Security Update
SOC 2 progress.
Overview
Security is the discipline of building real protection rather than collecting badges. Nova's SOC 2 program is in progress; the controls matter more than the certificate. Five primitives carry most of the day-to-day posture: encryption everywhere, least-privilege access, secrets in a manager (never in a repo), audit logging on every privileged action, sub-processor diligence.
- SOC 2 in progress. Controls operating, evidence accumulating toward the first Type 2 window. Real protection precedes the credential.
- Encryption everywhere. Data at rest with managed keys; data in transit with TLS 1.2 or higher. Both layers, not one.
- Least-privilege access. Engineers get only the access their work requires. Blast radius of any individual credential stays small.
- Secrets management plus audit logging. Every secret lives in a secrets manager, never in source; every privileged action lands in an audit log. Common breach vectors closed; investigation has the breadcrumbs it needs.
The approach
Build the controls first, document the evidence as a byproduct, review annually, validate with external pen testing, run sub-processor diligence with the same rigour as primary controls. The discipline is making compliance fall out of operations rather than running it as a parallel project.
- Controls precede the audit. Real technical controls are in place before the auditor arrives. Audit confirms reality rather than discovering it.
- Document the evidence. Drata, Vanta, or equivalent captures evidence year-round. Auditor gets evidence rather than promises.
- Annual review plus external pen testing. Yearly review of every control; external pen testing finds what internal review missed. Validation is real, not assumed.
- Sub-processor diligence. Each sub-processor reviewed with the same rigour. Protection holds end-to-end across the data path.
Why this compounds
Each annual review tightens the posture; each pen test surfaces real findings to fix. Mature controls support multiple frameworks (ISO 27001, HIPAA, PCI) without rebuilding the program. By year three, security review is the natural shape of every engineering decision.
- Reduced breach risk. Real controls reduce real risk. Protection that holds under contact.
- Faster customer reviews. Documented controls accelerate enterprise security reviews. Sales conversations get unblocked.
- Compliance optionality. Mature controls support multiple frameworks without rebuild. Option value compounds.
- Year-one investment, year-two habit. First audit is investment-heavy; subsequent renewals run on operational evidence.