Security Summary

How POVA Handles Your Data

POVA's baseline model analyzes exported data snapshots in isolated environments without live production access or third-party AI in the analysis path. Deliverables are self-contained offline files. POVA does not retain source data, deliverables, or scan metadata after delivery. Ordinary business records associated with the engagement are retained separately.

Scope. This page describes the security properties of the POVA analysis runtime used during customer engagements. The public website (pova.ai) and scheduling tools are separate systems with their own infrastructure.

This page describes POVA's baseline secure operating model and the control options commonly available. The exact control set for a given engagement — including operator model, transfer method, deliverable format, signing, encryption, evidence archive contents, white-label configuration, and specialized analytical workflows — is defined in the engagement documents.

Last updated: April 12, 2026

01

Data Lifecycle

Three categories of data exist during a POVA engagement. Each has a different handling rule.

Source data
  What it includes: Customer-exported files: CSV, Excel, JSON, database dumps, and other structured exports provided for analysis
  Where it exists: Processed within the analysis environment and not sent to third-party services. In POVA-managed deployments, POVA does not create external backups of source data.
  Retention: Removed from POVA-controlled environments after delivery. In customer-managed deployments, cleanup follows the documented customer-executed procedure.

Deliverables
  What it includes: Static HTML report, explorable local HTML finding tree, optional evidence archive containing analysis artifacts and reviewer materials agreed for the engagement
  Where it exists: Delivered to the customer. Self-contained offline files with no external references, no callback mechanisms, and no network dependency. Some deliverables may include local scripts for offline navigation.
  Retention: Owned by the customer. POVA does not retain a copy after delivery.

Audit metadata
  What it includes: Data fingerprints (hashes), execution timestamps, software version, configuration, scope manifest, operator identity, coverage notes
  Where it exists: Embedded within the deliverables themselves.
  Retention: Lives with the deliverables. POVA does not retain a separate copy after delivery. Future review, re-validation, or evidentiary preservation depends on the customer retaining the deliverables and manifest.

POVA does not retain customer source data, deliverables, or scan metadata after delivery. Standard business records associated with the engagement — including agreements, invoices, payment records, and business communications related to scan needs — may be retained in the ordinary course.

02

Network Isolation

No internet connectivity is required during analysis. POVA processes exported data locally. The customer may optionally enable a local network connection for file transfer in and out, but analysis does not depend on it. There are no calls to external APIs, cloud services, or third-party endpoints during processing.

Static input only
POVA reads exported snapshots. It does not connect to live databases, streaming sources, or production APIs. Data is frozen at the point of export.
No outbound traffic during analysis
No telemetry, no error reporting, no usage metrics, no background sync. The analysis engine does not initiate any network connections. If a local network is enabled for file transfer, it is a customer-controlled option separate from the analysis path.

03

Reproducible Analysis

POVA uses deterministic machine learning, statistical methods, and rule-based logic. The same input and configuration produce the same result. Each finding maps to source data, rules, or thresholds. No generative AI, no third-party models, no opaque neural networks in the analysis pipeline.

Per-finding rationale
Every anomaly, risk score, and finding links to specific data points and the logic that produced it. Auditors and stakeholders can trace exactly how a conclusion was reached.
No third-party AI in the analysis path
POVA does not call external AI models during analysis. No data is sent to model providers. No prompt injection surface. Customer data is not used to train, fine-tune, or evaluate any model.

04

Analytical Safeguards

POVA's output is decision support, not final judgment. The system is designed to surface what it found, disclose what it could not analyze, and make the basis for every finding inspectable.

Limitations disclosed
Missing data, incomplete schemas, and excluded scope are reported explicitly. The deliverable states what was analyzed and what was not. Partial coverage is never presented as complete analysis.
Thresholds and rules visible
The configuration and logic behind findings are documented in the deliverable. Reviewers can inspect what triggered a finding and whether the threshold is appropriate for their context.
Human review expected
Findings are intended for review by qualified people who understand the business context. POVA surfaces patterns and anomalies. The decision about what to act on remains with the customer.

POVA is an audit and investigation support system. It reduces exposure and improves reviewability, but it does not guarantee detection of every issue or compliance with any specific law, framework, or reporting standard.

05

Operator Model

POVA supports multiple operation modes depending on the engagement. The scan can be run by a POVA specialist, by a trained and approved third party, by a customer-designated operator, on an automated schedule, or by a combination of these. The operator model is agreed before the engagement begins. Some controls depend on deployment model and operator mode. Customer-managed infrastructure, local backup behavior, and cleanup execution remain under customer control unless otherwise agreed.

POVA specialist
A named POVA operator conducts the scan under documented procedures. This provides separation of duties between the audited organization and the scan operator. Run initiator, operator role, execution time, scope manifest, and configuration are recorded in the deliverable.
Trained and approved third party
A trained and approved external operator runs the scan. Suitable when the customer requires independent operation without direct POVA involvement.
Customer-designated operator
A customer-chosen employee or contractor operates the system after receiving training and authorization. The customer retains full control over who has access.
Automated / scheduled
POVA can run on a schedule against new snapshot files placed in a designated local input location. It does not require direct access to live production systems. Suitable for recurring scans with stable data sources and agreed configuration.

Specialized analytical recipes, white-label deployments, or customer-specific workflows may change the operator model, deliverable composition, or applied controls. Any deviations from the baseline model are agreed and documented before processing begins. In all modes, run initiator, operator role, execution time, scope manifest, and configuration are recorded in the deliverable's audit metadata. Where agreed for the engagement, deliverables can include a signed manifest containing file hashes, execution metadata, and scope information. The customer holds this record.

06

Runtime Environment

POVA's analysis engine runs on a hardened Linux OS inside isolated Docker containers, stripped to the minimum required for processing. The operator interacts through a secured control interface. On POVA-managed hardware, the runtime is wiped after report delivery.

Container isolation
Each analysis runs in its own container with no shared state and no persistent volumes beyond the scan. The analysis engine and the operator interface are separated.
Post-delivery cleanup
On POVA-managed hardware, source data and the runtime environment are wiped after deliverables are provided. On customer-managed hardware, the cleanup procedure is documented and the customer is responsible for execution.

Deliverables

What Leaves the Environment

POVA deliverables are self-contained offline files with no external references, no callback mechanisms, and no network dependency. Some deliverables may include local scripts for offline navigation, but they do not make remote requests.

Static HTML report
Summary report viewable in any browser. No scripts that reach external servers. No embedded tracking. Opens and works entirely offline.
Explorable finding tree
A local HTML structure with deeper findings, evidence links, and drill-down navigation. May include local scripts for offline filtering and drill-down. Does not load remote resources or make network requests.
Evidence archive (optional)
Analysis artifacts, manifests, and reviewer materials in a compressed archive. Inclusion of raw source data or source excerpts is customer-controlled and explicitly defined in scope.

Although deliverables contain no network behavior, they may contain sensitive business information and should be stored and shared under the customer's normal data-classification controls. Deliverable composition is defined per engagement and may vary for white-label workflows, specialized analytical recipes, or customer review requirements. Where agreed for the engagement, deliverables can be encrypted and access-restricted. Key management and authentication method are defined per engagement.
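
A customer-side check of the "no external references" property described above, as an added example (not POVA's code or tooling): a Python scanner that flags remote URLs, remote CSS references, meta refreshes, and network-capable script APIs in an HTML deliverable. The class and function names and the sample input are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser may fetch or navigate to.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster", "srcset"}
# Absolute network URL or protocol-relative reference (//host/path).
REMOTE = re.compile(r"\s*(?:(?:https?|wss?|ftp):)?//", re.I)
CSS_REMOTE = re.compile(r"(?:url\(|@import)\s*['\"]?\s*(?:(?:https?|ftp):)?//", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?\s*(?:https?:)?//", re.I)
NET_API = re.compile(r"\b(?:fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b")

class RemoteRefScanner(HTMLParser):
    """Collects (line, kind, detail) for anything that could reach the network."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._raw = None  # "script" or "style" while inside that element

    def _add(self, kind, detail):
        self.findings.append((self.getpos()[0], kind, detail[:80]))

    def handle_starttag(self, tag, attrs):
        self._raw = tag if tag in ("script", "style") else self._raw
        for name, value in attrs:
            value = value or ""
            parts = value.split(",") if name == "srcset" else [value]
            if name in URL_ATTRS and any(REMOTE.match(p) for p in parts):
                self._add("remote-url", f"<{tag} {name}={value!r}>")
            elif name == "style" and CSS_REMOTE.search(value):
                self._add("remote-css", f"<{tag} style=...>")
            elif tag == "meta" and name == "content" and META_URL.search(value):
                self._add("meta-refresh", value)

    def handle_endtag(self, tag):
        self._raw = None if tag == self._raw else self._raw

    def handle_data(self, data):
        if self._raw == "style" and CSS_REMOTE.search(data):
            self._add("remote-css", "<style> block")
        for m in (NET_API.finditer(data) if self._raw == "script" else ()):
            self._add("network-api", m.group(0))  # heuristic; review each hit

def scan_deliverable(html_text):
    scanner = RemoteRefScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

SAMPLE = '<script src="//cdn.example/lib.js"></script><script>fetch("/x")</script>'  # constructed
```

Calling scan_deliverable on the text of each HTML file in a deliverable returns an empty list when nothing is flagged; relative paths, fragment links, and inline data: URIs are treated as local.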

Deployment Options

POVA Scan vs POVA BOX

The same analysis engine runs across both deployment models. POVA BOX adds physical hardening.

POVA Scan
On-Premise Software
POVA's analysis engine deployed on client infrastructure or a POVA-managed workstation.
  • Offline analysis from exported data
  • Multiple operator modes
  • Hardened Linux / Docker runtime
  • Static deliverables, no integrations
  • Audit metadata embedded in deliverables
  • Source data removed from POVA-controlled environments after delivery

POVA BOX
Dedicated Hardware Appliance
All POVA Scan properties, plus physical hardening. Available in three form factors: Mini, Pro, and Vault.
  • Everything in POVA Scan, plus:
  • Tamper-evident, tamper-resistant enclosure
  • Tamper-detection sensors
  • Network interfaces disabled by default; optional local WPA3 transfer when customer chooses that workflow
  • Built-in secure terminal for report viewing
  • Full disk encryption (AES-256) at rest
  • Signed firmware updates via USB
  • Full environment wipe after each scan cycle

Documentation

Available on Request

The following materials are available to qualified prospects and customers. Some items are available under NDA.

Security overview document
Detailed architecture and data handling description beyond this summary page.
Sample data manifest
Example of the audit metadata and scope coverage report included in every deliverable.
Deletion procedure
Step-by-step documentation of how source data is handled and removed after delivery.
Update model
How software and firmware updates are delivered in offline environments.
Security questionnaire
Pre-filled responses to standard vendor security questionnaires (SIG, CAIQ, or custom).
Operator qualification requirements
Training and authorization criteria for third-party and customer-designated operators, including programs administered through POVA Academy.
Engagement control matrix
Shows which controls are baseline and which are engagement-defined, including operator model, signing, encryption, deliverable composition, white-label configuration, and partner or customer operation.

Security Review Requests
Security questions, documentation requests, and engagement-specific security reviews are handled directly by POVA leadership through scheduled consultation. Book a call to request a review. Detailed materials are shared selectively and, where appropriate, under NDA. This route is used for prospects, customers, audit firms, investigation bodies, and board-approved consultants.

POVA AI Ltd does not currently hold ISO/IEC 27001 certification and does not currently provide a SOC 2 report. If this is a procurement requirement, we are happy to discuss our roadmap and provide the documentation listed above.