KOVATRON
Security & Trust
Last updated: June 2026
Kovatron connects to your marketing platforms and acts on your behalf, so trust is the product. This page explains, in plain terms, how we protect your data and — just as important — the limits we put on what the AI agents can do without you.
🔒 Encrypted at rest & in transit
✋ Agents never auto-spend or auto-publish
🧠 Your data never trains AI models
🗑️ Delete everything anytime
Agent guardrails — what the AI can & can't do
This is the part most "AI marketing" tools don't talk about. Kovatron is designed so the agents recommend and draft, while you decide and approve.
- Never spends ad money. When an agent builds a Meta or LinkedIn ad campaign, it is created PAUSED / as a draft in your ad account and we hand you the Ads Manager link to review and activate. Kovatron never launches a campaign or spends a cent on its own.
- Never publishes without your say-so. The agents post to Facebook, Instagram, or LinkedIn only when you explicitly tell them to. When an agent proposes content on its own, it goes to your Approval Queue to approve, edit, decline, or schedule — nothing goes live unreviewed.
- Draft-and-approve everywhere it counts. Email campaigns (Mailchimp/HubSpot) and blog posts (WordPress) are created as drafts for you to review and send/publish yourself — never sent or published automatically.
- Read-mostly by default. Most connected platforms are used read-only to inform advice. Any write action is scoped, logged, and surfaced to you.
How your data is protected
- Encryption at rest. Your connected-platform access tokens and any API keys are encrypted with AES-256-GCM (authenticated encryption) before they touch our database — they are never stored in plaintext.
- Encryption in transit. All traffic is served over TLS/HTTPS with HSTS enforced.
- Passwords. Hashed with bcrypt — we can never see or recover your password.
- Two-factor authentication. Every login is verified with an emailed one-time code on new devices; administrator accounts additionally use authenticator-app (TOTP) 2FA.
- Payments. Billing runs through Stripe's hosted checkout — your card details go straight to Stripe and never touch Kovatron's servers.
AI & your data
Your conversations and business data are never used to train AI models.
Kovatron runs on Anthropic's Claude API, whose commercial terms prohibit training on data sent through it. We don't train models on your data either — it's used only to answer your prompts and power the features you ask for.
- Your data is used only to provide the service to you — we never sell it or share it for advertising.
- Live platform data is fetched at request time to inform an answer; we cache it briefly for performance, scoped to your account.
- You can delete your conversations and your account — and everything in it — at any time (see "Your controls" below).
Application & infrastructure security
- Tenant isolation. Every request is authenticated and scoped to your account; connected-platform tokens are bound to their owner so one account can never read or act on another's data.
- Request-forgery (SSRF) protection. Any URL the product fetches on your behalf is validated against a rebinding-proof guard that blocks internal/metadata endpoints.
- Output sanitization. Anything rendered in the app is escaped/sanitized to prevent script injection.
- Abuse controls. Authentication, password-reset, and API endpoints are rate-limited; sensitive tokens are signed and short-lived.
- Ongoing review. We run an automated test suite on every change and conduct recurring internal security reviews and red-team assessments, remediating findings before they reach production.
- Hosting & data residency. Application hosting on Vercel; database and file storage on Supabase in the United States (US-East).
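The SSRF bullet above, as an added example that is not Kovatron's own code: one common way to make a URL guard resistant to DNS rebinding is to resolve the host once, reject the URL unless every resolved address is public, and connect to that pinned address instead of resolving again. The names `resolve_and_pin`, `is_public_ip`, `BlockedURL` and `make_flipping_resolver` are hypothetical, and the resolver answers are constructed sample data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class BlockedURL(ValueError):
    """Raised when a URL must not be fetched server-side."""

def is_public_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide an internal IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), shared and reserved ranges.
    return ip.is_global

def resolve_and_pin(url, resolver=socket.getaddrinfo):
    """Validate url and return (host, port, pinned_ip).

    The caller connects to pinned_ip and sends `host` as Host header / TLS SNI,
    so a second DNS answer (the rebinding step) is never consulted.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise BlockedURL("scheme or host not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Checking the resolved addresses (not the URL text) also covers odd
    # spellings of internal IPs such as decimal or hex host names.
    infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    ips = [info[4][0] for info in infos]
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise BlockedURL("host resolves to a non-public address")
    return parts.hostname, port, ips[0]

def make_flipping_resolver(answers):
    """Constructed stand-in for DNS: each call returns the next answer list."""
    calls = []
    def resolver(host, port, **kwargs):
        ips = answers[min(len(calls), len(answers) - 1)]
        calls.append(host)
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]
    resolver.calls = calls
    return resolver
```

Redirects need the same treatment: each redirect target is a new URL and goes through `resolve_and_pin` again before it is followed.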
Your controls
- Export your data on request.
- Delete your account and all associated data instantly from Settings → Privacy.
- Disconnect any platform integration at any time — its stored token is removed.
- See our Data Deletion page for step-by-step instructions.
Subprocessors
We use a small set of trusted infrastructure providers to deliver Kovatron. Each processes data only as needed to provide its service.
| Provider | Purpose | Region |
| --- | --- | --- |
| Anthropic | AI model (Claude) that powers agent responses | USA |
| Supabase | Database & encrypted file storage | USA |
| Vercel | Application hosting & edge delivery | USA / Global |
| Stripe | Subscription billing & payment processing | USA / Global |
| Resend | Transactional & notification email | USA |
| Perplexity | Live web search & AI-visibility (GEO) checks — only when those features run | USA |
| Replicate | AI image generation — only when you generate an image | USA |
| Pexels | Stock-photo search — only when you search stock | USA |
Marketing platforms you connect yourself (Google, Meta, LinkedIn, Mailchimp, HubSpot, Klaviyo, Shopify, WooCommerce, Magento, WordPress, YouTube) are not subprocessors — Kovatron exchanges data with them only at your direction, using the access you grant.
Data processing & DPA
For business customers, our Data Processing Addendum sets out how Kovatron processes personal data on your behalf as a processor, including security measures, subprocessors, and international-transfer terms. A signed copy is available on request — email hello@kovatron.com.
Reporting a vulnerability
If you believe you've found a security issue, please email hello@kovatron.com with the details and steps to reproduce. We investigate every report, won't pursue good-faith researchers who follow responsible disclosure, and will keep you updated on the fix.
Contact
Security or privacy questions:
hello@kovatron.com
www.kovatron.com