Hosted in Canada
All customer data is hosted in Canadian data centers. The rare operational transfers to the United States are governed by contractual clauses that comply with applicable Canadian privacy laws.
Security
Your data. In Canada. End-to-end encrypted.
Kovee is built for landlords. The security posture follows.
Encryption
AES-256 at rest on all storage volumes. TLS 1.3 in transit for every API and browser connection. Passwords are hashed with bcrypt at cost factor 12.
Authentication
Two-factor authentication available on every account and mandatory for administrative accounts. Time-bound sessions with automatic token rotation. Unusual sign-in detection.
Access control and audit logs
Least-privilege access across the infrastructure. Production access is restricted to a minimal set of engineers, logged in real time, and reviewed quarterly.
Data ownership and portability
You retain full ownership of your data. Complete export to CSV or JSON is available any time from the interface, with no involvement on our side. Full deletion within 90 days after account closure.
Backups and recovery
Encrypted daily backups with 30-day retention, geo-replicated across two distinct Canadian regions. Recovery plan tested twice a year. Recovery point objective of 24 hours, recovery time objective of 4 hours.
Payments
No card information is ever stored on our servers. All payments are processed by Stripe, certified PCI DSS Level 1. The tenant portal uses the same guarantees.
Artificial intelligence
The Kovee agent accesses large language models (LLMs) through OpenRouter, an API gateway that routes requests to selected model providers. Only the data strictly necessary to generate a response is transmitted — never your entire portfolio. Under OpenRouter's and downstream model providers' contractual terms, your data is not retained or used to train models. No decision with legal effect is made in a fully automated way without the possibility of human review.
Incident response
Documented response plan with 24/7 rotation. Affected customers are notified within 72 hours of any incident involving their data, in line with applicable Canadian laws.
Responsible disclosure
Security researchers are encouraged to report vulnerabilities to security@kovee.io. We acknowledge within 48 hours and coordinate a fix before any public disclosure.
Sub-processors
Up-to-date list of vendors that process customer data on our behalf.
| Vendor | Purpose | Region |
|---|---|---|
| Stripe | Payments and subscriptions | Canada / United States |
| AWS | Application hosting | Canada (ca-central-1) |
| Vercel | Marketing site hosting | Global (edge) |
| Resend | Transactional email | United States |
| OpenRouter | LLM gateway (AI agent) | United States (no retention) |
| SingleKey | Tenant credit & background checks | Canada |
A question about security?
Our security team replies directly. For vulnerability disclosures, use the dedicated address below.
security@kovee.io