Security

Security at Qovery.

3 areas - ~5 min read | SOC 2 Type II - AWS

Qovery restores trust in internet businesses by enabling companies to prove and improve their security and compliance posture. We encrypt data at rest and in transit, perform regular penetration tests, and deploy exclusively on AWS managed services.

- 01

Data Security

Qovery encrypts all data at rest and in transit for every customer, regardless of plan tier. We use AWS Key Management Service (KMS) backed by FIPS 140-2 compliant hardware security modules (HSMs) for encryption key management.

Customer workloads, secrets, and application data remain in the customer's own cloud account at all times. The Qovery control plane processes only deployment metadata - configuration state, resource metrics, and deploy events. We never have access to your application data, database contents, or environment secrets.

All communication between the Qovery control plane and customer clusters uses mutually authenticated TLS. API access requires authentication tokens with configurable expiration and RBAC-scoped permissions.

- 02

Application Security

We perform regular third-party penetration tests conducted by independent security experts. Penetration testers evaluate our source code, running application, and deployed infrastructure to identify vulnerabilities before they reach production.

Our development workflow integrates security at every step:

  • CodeQL static analysis on every pull request (GitHub Advanced Security)
  • Secrets Scanner to prevent accidental credential exposure in source code
  • Dependabot automated dependency updates for known CVE patches
  • Mandatory code review with minimum 2 approvers for production changes
  • Automated test suites including security-focused integration tests
  • Container image scanning before deployment to production

- 03

Infrastructure Security

The Qovery control plane is hosted exclusively on Amazon Web Services, leveraging AWS security products and managed services to minimize our attack surface.

Key infrastructure security measures include:

  • AWS KMS for encryption key management with automatic key rotation
  • AWS GuardDuty for continuous threat detection and monitoring
  • AWS Inspector for automated vulnerability assessment
  • Container-based deployments on AWS managed services (ECS, EKS) - we typically do not manage EC2 instances in production
  • Network segmentation with VPC isolation between control plane components
  • Automated infrastructure provisioning via Terraform with drift detection
  • Centralized logging with tamper-evident audit trails
  • Incident response plan with defined SLAs and escalation procedures