Security

How we protect your data.

KORVA Sentinel holds sensitive compliance evidence for water utilities. We take that seriously. This page describes exactly what we do to protect it — honestly, without overstating what we have.

Effective: May 2026
Last Reviewed: May 2026
Contact: info@korvasystems.com

Our security posture, plainly stated: Sentinel is built on enterprise-grade infrastructure (Supabase on AWS, Anthropic API). Data is encrypted in transit and at rest. We don't sell customer data. We don't use customer compliance data to train AI models. We're a small, focused team — we know exactly what data we hold and who can access it. SOC 2 Type 2 certification is on our roadmap as we scale.

01 Data Encryption

All data transmitted between your browser and KORVA Sentinel is encrypted using TLS 1.2 or higher. We do not serve any content over unencrypted HTTP.

All data stored in the Sentinel database is encrypted at rest using AES-256, managed by Supabase on AWS infrastructure. This includes your utility profile, compliance evidence, intake responses, AXIOM advisor conversations, and all remediation records.

Payment data

KORVA Sentinel does not store payment card numbers, bank account details, or any payment credentials. All payment processing is handled by Square, which is PCI DSS Level 1 certified. We receive only a transaction confirmation and the associated email address.

02 Access Controls

Access to Sentinel customer data is controlled at multiple levels:

Row-level security (RLS)

Supabase Row Level Security policies ensure that each authenticated user can only read and write records belonging to their own utility account. No customer can access another customer's data at the database layer — not through misconfigured queries, not through the API.

Authentication

User authentication is handled by Supabase Auth, which uses JWT tokens with short expiry windows. Passwords are hashed using bcrypt. Session tokens are invalidated on logout and expire automatically after inactivity.

Internal access

KORVA Systems staff access to production customer data is limited to the minimum necessary for support and operations. All internal access is logged. We do not access customer compliance data or AXIOM conversations for purposes other than support requests you initiate.

Team member roles

Within your Sentinel account, you control access via role-based permissions — Admin, Editor, and Viewer. Each role is enforced at the API and database layer, not just the interface.

03 Infrastructure

KORVA Sentinel runs on the following infrastructure stack:

  • Database and backend: Supabase, hosted on AWS (us-east-1). Supabase maintains SOC 2 Type 2 certification and ISO 27001 compliance.
  • Frontend hosting: Static HTML served via your file system or CDN of your choice during the current deployment phase. We will publish hosting infrastructure details as we move to managed hosting.
  • AI advisor: Anthropic API, accessed server-side. No customer data is sent to Anthropic without a direct user-initiated AXIOM conversation.
  • Payments: Square. PCI DSS Level 1 certified. KORVA Sentinel never touches card data.

AWS data residency: All Supabase-hosted data resides in AWS us-east-1 (Northern Virginia). Data does not leave U.S. jurisdiction.

04 AI & Data Handling

The AXIOM compliance advisor is powered by Anthropic's Claude API. This section describes exactly how your data interacts with that system — because we know this matters to utilities managing sensitive operational information.

What gets sent to Anthropic

When you ask AXIOM a question, your message and relevant context from your utility profile (system type, population tier, applicable state mandates) are sent to the Anthropic API to generate a response. Specific compliance evidence, remediation records, asset inventories, and documents you've uploaded are not sent to the Anthropic API unless you explicitly paste that content into a conversation message.

Anthropic's data use

KORVA Sentinel accesses the Anthropic API under terms that prohibit Anthropic from using your conversation data to train or improve their AI models. Your AXIOM conversations are not used for model training. Anthropic's full data use policy is available at anthropic.com/legal/privacy.

What we recommend you do NOT paste into AXIOM

AXIOM is designed for regulatory questions, compliance planning, and policy generation — not for ingesting your raw operational data. We recommend you do not paste:

  • SCADA credentials, API keys, or passwords
  • Network diagrams containing IP addresses
  • Employee PII beyond job titles and roles
  • Financial account numbers or rate schedules

AXIOM generates better answers from the regulatory question, not from raw operational data. Ask it what AWIA requires — not what your specific SCADA configuration looks like.

05 Sub-Processors

KORVA Sentinel uses the following sub-processors to deliver the service. Each has been evaluated for security posture and contractual data protections.

Processor | Purpose | Data Shared | Certifications
Supabase (AWS) | Database, authentication, storage | All customer account and compliance data | SOC 2 Type 2 · ISO 27001
Anthropic | AXIOM AI advisor | User-initiated conversation messages and utility profile context | No AI training on API data
Square | Payment processing | Name, email, transaction amount | PCI DSS Level 1
Google Fonts | Typography (Outfit, Manrope, JetBrains Mono) | IP address (browser request only, no account data) | GDPR compliant

We do not use advertising networks, analytics SDKs, session recording tools, or any third-party trackers on Sentinel. No customer behavioral data is sold or shared with marketing platforms.

06 Incident Response

In the event of a confirmed security incident affecting customer data, KORVA Systems will:

  • Contain the incident and assess scope within 24 hours of confirmation
  • Notify affected customers via email within 72 hours of confirming a breach that affects their data
  • Provide a plain-English description of what happened, what data was affected, what we've done, and what you should do
  • File required regulatory notifications on our own behalf — we will not make notifications on behalf of your utility, but we will provide the information you need to make your own

For water utilities: A breach of your KORVA Sentinel account does not necessarily trigger your AWIA or CIRCIA incident reporting obligations — those apply to cyber incidents affecting your OT or drinking water system. However, if an incident at KORVA affected your compliance evidence repository, we will communicate that clearly so you can make an informed determination. We will never obscure or delay that communication.

To report a security concern, email info@korvasystems.com with "Security Incident Report" in the subject line.

07 Vulnerability Disclosure

If you discover a security vulnerability in KORVA Sentinel, we ask that you report it to us before disclosing it publicly. We commit to:

  • Acknowledging your report within 2 business days
  • Keeping you informed of our investigation and remediation progress
  • Not pursuing legal action against researchers who report in good faith
  • Crediting researchers who responsibly disclose (if they wish to be credited)

How to report

Email info@korvasystems.com with subject line "Vulnerability Disclosure." Include a description of the issue, steps to reproduce, potential impact, and any proof-of-concept you've developed. Please do not include live exploit code that could cause harm if intercepted.

Scope

In scope: korva-sentinel.com web application, Sentinel app endpoints, authentication flows, data access controls. Out of scope: social engineering, physical attacks, denial of service, issues in third-party sub-processors (report those to the sub-processor directly).

08 Data Retention & Deletion

Active accounts

We retain your utility profile, compliance evidence, AXIOM conversations, and intake responses for the duration of your active subscription plus 90 days after cancellation. This 90-day window allows you to re-subscribe and recover your data, or export it before permanent deletion.

AWIA record retention

AWIA §2013 requires utilities to retain RRA and ERP records for the duration of the assessment period. We retain your certification artifacts for a minimum of 5 years from the date of generation, regardless of subscription status. You can request deletion of these records at any time — but we will note that doing so may affect your ability to demonstrate compliance history in a future audit or enforcement action.

Deletion requests

To request deletion of your account and all associated data, email info@korvasystems.com with "Data Deletion Request" in the subject. We will confirm deletion within 30 days. Certain records may be retained where legally required.

Payment records

Transaction records (date, amount, product purchased) are retained for 7 years for tax and accounting purposes. Card data is held by Square and subject to their retention policies.

09 Employee & Internal Access

As a small founding team, we are deliberate about who touches production systems and customer data.

  • Production database access is limited to engineering personnel with an active business need
  • All production access is authenticated and logged in Supabase audit logs
  • We do not access customer AXIOM conversations, compliance records, or uploaded documents for any purpose other than responding to a support request you explicitly submit
  • No contractor or third party is granted standing access to customer data
  • Access permissions are reviewed and trimmed on a quarterly basis

Bottom line: No KORVA employee reads your compliance evidence, your RRA drafts, or your AXIOM conversations unless you ask us to — and even then, access is logged and scoped to the specific support request.

10 Certifications & Audit Status

Current security certification status for KORVA Systems and KORVA Sentinel:

  • Supabase SOC 2 Type 2. Our database infrastructure provider. Their certification covers the systems where your data lives. Status: Active
  • Square PCI DSS Level 1. Our payment processor. Covers all card data handling — KORVA Sentinel never touches card data directly. Status: Active
  • KORVA Systems SOC 2 Type 2. First-party audit of KORVA Systems' own security controls. Audit readiness preparation in progress. Status: On Roadmap
  • Annual penetration test. Third-party application and infrastructure penetration testing. Scheduled to begin 2027. Status: On Roadmap

We will update this page as certifications are earned. We will not list a certification we don't hold.

11 Security Contact

For all security questions, incident reports, vulnerability disclosures, or data deletion requests:

Email: info@korvasystems.com
Use one of these subject lines so your message is routed correctly:

  • Security Incident Report — active breach or suspected compromise
  • Vulnerability Disclosure — responsible disclosure of a bug or flaw
  • Security Inquiry — general questions about our security posture
  • Data Deletion Request — account and data removal

We respond to all security-related emails within 2 business days. Confirmed incidents are triaged within 24 hours.