Security
Security is the foundation, not a feature.
Every layer of Vonova — authentication, data, course content, and AI — is engineered with defense-in-depth. Here is exactly how.
Pillars
How we protect your account & your content
Each pillar is owned by a named engineer and tested in CI on every deploy.
Identity
Hashed passwords (Argon2id), TOTP-based 2FA, session rotation on privilege change, and detection of credential-stuffing patterns.
Data
All databases encrypted at rest with AES-256. Backups encrypted and rotated daily; production secrets sealed in a managed KMS.
Infrastructure
Microservice isolation, mutual-TLS between services, principle-of-least-privilege IAM, and segregated production/staging networks.
Short-lived secrets
Every download / video URL is presigned with a tight TTL. Course content cannot be linked from outside the protected viewer.
Watermarked viewer
Books, slides, and videos open in our in-app viewer with a tiled diagonal watermark carrying the viewer's identity & timestamp.
Abuse detection
Per-account rate limits on auth, presign, and AI endpoints; anomaly alerts on bulk material exports.
Responsible disclosure
Found a vulnerability?
We welcome reports from security researchers. We commit to acknowledging reports within 48 hours, providing status updates every 72 hours, and crediting you publicly when the issue is resolved.
1. Email us
Send details to security@vonova.app with reproduction steps and the affected URL.
2. We triage
Severity assessment within 48 hours, a timeline shared with you, and a CVE filed where appropriate.
3. Coordinated fix
We patch, deploy, validate, and publicly credit you once it is safe to disclose.