Encryption at rest and in transit
All data is encrypted at rest with AES-256-GCM using envelope encryption; each tenant has isolated keys. All traffic uses TLS 1.3. Cryptographic keys are never stored in plaintext.
Last updated: February 2026
How we protect your data, from cryptographic design to infrastructure operations.
Encryption keys are protected using ML-KEM-768 (FIPS 203), the NIST-standardised post-quantum key encapsulation mechanism. Classical and quantum-safe encryption are applied together.
All servers run on Scaleway in France and the Netherlands. Data never leaves the EU. No US cloud services, no third-party data processors outside Europe.
Role-based access control with MFA enforced for all admin operations. Every action is recorded in an immutable audit log with 7-year retention. Suspicious activity triggers alerts.
If you discover a security vulnerability, please contact us at it@kovimatic.ie. We review all reports within 24 hours and will keep you updated on resolution progress.