POVAAI Book a Scoping Call
Security summary

How POVA handles your data

POVA reduces attack surface rather than managing it: air-gapped analysis from static exported data, no network connectivity, no external API dependencies, and no third-party AI models in the analysis path.

Exported snapshots

POVA reads files supplied for analysis. It does not require production credentials, live database access, or continuous monitoring hooks.

No third-party AI path

Customer data is not sent to external model providers during analysis, and customer data is not used to train models.

Offline deliverables

Reports, local finding trees, and optional evidence archives are designed to work without network calls or remote dependencies.

Certifications

Independently certified management systems

Certificates and scope statements are available on request.

ISO/IEC 27001

Information security

Certified information security management system governing how information is protected across the organization.

ISO 22301

Business continuity

Certified business continuity management system for maintaining and recovering operations through disruption.

ISO/IEC 42001

AI management

Certified AI management system covering the responsible development and operation of POVA’s AI systems.

Network isolation

Analysis runs without internet connectivity

Static input only

POVA reads exported snapshots. It does not connect to live databases, streaming sources, or production APIs. Data is frozen at the point of export.

No outbound traffic during analysis

No telemetry, no error reporting, no usage metrics, no background sync. The analysis engine does not initiate any network connections. If a local network is enabled for file transfer, it is a customer-controlled option separate from the analysis path.

Data lifecycle

Three data categories, three handling rules

The exact control set for a given engagement is defined in the engagement documents, including transfer method, operator model, encryption, signing, evidence archive contents, and cleanup process.

CategoryWhat it includesWhere it existsRetention
Source data CSV, Excel, JSON, database dumps, and other structured exports supplied for analysis. Processed within the agreed analysis environment and not sent to third-party services. Removed from POVA-controlled environments after delivery. Customer-managed cleanup follows the documented customer procedure.
Deliverables Static HTML report, local finding tree, optional evidence archive, reviewer materials. Delivered to the customer as self-contained offline files. Owned by the customer. POVA does not retain a copy after delivery unless agreed otherwise.
Audit metadata Hashes, execution timestamps, software version, scope manifest, coverage notes. Embedded in deliverables where applicable. Lives with the deliverables retained by the customer.
Reproducible analysis

Deterministic findings with traceable logic

POVA uses deterministic machine learning, statistical methods, and rule-based logic. The same input and configuration are designed to produce the same result. Each finding maps to source data, rules, thresholds, or scoring context.

+  Same input, same result
+  Source rows → rationale → review action
+  Explainable algorithms, no black-box scoring
+  Audit trail: data fingerprints, timestamps, scope coverage
Analytical safeguards

Decision support, not final judgment

Limitations disclosed

Missing fields, incomplete schemas, excluded scope, and partial coverage are reported rather than hidden.

Thresholds visible

Where thresholds, rules, or detector logic are relevant to a finding, they are included in the report or technical trace.

Human review expected

POVA surfaces patterns and evidence. Business judgment, escalation decisions, and remediation remain with qualified reviewers.

Operator model

Who runs the scan is agreed before processing begins

POVA specialist

A named POVA operator conducts the scan under documented procedures. Run initiator, operator role, execution time, scope manifest, and configuration are recorded in the deliverable: giving separation of duties between the audited organization and the scan operator.

Trained and approved third party

An external operator runs the scan under documented procedures. Suitable when the customer requires independent operation without direct POVA involvement.

Customer-designated operator

A customer-chosen employee or contractor operates the system after receiving training and authorization. The customer retains full control over who has access.

Automated / scheduled

POVA can run on a schedule against new snapshot files placed in a designated local input location. It does not require direct access to live production systems. Suitable for recurring scans with stable data sources and agreed configuration.

Runtime environment

Hardened Linux, container isolation, post-delivery wipe

Container isolation

Each analysis runs in its own container with no shared state and no persistent volumes beyond the scan. The analysis engine and the operator interface are separated.

Post-delivery cleanup

On POVA-managed hardware, source data and the runtime environment are wiped after deliverables are provided. On customer-managed hardware, the cleanup procedure is documented and the customer is responsible for execution.

What leaves the environment

Self-contained offline deliverables with no network behavior

Static HTML report

Summary report viewable in any browser. No scripts that reach external servers. No embedded tracking. Opens and works entirely offline.

Explorable finding tree

A local HTML structure with deeper findings, evidence links, and drill-down navigation. May include local scripts for offline filtering. Does not load remote resources or make network requests.

Evidence archive (optional)

Analysis artifacts, manifests, and reviewer materials in a compressed archive. Inclusion of raw source data or source excerpts is customer-controlled and explicitly defined in scope.

Deployment options

POVA Scan and POVA BOX

POVA Scan

On-premise software

+  Offline analysis from exported data
+  Multiple operator modes
+  Hardened Linux / Docker runtime
+  Static deliverables, no integrations
+  Audit metadata embedded in deliverables
+  Source data removed from POVA-controlled environments after delivery
POVA BOX

Dedicated hardware appliance

+  Everything in POVA Scan, plus:
+  Tamper-evident, tamper-resistant enclosure with detection sensors
+  Network interfaces disabled by default; optional local WPA3 transfer when chosen
+  Built-in secure terminal for report viewing
+  Full disk encryption (AES-256) at rest · signed firmware updates via USB
+  Full environment wipe after each scan cycle
Documentation

Available on request

Security overview document

Detailed architecture and data-handling description beyond this summary page.

Sample data manifest

Example of the audit metadata and scope coverage report included in every deliverable.

Deletion procedure

Step-by-step documentation of how source data is handled and removed after delivery.

Update model

How software and firmware updates are delivered in offline environments.

Security questionnaire

Pre-filled responses to standard vendor security questionnaires (SIG, CAIQ, or custom).

Operator qualification requirements

Training and authorization criteria for third-party and customer-designated operators, including programs administered through POVA Academy.

Engagement control matrix

Shows which controls are baseline and which are engagement-defined, including operator model, signing, encryption, deliverable composition, white-label configuration, and partner or customer operation.

Getting started

Start with a hands-on expert assessment

An expert works through your data with you and maps its potential: what POVA can find in it, which lenses fit, and what a full review would return.

Full population, not a sample Findings tied to source On-prem or air-gapped ISO 27001 · 22301 · 42001 certified
Evidence-grade data review

Start a conversation

Book a Scoping Call

No live system access required.

POVAAI
About Press Security POVA Academy Privacy Terms
© 2026 POVA AI Ltd · Company No. 517311825 · Registered in Israel