi-factor authentication on every account, multi-tenant isolation, role-based access control with per-member overrides, an immutable audit trail, encryption in transit and at rest, a separate vault for credentials, and SAML 2.0 single sign-on on Teams plans and up. The security model is the default, not an upgrade tier.

Eight things Kovira does so you do not have to

The security model that keeps tenants apart, keeps actions accountable, and keeps secrets where they belong.

Multi-tenant isolation, enforced at every layer

Every workspace is its own tenant, isolated at the schema, the database access layer, and the application layer. Every query carries an explicit tenant context. There is no unscoped query path, so one client's data cannot leak into another's by mistake.

  • Schema-level tenant boundaries on every relationship
  • Database access policies enforced on every core table
  • Application-level tenant context required on every query
  • Privileged access reserved for trusted server-side operations only

Role-based access control with per-member overrides

Four roles - Owner, Admin, Editor, Viewer - cover the standard cases, and per-member overrides handle the rest. A specific user can be granted a permission above their role or have one revoked below it. Authorisation runs through a single helper, so no server action skips the check.

  • Four base roles per workspace
  • Per-member permission grants and revocations
  • Single requirePermission() check on every mutation
  • Per-tenant role assignment for technicians who span workspaces
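
How an override-aware check of this kind can be resolved, as an added sketch that is not Kovira's code. The permission names, the role matrix, the membership shape and the rule that a revocation beats a grant are assumptions; only the four role names and the requirePermission() name come from this page.

```javascript
// Added illustration, not Kovira's code. Permission names, the role matrix and
// the membership shape are assumptions; only the role names come from the page.
const ROLE_PERMISSIONS = new Map([
  ["owner", ["ci:read", "ci:write", "member:manage", "workspace:delete"]],
  ["admin", ["ci:read", "ci:write", "member:manage"]],
  ["editor", ["ci:read", "ci:write"]],
  ["viewer", ["ci:read"]],
]);

class PermissionDenied extends Error {}

// user.memberships: Map<tenantId, { role, grants: string[], revocations: string[] }>
// A technician who spans workspaces has one entry per tenant, each with its own role.
function hasPermission(user, tenantId, permission) {
  const membership = user.memberships.get(tenantId);
  if (!membership) return false; // no membership in this tenant: deny
  const base = ROLE_PERMISSIONS.get(membership.role);
  if (!base) return false; // unknown role: fail closed
  if (membership.revocations.includes(permission)) return false; // revocation wins
  return membership.grants.includes(permission) || base.includes(permission);
}

// Hypothetical stand-in for the single helper every mutation calls first.
function requirePermission(user, tenantId, permission) {
  if (!hasPermission(user, tenantId, permission)) {
    throw new PermissionDenied(`${permission} denied in tenant ${tenantId}`);
  }
}

// Constructed sample: one technician with different effective rights per workspace.
const technician = {
  id: "u-1",
  memberships: new Map([
    ["tenant-a", { role: "viewer", grants: ["ci:write"], revocations: [] }],
    ["tenant-b", { role: "admin", grants: [], revocations: ["member:manage"] }],
  ]),
};

// Example server action: the check runs before any write is attempted.
function updateConfigurationItem(user, tenantId, ciId, changes) {
  requirePermission(user, tenantId, "ci:write");
  return { tenantId, ciId, ...changes };
}
```
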

Mandatory MFA, SSO on Teams and up

Multi-factor authentication is required on every Kovira account on every plan, including the free tier. There is no opt-out. The password reset flow respects the second factor (no MFA bypass through reset). Teams, Business, and MSP plans add SAML 2.0 single sign-on for organisations using Entra ID, Okta, Google Workspace, or any other SAML identity provider. The full position is on the SSO and MFA page.

  • MFA mandatory on every account, every plan
  • MFA-aware password reset (no second-factor bypass)
  • SAML 2.0 SSO on Teams, Business, and MSP plans
  • Server-side session management with revocation

Immutable audit trail across every action

Every write logs who did what, when, from where, and against which resource. The audit trail is always on and cannot be turned off by any user, no matter their role. Logs are filterable, exportable, and intended to satisfy compliance evidence requirements out of the box.

  • CI edits, sign-ins, permission checks, workflow runs, role changes
  • Always on, cannot be disabled
  • Filterable by date, actor, action type, target
  • Exportable for external review

Secrets in a separate vault, not inline on records

Credentials, API keys, and other secrets stored in Kovira live in a separate vault. The configuration item references the vault entry by ID rather than holding the secret inline. Automation payloads have sensitive fields stripped before they touch the database, so workflows cannot accidentally write secrets to the wrong place.

  • Secrets stored in a separate vault
  • Password CIs reference vault entries, never store secrets inline
  • Sensitive field suffixes (_secret, _password, _token, _vault_ref) auto-stripped from automation payloads
  • Per-access audit on vault reads
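
Suffix-based stripping of an automation payload, as an added sketch that is not Kovira's code. The four suffixes are the ones listed above; the function names, case-insensitive matching, recursion into nested objects and arrays, and the sample payload are assumptions.

```javascript
// Added illustration, not Kovira's code. The four suffixes come from the page;
// case-insensitive matching and recursion into nested data are assumptions.
const SENSITIVE_SUFFIXES = ["_secret", "_password", "_token", "_vault_ref"];

function isSensitiveKey(key) {
  const lower = key.toLowerCase();
  return SENSITIVE_SUFFIXES.some((suffix) => lower.endsWith(suffix));
}

// Returns a deep copy without sensitive keys; paths of dropped keys go to `removed`.
function strip(value, removed, path) {
  if (Array.isArray(value)) {
    return value.map((item, i) => strip(item, removed, `${path}[${i}]`));
  }
  if (value !== null && typeof value === "object") {
    const out = Object.create(null); // no prototype, so a "__proto__" key is inert
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (isSensitiveKey(key)) {
        removed.push(childPath); // record the key path only, never the value
      } else {
        out[key] = strip(child, removed, childPath);
      }
    }
    return out;
  }
  return value; // strings, numbers, booleans and null pass through unchanged
}

function sanitizeAutomationPayload(payload) {
  const removed = [];
  return { clean: strip(payload, removed, ""), removed };
}

// Constructed sample payload; every value here is made up.
const samplePayload = {
  name: "core-switch-01",
  admin_password: "constructed-password",
  integration: { api_token: "constructed-token", endpoint: "https://example.invalid/hook" },
  steps: [{ action: "notify", webhook_secret: "constructed-secret" }, { action: "update" }],
  credential_vault_ref: "constructed-vault-id",
  token_count: 3, // kept: contains "token" but does not end in a listed suffix
};
```

In this sketch the filter looks at key names only, so a secret pasted into a free-text field such as a description passes through unchanged.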

Encryption in transit and at rest

Every request is served over TLS. Data at rest is encrypted at the storage layer. Customers do not need to provision their own keys; the SaaS handles key management. For agent traffic from VECTOR and ATLAS, requests are cryptographically signed and verified in addition to TLS.

  • TLS on every request
  • Encryption at rest at the storage layer
  • Cryptographically signed agent-to-platform traffic
  • API keys rotatable from the workspace

Hardened request surface

Standard browser and HTTP defences are enabled by default rather than opt-in: CSRF origin checks on every state-changing request, per-request CSP nonces, strict transport security, frame-deny, restrictive referrer and permissions policies, and rate limits on sensitive endpoints.

  • CSRF origin validation on every POST, PUT, PATCH, DELETE
  • Content-Security-Policy with per-request nonces in production
  • HSTS, X-Frame-Options: DENY, restrictive Permissions-Policy
  • Per-IP rate limiting and IP-ban tooling for abusive sources

Compliance posture, ready for evidence

The audit trail, the access control model, the multi-tenant isolation guarantees, and the immutable change history together provide the evidence ISO 27001 and equivalent frameworks ask for. Kovira is built to support customers working towards or maintaining certification.

  • Designed to support ISO 27001 evidence requirements
  • Per-tenant audit log isolation
  • Immutable change history on every CI
  • Exportable audit trail for external assessors

Related

How identity works at Kovira

Mandatory multi-factor authentication on every plan including the free tier, MFA-aware password reset that does not bypass the second factor, and SAML 2.0 single sign-on with Entra ID, Okta, Google Workspace, or any other SAML identity provider on Teams, Business, and MSP plans.

Read the full SSO and MFA position

Reporting a security issue

If you have found a vulnerability or suspect one, please reach out directly. Responsible disclosure is appreciated and acknowledged.

Please include reproduction steps and any affected URLs. We acknowledge reports promptly and keep reporters informed through to remediation.

For full scope, safe harbour terms, and response timelines, see the vulnerability disclosure policy.

Security: frequently asked questions

Common questions from security and compliance reviewers.

How does Kovira keep tenants isolated from each other?

Tenant isolation is enforced at every layer of the platform: the database schema, the database access layer, and the application layer that requires an explicit tenant context on every query. There is no unscoped data path, and there are no shared tables through which one tenant can read another's data.

How does access control work?

Kovira ships role-based access control with four levels - Owner, Admin, Editor, and Viewer - plus per-member permission overrides for cases where the role default needs to be tightened or relaxed for a specific person. Authorisation goes through a single helper that enforces the override-aware check on every server action.

Is multi-factor authentication required?

Yes. Multi-factor authentication is mandatory for every Kovira account on every plan, including the free tier. The password reset flow is MFA-aware - resetting a password does not bypass the second factor. Sign-in sessions are managed server-side and are revocable.

Does Kovira support Single Sign-On (SSO)?

Yes, on Teams, Business, and MSP plans. SSO uses the standard SAML 2.0 protocol so it works with Microsoft Entra ID, Okta, Google Workspace, OneLogin, and any other identity provider that speaks SAML. The free tier uses email-and-password authentication with mandatory MFA.

What is logged in the audit trail?

Every write action is logged: configuration item creation and edits, sign-ins, permission checks, role changes, workflow runs, password resets, and tenant administration. The audit trail is always on and cannot be disabled. Logs are filterable by date, actor, action type, and target, and can be exported.

How are credentials and secrets stored?

Credentials and other secrets stored in Kovira (for example, password configuration items) live in a separate vault and are referenced by ID from the CI rather than being stored inline. Sensitive fields ending in standard suffixes (such as _vault_ref, _secret, _password, _token) are also stripped from automation payloads before they touch the database.

How is data encrypted?

Data is encrypted in transit (TLS) on every request and encrypted at rest at the storage layer. The platform is operated as a SaaS and customers do not need to provision their own keys to receive these protections.

Is Kovira ready for ISO 27001 audits?

The audit trail, RBAC model, multi-tenant isolation, and immutable change history are designed to provide the evidence ISO 27001 and similar governance frameworks ask for. Kovira is built to support customers working towards or maintaining certification.

How do I report a security issue?

Email security disclosures to security@kovira.app. Please include reproduction steps and any affected URLs. Responsible disclosure is appreciated; we acknowledge reports promptly and keep reporters informed through to remediation.

A security model that is the default, not an upgrade

Multi-tenant isolation, RBAC, MFA, audit, and the secrets vault will be part of every Kovira plan, including the free tier.