Security & Trust

How we protect customer data, identity, and infrastructure · Last updated: April 20, 2026

Security at Nova AI Ops is engineered into every layer of the platform — how we encrypt your data, how we control who can touch it, how we log every action, and how we respond when something goes wrong. This page is a current, honest snapshot of where our program stands and how to engage with it.

Compliance & certifications

We’re explicit about what we have today versus what’s in flight. If your procurement team needs evidence on any of these, email security@novaaiops.com and we’ll respond within one business day.

In progress

SOC 2 Type II

Audit underway with a Big-4-affiliated firm. Controls live; observation window in progress. Letter of engagement and bridge letter available on request.

Live

GDPR (EU/UK)

DPA, Standard Contractual Clauses for transfers, documented sub-processors, and a DSAR process. Lawful basis tracked per processing activity.

Live

CCPA / CPRA

California consumer privacy rights honored: access, deletion, correction, opt-out of sale (we don’t sell), and limit-use of sensitive information.

Live

Data Processing Agreement

Pre-signed DPA available, including SCCs and a list of sub-processors. Email privacy@novaaiops.com to receive the signed PDF.

Data protection

Customer data is protected end to end. We hold ourselves to controls modeled on the AICPA Trust Services Criteria and ISO 27001 Annex A, even as our SOC 2 audit completes.

Encryption in transit

All API and UI traffic uses TLS 1.3 with modern cipher suites. HSTS is enforced site-wide. Internal service-to-service traffic is mutually authenticated.

Encryption at rest

Sensitive data is encrypted with AES-256. Keys are managed by our cloud provider’s KMS using envelope encryption with regular rotation.

Tenant isolation

Customer workloads run in logically isolated tenants with row-level security on shared data stores. Cross-tenant access is structurally impossible at the application layer.

Backups & DR

Automated, encrypted backups with point-in-time restore. Disaster-recovery runbooks exercised on a regular cadence; RPO and RTO targets shared on request.

Identity & access

You decide who in your org can do what. Identity is the front door, so we put real engineering into it.

SSO / SAML 2.0

Single sign-on with Okta, Azure AD, Google Workspace, JumpCloud, and any SAML 2.0 IdP. Available on Pro and Enterprise plans.

SCIM provisioning

Automated user provisioning and deprovisioning. New hires get scoped access on day one; departures lose access automatically.

Role-based access control

Granular RBAC with least-privilege defaults. Custom roles and resource-scoped permissions for teams that need fine control.

Multi-factor authentication

MFA required for all administrators and available for all users. Supports TOTP authenticator apps and WebAuthn / FIDO2 hardware keys.

Audit logs & observability

Nova AI Ops is an observability platform — we apply the same rigor to our own systems as we ship to customers.

  • Immutable audit trail. Every privileged action (config change, role assignment, data export, AI agent decision) is logged with actor, timestamp, source IP, and intent.
  • AI decision logs. Every action taken by an autonomous agent is recorded with the prompt, the model, the inputs, and the resulting change — so you can audit why a system did what it did.
  • Customer-accessible logs. Enterprise customers can stream their tenant’s audit logs into their own SIEM (Splunk, Datadog, S3) for retention and analysis.
  • Internal monitoring. Production access is logged, alerted on, and reviewed.

Application & infrastructure security

  • Secure SDLC. Mandatory code review, automated dependency scanning, SAST in CI, and container image scanning before deploy.
  • Secret management. Production secrets live in a managed secret store. No secrets in code, config files, or logs. Rotated on a defined cadence.
  • Vulnerability management. Continuous scanning of infrastructure and dependencies. Critical findings have defined remediation SLAs.
  • Penetration testing. Independent third-party penetration tests are conducted annually. Executive summaries available under NDA.
  • Hardened cloud baseline. Workloads run on a hardened cloud baseline with private networking, principle of least privilege for IAM, and infrastructure-as-code review.

Sub-processors

We use a small number of trusted sub-processors to deliver the service. Our full, current list is maintained as part of the DPA — what follows is a summary.

Sub-processor | Purpose | Region
Amazon Web Services (AWS) | Primary cloud infrastructure, storage, compute | US, EU
Cloudflare | CDN, DDoS protection, WAF, DNS | Global
Anthropic | AI model inference for agent and copilot features | US
Stripe | Payment processing | US
Postmark / SendGrid | Transactional email delivery | US

We notify customers of material changes to our sub-processor list before they take effect, per our DPA.

Vulnerability disclosure

If you believe you have found a security vulnerability in Nova AI Ops, we want to hear from you. Email security@novaaiops.com with:

  • A description of the vulnerability and the affected endpoint, service, or component.
  • Steps to reproduce, including any proof-of-concept code or screenshots.
  • Your assessment of impact and any contact info you’d like us to use.

Our commitments to you:

  • We acknowledge reports within 24 hours.
  • We keep you informed of progress and remediation timelines.
  • We will not pursue legal action against good-faith security research conducted under this policy (no DoS, no social engineering of staff, no data exfiltration, only test accounts).
  • We credit researchers in our security acknowledgements (with your permission).

Incident response

Nova AI Ops maintains a documented security incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Customer-impacting incidents are communicated through status.novaaiops.com and to designated security contacts via email. We commit to notifying affected customers without undue delay where required by law or contract.

Privacy

Our handling of personal data is governed by our Privacy Policy. Highlights:

  • We do not sell personal information.
  • We process customer data only on documented instructions, per our DPA.
  • Data subject access requests are handled within applicable statutory timelines.
  • Cross-border transfers rely on Standard Contractual Clauses and additional safeguards where required.

Contact security

For all security-related inquiries:

Security questions / questionnaires: security@novaaiops.com
Privacy / DPA / DSAR: privacy@novaaiops.com
Vulnerability reports: security@novaaiops.com
System status: status.novaaiops.com

Nova AI Ops · AI-native SRE & observability platform