Security

Partner programs handle sensitive revenue data. Here's exactly how we protect yours.

Encryption in transit

All data is encrypted via TLS 1.2+ between your browser, our servers, and our database. No plaintext communication.

Encryption at rest

Data stored in Convex (AWS us-east-1) is encrypted at rest using AES-256. Backups are also encrypted.

Audit logs

Every deal approval, commission calculation, and payout is logged with a timestamp and actor. Tamper-evident trail for every action.

Authentication

Powered by Clerk — industry-standard auth with bcrypt password hashing, optional MFA, and secure session management.

Backups

Convex provides continuous, automatic backups with point-in-time recovery. We test restores periodically.

Incident response

Security incidents are logged, investigated, and disclosed within 72 hours per GDPR requirements. Email security@covant.ai to report.

Infrastructure

Covant runs on:

  • Vercel — application hosting with global CDN, DDoS protection, and automatic SSL
  • Convex — managed database on AWS us-east-1 with automatic scaling and encrypted storage
  • Clerk — authentication infrastructure used by thousands of production applications
  • Stripe — PCI-DSS Level 1 certified payment processing; we never see raw card data

We use Vercel's production environment with separate production and development deployments. No development data touches production infrastructure.

Access control

Covant enforces data isolation at the application layer:

  • Each organization's data is scoped by its unique organization ID
  • Partners only see data belonging to their own portal account
  • Admin actions (payout approvals, deal approvals) require authenticated dashboard sessions
  • Session tokens are HTTP-only cookies managed by Clerk with configurable expiry

Internal access to production data is limited to engineers who require it for support or debugging. All internal access is logged.

What we don't do

  • We do not sell your data or your partners' data
  • We do not use your data to train AI models
  • We do not log or store payment card details
  • We do not share data with third parties except our listed subprocessors

Compliance

  • GDPR: Compliant (DPA available)
  • CCPA: Compliant (no data selling)
  • SOC 2: In progress (target Q4 2026)

A Data Processing Agreement (DPA) for GDPR compliance is available at covant.ai/dpa. For enterprise security reviews, email security@covant.ai.

Vulnerability disclosure

If you discover a security vulnerability in Covant, please email security@covant.ai. We ask that you:

  • Give us reasonable time to investigate and fix before public disclosure
  • Not access or modify data you don't own
  • Not perform attacks that degrade service availability

We will acknowledge all reports within 48 hours and keep you updated on our progress.

Questions

Security questions or enterprise security review requests: security@covant.ai

Privacy questions: privacy@covant.ai