Security

Security at Knovari

Knovari detects and sanitises confidential content in PowerPoint deliverables for consulting firms. Our customers' entire business rests on client confidentiality, so the product was designed around one question from day one: where does the client's data go, and who can touch it?

The short answer: in our enterprise deployment model, it never leaves your infrastructure.

Knovari is delivered as a PowerPoint plugin and a web app.

At a glance

  • SOC 2 in progress via Vanta, with our live Trust Centre at trust.knovari.ai
  • Independently penetration tested
  • Enterprise deployment runs inside your own cloud tenancy
  • TLS 1.2+ in transit, AES-256 at rest
  • GDPR: you are Controller, Knovari is Processor (Article 28)

Deployment: your tenancy, not ours

For enterprise customers, Knovari deploys into your own Azure (or AWS) tenancy: a private cloud inside your VPC. All sanitisation processing runs inside your infrastructure. For model inference, Knovari provisions your own isolated instances of the frontier-model endpoints it uses for text and vision analysis (Azure OpenAI and Anthropic), dedicated to your deployment and configured for zero data retention: nothing sent for analysis is stored by the model provider. You own the keys and are billed directly for inference. In this deployment model, model calls only ever hit your own isolated endpoints: no customer document data passes through Knovari's own infrastructure.

Where a customer chooses managed hosting instead, we host on Microsoft Azure, default region EU West Europe, with paired regions more than 200 km apart for geo-redundancy. Alternative regions are provisionable. Subprocessors for our managed service are listed publicly in our Trust Centre.

Data handling

  • You own your data, always. All customer content remains the customer's sole property. Knovari holds only the limited processing rights needed to deliver the service.
  • Never used for training. Customer content is not used to train Knovari's models, and is not shared with any third party without your written consent.
  • Purpose limitation. Processing is scoped to sanitisation of PowerPoint content. Only content required for analysis is transmitted, and intermediate artefacts are purged once the service is delivered.
  • Deletion is real deletion. Hard, irreversible deletion by default and on request, with cryptographic erasure of storage media. Every deletion is logged, and a deletion certificate is available on request.
  • Data residency. In a private-cloud deployment, data stays in the Azure or AWS region you choose. For managed hosting the default is EU West Europe. Standard Contractual Clauses (Module 2) and the UK IDTA apply for any incidental data under the DPA.
  • GDPR roles. For sanitisation work, you are Controller and Knovari is Processor under Article 28 GDPR. We are accustomed to signing customers' own Vendor DPAs.

Security controls

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Authentication: Microsoft Entra ID (Azure AD) via OAuth 2.0. MFA is enforced by your own M365 tenant policy. Session tokens are validated per request with expiry. Role-based access control.
  • Audit logging: structured JSON audit logs covering authentication, admin actions, data access, deletions, API and pipeline events. Logs are shippable to your SIEM via an Azure Log Analytics workspace, with syslog forwarding available.
  • Vulnerability management: a vulnerability management programme is in place, monitored continuously through Vanta.
  • Resilience: multi-zone Azure deployment, automated database failover, continuous point-in-time database recovery, and daily storage and configuration backups. Disaster recovery is documented in our Trust Centre.

Independent assurance

  • SOC 2 in progress via Vanta. Our controls, policies and their evidence are continuously monitored and viewable now at our Trust Centre: trust.knovari.ai.
  • Penetration testing. Independently penetration tested. The full report is available under NDA.
  • Vendor risk assessments. Knovari has passed the formal third-party risk assessment of an MBB subsidiary.

Business continuity, including ours

A question serious buyers ask early-stage vendors, so here is the answer up front: your data survives independently of Knovari's corporate status. Content is exportable at any time in PPTX, PDF and JSON. On termination you have a minimum 30-day export window, extendable to 90. In a private-cloud deployment, the infrastructure and data sit in your own tenancy and persist regardless of Knovari, subject only to your own hosting fees.

Want more detail?

Most of it is already in our Trust Centre at trust.knovari.ai: controls, policies, live evidence and our subprocessor list, with access to gated documents granted under NDA. Under NDA we can also share the full penetration test report and a detailed deployment architecture and data-flow description.

Contact: wes@knovari.ai