Trust Center

Security and Trust

Prova is used in regulated industries to produce auditable records of AI reasoning. We take security and data privacy seriously.

SOC 2 Type II

In progress

Prova is currently undergoing SOC 2 Type II certification. Contact us for our current security posture documentation and timeline.

Security

Encryption in transit

All traffic uses TLS 1.2 or later. API endpoints enforce HTTPS.

Encryption at rest

Supabase encrypts data at rest using AES-256.

Authentication

Supabase Auth with email/OAuth. API keys are stored as SHA-256 hashes only -- the raw key is never retrievable.

Access control

Row-level security on all tables. Service role key is server-side only, never exposed to the browser.

Secret management

Environment variables managed via Vercel and Render. No secrets in source code or version control.

Vulnerability disclosure

Report issues to security@cobound.dev. See security.txt.

Data Practices

What we store

Certificates (verdict, argument graph, confidence score, SHA-256 hash) are stored permanently. Reasoning text is stored alongside the certificate by default.

retain=false

When retain=false is set in an API request, the reasoning text is processed in memory and never written to disk. Certificate metadata is always stored so that the certificate remains valid.

Certificates are permanent

Certificates are never deleted. This is by design -- a certificate is a timestamped formal record. Invalidating it retroactively would undermine the auditing use case.

EU data residency

Available on Enterprise plans. All data (reasoning and certificates) is stored in the Supabase EU region, ensuring no data leaves the EEA. Contact us for details.

Questions about security or compliance?

Our team responds to enterprise security reviews within one business day.