Security
Built to hold up under review.
Governance evidence is only as credible as the system producing it. Every architectural decision assumes your data will be reviewed by someone looking for problems.
Operational data protection.
Simulations involve operational procedures and response workflows. Povenos isolates each tenant environment and protects all simulation records, policy documents, and execution logs with strict access controls.
Session data is stored separately from live systems and used only to evaluate outcomes. No data is shared between tenants or used to train models.
Data protection
Encryption at rest
AES-256 for all stored data including policy graphs, simulation records, and evidence packages.
Encryption in transit
TLS 1.2 minimum on all connections. TLS 1.3 enforced where supported.
Tenant isolation
Hard data-layer isolation. No shared state between tenants. Cross-tenant access is not a configuration option.
Key management
Encryption keys managed via AWS KMS. Tenant-scoped key policies. No shared key material.
Access and identity
Role-based access control
Permissions enforced server-side on every request. No client-side trust. Roles: participant, observer, administrator.
SSO support
OIDC for enterprise identity providers including Google Workspace and Microsoft Entra ID. Available on Enterprise plans.
Session management
Short-lived tokens with server-side revocation. Idle sessions expire automatically.
Infrastructure
Cloud provider
AWS us-east-1. Multi-AZ deployment. Production and staging environments are fully isolated with no shared resources.
Network perimeter
VPC with private subnets for all compute. Public-facing load balancers only. No direct inbound access to application servers.
Vulnerability management
Container image scanning on every build. Dependency audit in CI pipeline. Critical findings block deployment.
Backup and recovery
Automated daily backups with point-in-time recovery. Backup retention 30 days minimum. Recovery tested quarterly.
Application security
OWASP controls
Security controls aligned to OWASP Top 10. Input validation, output encoding, and parameterized queries enforced throughout the application stack.
Dependency scanning
Automated scanning via Dependabot and Snyk. Critical CVEs addressed within 72 hours of disclosure.
Penetration testing
Annual penetration testing by an independent third party. Results reviewed by engineering leadership. All findings tracked to closure.
Audit logging
Append-only audit trail for all authentication events, policy changes, simulation access, and report generation. Logs are tamper-evident and retained for 12 months.
AI and data governance
No training on customer data
Customer policy data, interview transcripts, and simulation records are never used for model training. Enforced by contract and by architecture.
Inference isolation
AI inference is performed in isolated compute. No cross-tenant prompt exposure. Session context is scoped and cleared after each interaction.
Data residency
All inference and storage within the United States by default. International data residency available on Enterprise plans.
Human approval required
All AI-generated policy content is reviewed and approved by the authorized user before finalization. No autonomous policy changes.
Compliance and evidence
SOC 2 Type II
SOC 2 Type II in preparation. Security, availability, and confidentiality trust service criteria. Current controls documentation available to Enterprise customers under NDA.
Framework alignment
Evidence packages structured to map to HIPAA, ISO 27001, NIST CSF, and SOC 2 control requirements. We generate the record. You own it.
Data retention and deletion
Configurable retention periods per organization. Deletion on request with written confirmation. Proof of deletion provided within 30 days.
Breach notification
Confirmed security incidents affecting customer data reported within 72 hours. Named security contact provided for Enterprise customers.
Technical foundations.
Scoring and evidence generation are deterministic, not LLM-based. Policy rules are compiled into structured evaluation logic. Execution records are protected by hash-chain integrity verification.
The platform is API-first with documented REST endpoints, webhook support, and standard evidence export formats. SSO via OIDC is supported for enterprise identity providers.
Deterministic scoring
Scores are computed from structured policy rules and timestamped execution records. No probabilistic inference in the scoring pipeline.
Compiled policy rules
Policies are compiled into evaluation logic before simulation. Rule changes produce a new compiled version with full version history.
Hash-chain integrity
Execution records are linked by cryptographic hash chains. Any tampering with intermediate records is detectable.
API-first architecture
REST API with webhook support. Evidence packages export in structured formats for integration with GRC and compliance tooling.
Every action is on the record.
Simulation runs, policy changes, report access, and approvals generate an append-only audit trail. The record is tamper-evident and reviewable from first event to last.
When a regulator, auditor, or legal team asks what happened during a simulation, you show exactly that. Not a summary, but a complete, timestamped record.
Policy finalization events are versioned and immutable. Changing a finalized policy creates a new draft. The original finalized record is preserved indefinitely.
Responsible disclosure.
Report security vulnerabilities to security@povenos.io. We acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.
We do not take legal action against good-faith researchers who report vulnerabilities responsibly and allow reasonable time for resolution.
Security overview document.
Your security team will have questions. Good.
We walk enterprise security teams through data handling, access controls, tenant isolation, and AI governance in detail. We answer hard questions and don't dodge what matters.