Trust Center
Security and Trust
Prova is used in regulated industries to produce auditable records of AI reasoning. Prova takes security and data privacy seriously.
SOC 2
Type 1 planned
We have not started a SOC 2 audit yet. We plan to begin SOC 2 Type 1 readiness when we onboard our first design partner. Our security documentation (this questionnaire, the DPA, and the subprocessor list) is available now under NDA.
See the controls we operate today, mapped to the Trust Services Criteria
Security
Encryption in transit
All traffic is TLS 1.2+. API endpoints enforce HTTPS.
Encryption at rest
Supabase encrypts data at rest using AES-256.
Authentication
Supabase Auth with email/OAuth. API keys are stored as SHA-256 hashes only. The raw key is never retrievable.
Access control
Row-level security on all tables. Service role key is server-side only, never exposed to the browser.
Secret management
Environment variables managed via Vercel and Render. No secrets in source code or version control.
Vulnerability disclosure
Report issues to security@cobound.dev. See security.txt.
Data Practices
What we store
Each AI decision is a signed receipt (an AIDecisionEvent): its kind, source, the payload you send, any policy verdicts and detector findings, and the Ed25519 signature over all of it. You can verify any receipt yourself, offline, against the published public key; the in-browser verifier is at /proof. The signed receipt is the audit trail, so the payload is stored; send only what you need recorded. Only a hash of your API key is kept, never the raw key.
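An added illustration of the offline check described above, not Prova's code: the receipt layout, field names, JSON serialization and throwaway key pair are all assumptions, since this page does not specify the actual format. It shows why a change to the stored payload is detectable with nothing but the public key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Receipt is a hypothetical layout; field names and encoding are assumptions.
type Receipt struct {
	Kind      string          `json:"kind"`
	Source    string          `json:"source"`
	Payload   json.RawMessage `json:"payload"`
	Verdicts  []string        `json:"verdicts"`
	Findings  []string        `json:"findings"`
	Signature string          `json:"signature,omitempty"` // base64
}

// signedBytes serializes every field except the signature (assumed canonical form).
func signedBytes(r Receipt) ([]byte, error) {
	r.Signature = ""
	return json.Marshal(r)
}

// Sign stands in for the issuing service.
func Sign(r Receipt, priv ed25519.PrivateKey) Receipt {
	msg, _ := signedBytes(r) // the constructed input below is always valid JSON
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return r
}

// Verify needs only the receipt and the public key, so it runs offline.
func Verify(r Receipt, pub ed25519.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	msg, err2 := signedBytes(r)
	return err == nil && err2 == nil && ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed receipt, then alters the stored payload.
func Demo() (original, tampered bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	r := Sign(Receipt{Kind: "decision", Source: "demo-app", Payload: json.RawMessage(`{"amount":100}`), Verdicts: []string{"allow"}}, priv)
	original = Verify(r, pub)
	r.Payload = json.RawMessage(`{"amount":900}`)
	return original, Verify(r, pub)
}

func main() { fmt.Println(Demo()) }
```

Verification succeeds only when the verifier reproduces the exact bytes that were signed, so a real receipt format has to fix its serialization rules.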
Self-hosted and air-gapped
For full data control, the self-hosted bundle (docker-compose and Helm) keeps every receipt inside your own perimeter, with nothing sent to Prova. Air-gapped deployments are supported.
EU data residency
Available on Enterprise plans: all data stored in the Supabase EU region so nothing leaves the EEA. Self-hosted deployments give you residency control by default.
Retention and deletion
Receipts are retained as your audit trail while your account is active. Account data is deleted within 30 days of account closure, and you can request deletion of your receipts at any time.
Legacy verifier
The original reasoning-chain verifier is a separate path: it stores a certificate plus a fingerprint of the input and accepts a retain flag, so reasoning text is not persisted unless you opt in. See /docs/privacy.
Documents
Questions about security or compliance?
I respond to enterprise security reviews within one business day.