Security
Security at Koryvant.
Koryvant is built to keep your account and your work safe by architecture, not by afterthought. This page describes how it works today.
How we handle authentication
Koryvant authenticates with short-lived bearer tokens (JWTs), not authentication cookies. Because auth state is never held in a cookie, a prototype you preview or deploy cannot read your session — the classic sibling-subdomain cookie-read does not apply.
How we protect secrets
Runtime credentials and configuration live in an AES-256-encrypted configuration table in the database, read through a single config layer. Secrets are not hardcoded and are not exposed to the browser.
How generated prototypes are isolated
Generated output is untrusted, so it is treated that way. Prototypes render inside a sandboxed iframe with scripts allowed but allow-same-origin withheld, served from a separate origin under a strict Content-Security-Policy. Deployed prototypes live on a dedicated deploy domain, isolated at the app layer from the account and marketing origin.
Where your data lives
Account and project data is stored in PostgreSQL. Generated artifacts are stored in object storage (Amazon S3). Traffic is served over HTTPS with HSTS.
Our compliance posture
Koryvant is not currently certified against SOC 2 or ISO 27001. We build to the intent of those frameworks — encryption of secrets, least-privilege access, and isolation of untrusted content — and we handle personal data in line with India’s DPDP Act and the GDPR. See our privacy policy for how we process personal data.
Reporting a vulnerability
If you believe you have found a security issue, email hello@koryvant.com. Our machine-readable disclosure details are published at /.well-known/security.txt. We appreciate coordinated disclosure and will work with you on a fix.
Koryvant is built and operated by Ekarche Private Limited (CIN U58200UW2026PTC253262), Mathura, Uttar Pradesh, India.