Sub-processors

Sub-processors

To run Kovira we rely on a small set of trusted providers that may handle personal information on our behalf. Each is bound by contract to handle data in line with our obligations under the Australian Privacy Principles, the New Zealand Information Privacy Principles, and the GDPR where it applies. We do not sell your data and we never share it with advertising platforms.

Current sub-processors

Current Kovira sub-processors, with purpose, data handled, region, and transfer mechanism
ProviderPurposeData handledRegionTransfer
SupabaseDatabase, authentication, file storage, and the encrypted secret vault.All workspace content and account data.Managed database region; may be processed outside your country.SCCs where GDPR applies; APP 8 comparable-protection basis for Australian data.
VercelApplication hosting, the global edge network, and consent-gated analytics and performance telemetry.Request metadata. Anonymised page metrics only if you opt into analytics or performance cookies.Global edge network.SCCs where GDPR applies.
StripeCard-payment processing for paid subscriptions.Billing contact and payment metadata. Kovira does not store card numbers.United States (global processing).SCCs where GDPR applies.
ResendTransactional email delivery (confirmations, password resets, notifications you opt into).Recipient address and message content in transit.United States.SCCs where GDPR applies.

Services you connect yourself

Some processing happens only because you choose to enable it. These are not engaged by default.

Microsoft 365

If you connect a Microsoft 365 tenant, Kovira reads Entra ID and Intune data, and any mailboxes you authorise, through Microsoft Graph. The data stays in your Microsoft 365 tenant region and is read under the permissions you grant. Scope is limited to what you connect.

Browser push notifications

If you turn on push notifications, delivery is handled by the push service built into your browser or operating system. Only the notification payload transits that service. You can revoke the permission in your browser at any time.

Where your data lives

Your operational data and uploaded files are stored with Supabase, and each workspace is isolated at the database so another workspace cannot read your records. Depending on the serving region, data may be processed in more than one country. Where personal information is disclosed to a provider outside Australia, we treat it as a cross-border disclosure under Australian Privacy Principle 8 and the New Zealand IPP 12, and we rely on Standard Contractual Clauses for transfers governed by the GDPR. The full detail is in the privacy policy, and how isolation is enforced is on the security page.

Changes to this list

If we add or change a sub-processor that handles personal information, we update this page and its last-reviewed date. Material changes are notified to account holders by email before they take effect. Questions: privacy@kovira.app.

Last reviewed July 2026.