How POVA handles your data
POVA analyzes exported data snapshots in isolated environments without live production access or third-party AI in the analysis path. The same handling applies across all five reviews: Operational & Financial, Process & Efficiency, Cyber, Data Access, and Document & Data Conformance. Deliverables are self-contained offline files.
Exported snapshots
POVA reads files supplied for analysis. It does not require production credentials, live database access, or continuous monitoring hooks.
No third-party AI path
Customer data is not sent to external model providers during analysis, and customer data is not used to train models.
Offline deliverables
Reports, local finding trees, and optional evidence archives are designed to work without network calls or remote dependencies.
Independently certified management systems
POVA AI Ltd is certified to the three standards below. Certificates and scope statements are available on request; check the scope statement covers the services you are buying, not only the corporate office.
Information security (ISO/IEC 27001)
Certified information security management system governing how information is protected across the organization.
Business continuity (ISO 22301)
Certified business continuity management system for maintaining and recovering operations through disruption.
AI management (ISO/IEC 42001)
Certified AI management system covering the responsible development and operation of POVA's AI systems.
Analysis runs without internet connectivity
POVA processes exported data locally. The customer may optionally enable a local network for file transfer in and out, but analysis does not depend on it. There are no calls to external APIs, cloud services, or third-party endpoints during processing.
Static input only
POVA reads exported snapshots. It does not connect to live databases, streaming sources, or production APIs. Data is frozen at the point of export.
No outbound traffic during analysis
No telemetry, no error reporting, no usage metrics, no background sync. The analysis engine does not initiate any network connections. If a local network is enabled for file transfer, it is a customer-controlled option separate from the analysis path.
Three data categories, three handling rules
The exact control set for a given engagement is defined in the engagement documents, including transfer method, operator model, encryption, signing, evidence archive contents, and cleanup process.
| Category | What it includes | Where it exists | Retention |
|---|---|---|---|
| Source data | CSV, Excel, JSON, database dumps, and other structured exports supplied for analysis. | Processed within the agreed analysis environment and not sent to third-party services. | Removed from POVA-controlled environments after delivery. Customer-managed cleanup follows the documented customer procedure. |
| Deliverables | Static HTML report, local finding tree, optional evidence archive, reviewer materials. | Delivered to the customer as self-contained offline files. | Owned by the customer. POVA does not retain a copy after delivery unless agreed otherwise. |
| Audit metadata | Hashes, execution timestamps, software version, scope manifest, coverage notes. | Embedded in deliverables where applicable. | Lives with the deliverables retained by the customer. |
Deterministic findings with traceable logic
POVA uses deterministic machine learning, statistical methods, and rule-based logic. The same input and configuration are designed to produce the same result. Each finding maps to source data, rules, thresholds, or scoring context.
Source rows → rationale → review action
Decision support, not final judgment
Limitations disclosed
Missing fields, incomplete schemas, excluded scope, and partial coverage are reported rather than hidden.
Thresholds visible
Where thresholds, rules, or detector logic are relevant to a finding, they are included in the report or technical trace.
Human review expected
POVA surfaces patterns and evidence. Business judgment, escalation decisions, and remediation remain with qualified reviewers.
POVA is an audit and investigation support system. It reduces exposure and improves reviewability, but it does not guarantee detection of every issue or compliance with any specific law, framework, or reporting standard.
Who runs the scan is agreed before processing begins
POVA supports multiple operation modes. The operator model is agreed before the engagement and recorded in the deliverable. Some controls depend on deployment model and operator mode. Customer-managed infrastructure, local backup behavior, and cleanup execution remain under customer control unless otherwise agreed.
POVA specialist
A named POVA operator conducts the scan under documented procedures. Run initiator, operator role, execution time, scope manifest, and configuration are recorded in the deliverable — giving separation of duties between the audited organization and the scan operator.
Trained and approved third party
An external operator runs the scan under documented procedures. Suitable when the customer requires independent operation without direct POVA involvement.
Customer-designated operator
A customer-chosen employee or contractor operates the system after receiving training and authorization. The customer retains full control over who has access.
Automated / scheduled
POVA can run on a schedule against new snapshot files placed in a designated local input location. It does not require direct access to live production systems. Suitable for recurring scans with stable data sources and agreed configuration.
Specialized analytical recipes, white-label deployments, or customer-specific workflows may change the operator model, deliverable composition, or applied controls. Any deviations from the baseline are agreed and documented before processing begins. Where agreed for the engagement, deliverables can include a signed manifest containing file hashes, execution metadata, and scope information. The customer holds this record.
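The audit metadata in the table above (file hashes, software version, execution timestamp, scope manifest) and the signed manifest described here are only useful if the customer actually checks the delivered files against them. The script below is an added example of that check, not POVA's own tooling. The manifest layout is an assumption: a `manifest.json` at the root of the deliverable set listing relative paths with SHA-256 digests plus `software_version`, `executed_at` and a `scope` object. The sample deliverable it writes into a temporary directory is constructed for the example. Verifying the signature over the manifest itself is engagement-specific (key type and distribution are defined per engagement) and is not shown.

```python
"""Verify a deliverable set against its audit-metadata manifest.

Added example, not POVA's own code. The manifest format (manifest.json with a
"files" map of relative path -> hex SHA-256, plus version, timestamp and scope)
is an assumption; the page only states that hashes, execution metadata and
scope information are embedded in the deliverables.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_deliverables(root: Path, manifest_name: str = "manifest.json") -> dict:
    """Compare every file under root with the digests recorded in the manifest.

    Returns lists of 'ok', 'mismatch' (digest differs), 'missing' (listed but
    absent) and 'unlisted' (present but not in the manifest). A clean delivery
    has only 'ok' entries; anything else means the set was altered, truncated
    or padded after the run, and the signature check (not shown) would fail.
    """
    manifest = json.loads((root / manifest_name).read_text())
    listed = manifest["files"]
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": [],
              "version": manifest.get("software_version"),
              "run_at": manifest.get("executed_at")}
    for rel, expected in listed.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == expected.lower():
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel != manifest_name and rel not in listed:
                result["unlisted"].append(rel)
    return result


def write_sample_delivery(root: Path) -> None:
    """Write a constructed deliverable set and its manifest into root."""
    files = {
        "report.html": b"<html><body><h1>Constructed sample report</h1></body></html>\n",
        "findings/tree.html": b"<html><body>Constructed finding tree</body></html>\n",
    }
    digests = {}
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        digests[rel] = hashlib.sha256(data).hexdigest()
    manifest = {"software_version": "0.0-example",
                "executed_at": "2024-01-01T00:00:00Z",
                "scope": {"note": "constructed sample, not a real run"},
                "files": digests}
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))


def demo():
    """Verify a clean delivery, then the same delivery after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_sample_delivery(root)
        clean = verify_deliverables(root)
        # Simulate post-delivery alteration: edit the report, add a stray file.
        (root / "report.html").write_bytes(b"<html>altered</html>\n")
        (root / "notes.txt").write_bytes(b"not part of the run\n")
        tampered = verify_deliverables(root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

Run the check on the files exactly as received, before anyone opens the report, and keep the result with the engagement record; an `unlisted` entry is as important as a `mismatch`, since it means something reached the customer that the scan did not produce.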
Hardened Linux, container isolation, post-delivery wipe
POVA's analysis engine runs on a hardened Linux OS inside isolated Docker containers, stripped to the minimum required for processing. The operator interacts through a secured control interface. On POVA-managed hardware, the runtime is wiped after report delivery.
Container isolation
Each analysis runs in its own container with no shared state and no persistent volumes beyond the scan. The analysis engine and the operator interface are separated.
Post-delivery cleanup
On POVA-managed hardware, source data and the runtime environment are wiped after deliverables are provided. On customer-managed hardware, the cleanup procedure is documented and the customer is responsible for execution.
Self-contained offline deliverables with no network behavior
POVA deliverables have no external references, no callback mechanisms, and no network dependency. Some deliverables may include local scripts for offline navigation, but they do not make remote requests.
Static HTML report
Summary report viewable in any browser. No scripts that reach external servers. No embedded tracking. Opens and works entirely offline.
Explorable finding tree
A local HTML structure with deeper findings, evidence links, and drill-down navigation. May include local scripts for offline filtering. Does not load remote resources or make network requests.
Evidence archive (optional)
Analysis artifacts, manifests, and reviewer materials in a compressed archive. Inclusion of raw source data or source excerpts is customer-controlled and explicitly defined in scope.
Although deliverables contain no network behavior, they may contain sensitive business information and should be stored and shared under the customer's normal data-classification controls. Where agreed for the engagement, deliverables can be encrypted and access-restricted; key management and authentication method are defined per engagement.
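"No external references, no callback mechanisms" is a claim a reviewer can test before the report is opened on a workstation with network access. The scanner below is an added example, not POVA's tooling: it walks an HTML deliverable with the standard-library parser and reports every attribute, CSS reference, meta refresh or inline-script API that could cause a browser to contact a remote host. The two sample documents are constructed for the example, and the `example.net` hosts in them are placeholders. A hit is a finding to review, not proof of exfiltration; `fetch("findings.json")` of a local file is legitimate offline filtering, which is why script hits are reported separately from remote URLs.

```python
"""Scan an HTML deliverable for references that could reach the network.

Added example, not POVA's own code. Run it over a delivered report or finding
tree before accepting the "no network behavior" claim. The sample documents
at the bottom are constructed for this example.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Attributes whose value the browser will fetch or navigate to.
FETCH_ATTRS = {"src", "href", "action", "formaction", "data", "poster",
               "srcset", "ping", "background"}
# Inline-script calls that open a connection; each hit needs human review.
NETWORK_APIS = re.compile(
    r"\b(?:fetch|XMLHttpRequest|WebSocket|EventSource|importScripts"
    r"|navigator\.sendBeacon)\b|\bimport\s*\(")
# scheme://host or protocol-relative //host; anything else is treated as local.
REMOTE_URL = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)
LOCAL_SCHEMES = re.compile(r"^(?:#|data:|mailto:|javascript:|about:)", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)|@import\s+['\"]([^'\"]+)", re.IGNORECASE)


class NetworkRefScanner(HTMLParser):
    """Collects (line, kind, detail) for every reference that is not local."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in = None  # "script" or "style" while inside that element

    def _check_url(self, tag, attr, url):
        url = url.strip()
        if not url or LOCAL_SCHEMES.match(url):
            return
        if url.lower().startswith("file:"):
            kind = "absolute-file-ref"  # not network, but not self-contained either
        elif REMOTE_URL.match(url):
            kind = "remote-ref"
        else:
            return
        self.findings.append((self.getpos()[0], kind, f"<{tag} {attr}={url!r}>"))

    def _scan_css(self, tag, css):
        for m in CSS_URL.finditer(css):
            self._check_url(tag, "css", m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._in = tag
        for name, value in attrs.items():
            if name in FETCH_ATTRS:
                # srcset is "url 1x, url 2x"; every other attribute is one URL.
                urls = ([p.split()[0] for p in value.split(",") if p.split()]
                        if name == "srcset" else [value])
                for u in urls:
                    self._check_url(tag, name, u)
            elif name == "style":
                self._scan_css(tag, value)
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content", ""), re.IGNORECASE)
            if m:
                self._check_url(tag, "refresh", m.group(1).strip("'\" "))

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "script":
            for m in NETWORK_APIS.finditer(data):
                self.findings.append((self.getpos()[0], "script-network-api", m.group(0)))
        elif self._in == "style":
            self._scan_css("style", data)


def scan_html(html_text):
    scanner = NetworkRefScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings by kind; a self-contained deliverable yields {}."""
    return dict(Counter(kind for _, kind, _ in findings))


# Constructed sample: local assets only, inline script that only filters rows.
CLEAN_REPORT = """<!doctype html>
<html><head><title>Constructed sample report</title>
<link rel="stylesheet" href="assets/report.css">
<style>body { background: url(assets/bg.png); }</style>
<script src="assets/filter.js"></script>
<script>document.querySelectorAll("tr.low").forEach(r => { r.hidden = true; });</script>
</head><body>
<a href="findings/tree.html">Finding tree</a>
<img alt="" src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

# Constructed sample of what a reviewer must reject: CDN script, remote font,
# tracking pixel, meta redirect and an inline beacon.
CALLING_HOME = """<!doctype html>
<html><head><meta http-equiv="refresh" content="30; url=https://portal.example.net/">
<style>@font-face { src: url(https://fonts.example.net/a.woff2); }</style>
<script src="https://cdn.example.net/lib.js"></script>
<script>fetch("https://api.example.net/ping", {method: "POST"});</script>
</head><body>
<img alt="" src="//telemetry.example.net/px.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_REPORT), ("calling-home", CALLING_HOME)):
        print(name, summarize(scan_html(doc)), *scan_html(doc), sep="\n  ")
```

Run it over every `.html` file in the report and the finding tree, and treat any `remote-ref` as a stop until explained; opening the report with the workstation's network disabled is the complementary dynamic check. The scanner does not execute JavaScript, so obfuscated or string-assembled URLs inside a script would only surface through the API-name heuristic.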
POVA Scan and POVA BOX
The same analysis engine can run across agreed software or appliance models. POVA BOX adds a dedicated hardware appliance option for physically controlled environments.
On-premise software
- Offline analysis from exported data
- Multiple operator modes
- Hardened Linux / Docker runtime
- Static deliverables, no integrations
- Audit metadata embedded in deliverables
- Source data removed from POVA-controlled environments after delivery
Dedicated hardware appliance
- Everything in POVA Scan, plus:
- Tamper-evident, tamper-resistant enclosure
- Tamper-detection sensors
- Network interfaces disabled by default; optional local WPA3 transfer when chosen
- Built-in secure terminal for report viewing
- Full disk encryption (AES-256) at rest
- Signed firmware updates via USB
- Full environment wipe after each scan cycle
Available on request
The following materials are available to qualified prospects and customers. Some items are available under NDA.
Security overview document
Detailed architecture and data-handling description beyond this summary page.
Sample data manifest
Example of the audit metadata and scope coverage report included in every deliverable.
Deletion procedure
Step-by-step documentation of how source data is handled and removed after delivery.
Update model
How software and firmware updates are delivered in offline environments.
Security questionnaire
Pre-filled responses to standard vendor security questionnaires (SIG, CAIQ, or custom).
Operator qualification requirements
Training and authorization criteria for third-party and customer-designated operators, including programs administered through POVA Academy.
Engagement control matrix
Shows which controls are baseline and which are engagement-defined, including operator model, signing, encryption, deliverable composition, white-label configuration, and partner or customer operation.
Security questions, documentation requests, and engagement-specific security reviews are handled directly by POVA leadership through scheduled consultation. Book a call to request a review. Detailed materials are shared selectively and, where appropriate, under NDA. POVA AI Ltd is certified to ISO/IEC 27001 (information security), ISO 22301 (business continuity), and ISO/IEC 42001 (AI management); certificates and scope statements are available on request. POVA does not currently provide a SOC 2 report. If that is a procurement requirement, we are happy to discuss our roadmap and provide the documentation listed above.
