Security at KollGuard

Security is how we’re built

A compliance platform has to hold itself to a high bar. Here’s how KollGuard protects your credentials and data.

Credentials encrypted in Supabase Vault

GitHub and database tokens you provide are encrypted at rest in Supabase Vault. They are never stored in the browser and are only decrypted server-side when a scan runs.

Least-privilege tokens

KollGuard is designed to work with the minimum scope required. Provide tokens limited to what scanning needs — nothing more — so access stays tightly bounded.

Read-only scanning

Scans inspect configuration and metadata in a read-only manner. KollGuard does not modify your repositories or databases.

Tenant isolation with RLS

Each organization is isolated. Postgres Row Level Security enforces that one tenant can never read another tenant’s data.

No source code stored

KollGuard scans for security gaps without retaining your source code. We keep findings and metadata — not your codebase.

Built around the frameworks

Our own practices are oriented around the SOC 2 and HIPAA controls we help you meet — security is the product, not an afterthought.

Our current posture

Each statement below reflects how KollGuard is built and operated today.

  • Customer credentials are encrypted at rest in Supabase Vault and never stored in the browser.
  • Scanning is strictly read-only — we keep findings and metadata, never your source code or database contents.
  • Every organization’s data is isolated by Postgres Row-Level Security on all data tables.
  • Internal privileged database functions are restricted to the backend service role only.
  • No database extensions are installed in the exposed public schema.
  • Sensitive actions are recorded in a tenant-scoped, hash-chained audit log.
  • Payments are handled by Stripe — we never see or store card numbers.
  • We scan our own repository and database on every release and remediate findings before shipping.

We scan ourselves

We run KollGuard on KollGuard

We point KollGuard at our own GitHub repository and Supabase database on every release, and we fix what it finds before we ship. A compliance scanner that can’t pass its own scan has no business checking yours. Recent examples of issues our scan caught and we remediated:

  • Restricted internal privileged database functions to backend-only — not callable by signed-in users or the public API.
  • Moved a database extension out of the public schema to shrink the attack surface.
  • Added tenant-scoped access control to our own audit log.
  • Confirmed row-level security isolates every tenant table, and credentials stay encrypted in Vault.
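
The controls listed under "Our current posture" and the remediations just above, written out as Postgres DDL for a Supabase project. This is an added illustration, not KollGuard's own schema; anon, authenticated, service_role and auth.uid() are Supabase built-ins, while every table, column and function name is an assumption.

```sql
-- Added example (not KollGuard's schema): RLS tenant isolation,
-- service-role-only privileged functions, and extensions kept out of
-- the public schema. All object names here are assumptions.

-- 1. Tenant isolation with Row Level Security.
create table if not exists org_members (
  user_id uuid not null,          -- auth.users id of a signed-in user
  org_id  uuid not null,
  primary key (user_id, org_id)
);
create table if not exists findings (
  id     bigint generated always as identity primary key,
  org_id uuid not null,
  detail jsonb not null
);
alter table org_members enable row level security;
alter table findings    enable row level security;

-- A user may read only their own membership rows ...
create policy org_members_self on org_members
  for select to authenticated
  using (user_id = auth.uid());

-- ... and may read or write findings only for orgs they belong to.
-- The backend's service_role bypasses RLS, so the scanner is unaffected.
create policy findings_tenant_isolation on findings
  for all to authenticated
  using      (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- 2. Privileged functions: callable by the backend service role only.
--    Postgres grants EXECUTE to PUBLIC by default, so revoke it explicitly.
create or replace function rotate_scan_token(p_org uuid)
  returns void language plpgsql security definer
  set search_path = ''                -- pin search_path in security definer code
as $$ begin null; end $$;             -- body omitted: internal maintenance work

revoke execute on function rotate_scan_token(uuid) from public, anon, authenticated;
grant  execute on function rotate_scan_token(uuid) to service_role;

-- 3. Keep extensions out of the schema exposed through the API.
create schema if not exists extensions;
create extension if not exists pgcrypto with schema extensions;
```

A quick check after applying this: a request authenticated as a member of one org should return zero rows from findings for any other org, and a call to rotate_scan_token from the anon or authenticated role should fail with a permission error.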

If we wouldn’t ship it, we won’t let you either.

Have a security question?

We’re happy to walk through our controls and answer questionnaires.

Contact us