Security & Trust

Kevala runs on your infrastructure, on your terms.

Last reviewed: May 2026.

Sovereignty by design

A GRC tool you can't trust isn't worth the controls it tracks. Kevala's posture starts with three commitments.

Runs on your infrastructure

Self-hosted on a VM, server, or air-gapped network. No vendor-side database, no shared tenancy, no cloud dependency to operate.

No phone-home, no telemetry

The application does not contact Kevala servers in normal operation. No usage analytics, no tracking pixels, no anonymous metrics.

External integrations are opt-in

LDAP, ticketing, vulnerability scanners, and asset connectors are off by default. Each requires explicit credentials and enablement.

How we protect data

Concrete controls built into the application, not marketing claims.

Authentication & MFA

Strong password policy (length and complexity enforced), forced password change on first login, optional TOTP multi-factor with one-time backup codes, single-use password-reset tokens with short expiry.

Role-based access control

Named roles (Admin, GRC Manager, Risk Owner, Control Owner, Auditor, Executive, User) with dot-notation permissions. Routes enforce roles and permissions via decorators, not on the client.
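As an added illustration (not Kevala's code), the shape of a server-side dot-notation permission check: roles map to permission patterns, `HasPermission` is the one decision point, and `RequirePermission` wraps a route handler so the check runs before any handler code, which is the Go equivalent of the route decorators described above. The role names are the ones listed on this page; the permission strings, the `<area>.*` wildcard convention, and the context helper are assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"strings"
)

// rolePermissions is a constructed illustration of dot-notation permissions.
// The role names are the ones the page lists; the permission strings and the
// "<area>.*" wildcard convention are assumptions made for this example.
var rolePermissions = map[string][]string{
	"Admin":         {"*"},
	"GRC Manager":   {"controls.*", "risks.*", "evidence.*", "reports.read"},
	"Risk Owner":    {"risks.read", "risks.update", "evidence.read"},
	"Control Owner": {"controls.read", "controls.update", "evidence.*"},
	"Auditor":       {"controls.read", "risks.read", "evidence.read", "audit.read"},
	"Executive":     {"reports.read", "risks.read"},
	"User":          {"controls.read"},
}

// matches reports whether a granted pattern covers the requested permission.
// "*" covers everything; "risks.*" covers any permission under "risks.".
func matches(granted, requested string) bool {
	if granted == "*" || granted == requested {
		return true
	}
	if strings.HasSuffix(granted, ".*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(granted, "*"))
	}
	return false
}

// HasPermission is the single server-side decision point. Unknown roles and
// unknown permissions both fail closed.
func HasPermission(role, requested string) bool {
	for _, granted := range rolePermissions[role] {
		if matches(granted, requested) {
			return true
		}
	}
	return false
}

type roleKey struct{}

// WithRole attaches the authenticated user's role to the request, the way an
// authentication middleware would after validating the session cookie. The role
// comes from the server-side session record, never from anything the client sends.
func WithRole(r *http.Request, role string) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), roleKey{}, role))
}

// RequirePermission wraps a handler so the check runs on the server for every
// request: the handler body is never reached without the permission.
func RequirePermission(perm string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, _ := r.Context().Value(roleKey{}).(string)
		if !HasPermission(role, perm) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func main() {
	for _, tc := range []struct{ role, perm string }{
		{"Auditor", "risks.read"},
		{"Auditor", "risks.update"},
		{"Risk Owner", "risks.update"},
		{"Guest", "controls.read"},
	} {
		fmt.Printf("%-10s %-15s allowed=%v\n", tc.role, tc.perm, HasPermission(tc.role, tc.perm))
	}
}
```

The point worth copying is the fail-closed default: a role that is not in the table, or a request with no role in its context, gets a 403 rather than falling through to the handler.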

Audit log

Every create, update, delete, login, and approval recorded with user, timestamp, entity, and IP. Append-only at the application layer; retention is configurable. Exportable for SIEM or auditor handoff.

Transport security

HTTPS by default. Session cookies set HttpOnly, Secure, SameSite=Lax. CSRF tokens enforced on every state-changing request. Sessions rotated on authentication.
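An added example (not Kevala's code) of the session and CSRF controls listed above, written against Go's standard `net/http`: the session cookie is issued with HttpOnly, Secure and SameSite=Lax, the session identifier is rotated on login, and every state-changing method must carry a per-session CSRF token that is compared in constant time. The cookie name, the `X-CSRF-Token` header and the in-memory session store are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const sessionCookie = "kevala_session" // cookie name is an assumption for this example

// Session is the server-side record the cookie points at. The CSRF token lives
// here, bound to the session, so a cross-site request cannot know it.
type Session struct {
	UserID    string
	CSRFToken string
}

// sessions is a constructed in-memory store; a deployment would keep this in
// the database with an expiry.
var sessions = map[string]*Session{}

// randomToken returns 256 bits from the OS CSPRNG, URL-safe encoded.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Login rotates the session on authentication: whatever identifier the browser
// presented is discarded and a fresh one is issued, so an ID set before login
// never becomes an authenticated session. The cookie carries the flags the page
// names: HttpOnly, Secure, SameSite=Lax.
func Login(w http.ResponseWriter, r *http.Request, userID string) string {
	if old, err := r.Cookie(sessionCookie); err == nil {
		delete(sessions, old.Value)
	}
	id := randomToken()
	sessions[id] = &Session{UserID: userID, CSRFToken: randomToken()}
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookie,
		Value:    id,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	return id
}

// CurrentSession resolves the cookie to its server-side record, or nil.
func CurrentSession(r *http.Request) *Session {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return nil
	}
	return sessions[c.Value]
}

// CSRFProtect enforces the token on every state-changing method. Safe methods
// pass through; anything else must present the session's token in X-CSRF-Token
// (a hidden form field would work the same way). Comparison is constant-time.
func CSRFProtect(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next(w, r)
			return
		}
		s := CurrentSession(r)
		if s == nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		got := r.Header.Get("X-CSRF-Token")
		if subtle.ConstantTimeCompare([]byte(got), []byte(s.CSRFToken)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func main() {
	// Log in once and show the Set-Cookie header the browser would receive.
	rec := httptest.NewRecorder()
	id := Login(rec, httptest.NewRequest("POST", "/login", nil), "alice")
	fmt.Println(rec.Header().Get("Set-Cookie"))
	fmt.Println("csrf token bound to session:", sessions[id].CSRFToken)
}
```

SameSite=Lax already blocks the cookie on cross-site POSTs in current browsers; the token check is the defence that does not depend on browser behaviour, which is why both are kept.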

Signed updates & licenses

Application updates and license tokens use Ed25519 signatures. The verification public key is embedded in the application; signing keys are held by us. Tampered updates won't apply.
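An added example (not Kevala's code) of what "tampered updates won't apply" looks like mechanically, using Go's standard `crypto/ed25519`: the product holds only the public key, a signed manifest names the archive's SHA-256 digest, and an archive is applied only if the manifest signature verifies and the archive hashes to that digest. The same `VerifyAndOpen` path serves license tokens. The `base64url(payload).base64url(signature)` token format, the JSON manifest fields, and the in-process key generation (which stands in for the vendor's signing key, never shipped) are assumptions for the example; this page does not document Kevala's real encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Token format assumed for this example: base64url(payload) "." base64url(signature).

var ErrBadSignature = errors.New("signature does not verify against the embedded key")

// Manifest is the signed statement that accompanies an update archive.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// NewExampleKeyPair stands in for the vendor's key ceremony. Only the public
// half would ever be embedded in the shipped application.
func NewExampleKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a token over an arbitrary payload (a license claim set or an
// update manifest). This runs on the vendor side, never inside the product.
func Sign(priv ed25519.PrivateKey, payload []byte) string {
	sig := ed25519.Sign(priv, payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyAndOpen returns the payload only if the signature checks out. A
// malformed token or a failed verification yields an error and no payload,
// so callers cannot accidentally act on unverified bytes.
func VerifyAndOpen(pub ed25519.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// MakeManifestToken is the vendor-side step: hash the archive, sign the manifest.
func MakeManifestToken(priv ed25519.PrivateKey, version string, archive []byte) string {
	sum := sha256.Sum256(archive)
	payload, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return Sign(priv, payload)
}

// VerifyUpdate is the product-side step. An archive is accepted only if the
// manifest signature verifies against the embedded key and the archive hashes
// to the digest the signed manifest names. Tampering with either fails.
func VerifyUpdate(pub ed25519.PublicKey, manifestToken string, archive []byte) (*Manifest, error) {
	payload, err := VerifyAndOpen(pub, manifestToken)
	if err != nil {
		return nil, err
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(archive)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("archive digest does not match signed manifest")
	}
	return &m, nil
}

func main() {
	pub, priv := NewExampleKeyPair()
	archive := []byte("constructed update archive bytes")
	token := MakeManifestToken(priv, "1.2.3", archive)
	m, err := VerifyUpdate(pub, token, archive)
	fmt.Println("genuine:", m.Version, err)
	_, err = VerifyUpdate(pub, token, []byte("tampered archive"))
	fmt.Println("tampered:", err)
}
```

Signing the manifest rather than the archive itself keeps the signature small and lets the digest be checked as the archive streams in; the security property is the same, because the digest is inside the signed bytes.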

Hardened against the basics

Server-side validation, ORM-mediated database access, template auto-escaping, file-upload whitelisting and size limits, rate limiting on authentication and uploads.

What we intentionally don't do

The shortest list on the page, and the most important.

  • No analytics or tracking pixels on the application. No Google Analytics, Mixpanel, or session-replay tooling.
  • No outbound calls to vendor infrastructure during normal operation.
  • No copying of customer data to our systems. Your evidence, controls, risks, and reports never leave your network.
  • No mandatory third-party services. Email, LDAP, and integrations are configurable; nothing is required to use the core platform.

Found something? Tell us.

If you believe you've found a security issue in Kevala, please email security@kevalagrc.com with reproduction steps and any relevant context. We'll acknowledge within two business days and keep you posted on remediation.

Please don't publicly disclose the issue until we've had a reasonable window to investigate and ship a fix. We won't pursue legal action against good-faith researchers who follow responsible-disclosure principles.