← Back to Cova

Security

Last updated: March 27, 2026

1. Overview

Cova is a monitoring intelligence platform that connects to your existing DevOps tools to identify coverage gaps and misconfigurations. Security is foundational to how we build and operate the product - your monitoring data, API credentials, and source code are treated with the same care you would expect from any tool in your infrastructure stack.

This page documents our current security practices so you can evaluate Cova with confidence.

2. Data Encryption

At rest

All third-party API keys and tokens are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before being written to the database. Encryption keys are stored separately from encrypted data and are never committed to source control.

In transit

All connections to Cova use HTTPS/TLS. There is no plaintext HTTP endpoint. API calls from Cova to your monitoring tools (Datadog, PagerDuty, etc.) also use HTTPS exclusively.

3. Authentication

Cova supports three authentication methods:

• Email and password - Passwords are hashed with bcrypt (automatic salting, adaptive cost factor). Plaintext passwords are never stored or recoverable. Email verification is required before account activation.
• Google OAuth - Delegates authentication to Google. Cova only receives your email, name, and profile photo. No other Google data is accessed.
• GitHub OAuth - Delegates authentication to GitHub. Cova only receives your email, name, and avatar.

Session management

• Sessions use cryptographically random 256-bit tokens
• Sessions are invalidated on logout
• Authentication endpoints are rate-limited to prevent brute-force attacks
• Email verification codes expire after 10 minutes

4. API Key Storage

When you connect a monitoring tool, your API key is:

1. Validated against the tool's API to confirm it works
2. Encrypted with Fernet and stored in the database
3. Masked in all logs, API responses, and UI displays (only the last 4 characters are shown)
4. Never sent to any third party other than the tool it belongs to
5. Deleted immediately when you disconnect the tool or delete your account

Your frontend never re-sends API keys after the initial connection. All subsequent analysis requests use the encrypted credentials stored server-side.

5. Third-Party AI

Cova uses the Anthropic Claude API for AI-powered analysis, recommendations, and monitor config generation.

What we send to Anthropic

• Monitoring tool configuration metadata (monitor names, queries, thresholds, alert routing)
• Code architecture summaries (file paths, detected services, framework patterns)
• Coverage gap descriptions for generating fix configs

What we never send to Anthropic

• API keys, tokens, or credentials
• Raw source code (only structural summaries)
• Personal information (emails, names, passwords)

Anthropic's data policy

Cova uses the Anthropic API with a zero-retention policy - Anthropic does not store or use API inputs/outputs for training. See Anthropic's privacy policy for details.

6. Infrastructure

Component	Provider	Details
Application hosting	Render	HTTPS-only, SOC 2 Type II compliant infrastructure, US-based
Database	Neon (PostgreSQL)	Encrypted at rest, TLS connections, automated backups
Email delivery	Resend	Used only for verification codes and team invites
Analytics	Google Analytics 4	Anonymous, aggregated usage stats only. No personal identifiers.

7. Source Code Access

When you connect GitHub or GitLab for Repo Scan or PR Guard:

• Repository contents are fetched via API and processed in memory
• We extract structural information (file paths, detected services, framework patterns) - not raw source code
• Source code is not persisted to our database. Only the generated architecture summary and recommendations are stored.
• PR Guard analyzes diffs in memory and discards them after producing results
• You can disconnect your SCM integration at any time, which revokes Cova's access

8. Deploy Monitor (Write Access)

Cova's Deploy Monitor feature can create or update monitors directly in your monitoring tools. This is the only feature that performs write operations against your tools.

• Opt-in only - Deploy is never triggered automatically. You must explicitly click "Deploy" for each monitor.
• Scoped - Write access is limited to creating and updating monitors/synthetic tests. Cova cannot delete monitors, modify dashboards, or change account settings.
• Audited - Every deploy action is logged with the user, tool, monitor name, and whether it was a create or update operation.
• Reversible - All deployed monitors are tagged with generated-by:cova so you can identify and remove them.
• Currently supported - Datadog. More tools coming soon.

9. Data Retention

Data Type	Retention	Deletion
Account data	While account is active	Deleted within 30 days of request
Analysis history	While account is active	Individual analyses can be deleted anytime
API credentials	While tool is connected	Immediate on disconnect or account deletion
Audit logs	Pro: 30 days, Enterprise: 1 year	Automatic expiry, deleted on account deletion
Login logs	12 months	Automatic expiry
Verification codes	10 minutes	Automatic expiry
Source code	Not persisted	Processed in memory and discarded

When you delete your account, all associated data is cascade-deleted across all database tables. This includes sessions, credentials, analyses, scans, feature grants, team memberships, and usage counters.

10. Audit Logging

All write actions in Cova are logged with structured audit entries that include the user, action type, target, and relevant details. Audited actions include:

• Tool connections and disconnections - which tool, when
• Monitor deployments - monitor name, tool, create vs. update, monitor ID
• Config generation - finding title, target tool
• Admin actions - feature grants/revocations, account deletions, impersonation

Audit logs are stored in our database and available to Pro and Enterprise plan users through the Settings page. Pro plans retain 30 days of audit history. Enterprise plans retain 1 year of audit history.

11. Contact