Trust & Compliance

Built for the businesses regulators watch

Security, privacy, and compliance are structural in Novact OS — not bolted on after the fact. Here is exactly where we stand.

Compliance Status

Where we stand today

We believe in honesty over marketing. Here is the real status of each certification.

SOC 2 Type II

In Progress

SOC 2 Type II audit is underway. The report will be available on Team tier and above once the audit completes; we will publish the report date here when it is finalized.

HIPAA

Enterprise Tier

HIPAA-compliant configuration available on the Enterprise tier. Includes BAA execution, PHI handling controls, and dedicated infrastructure.

GDPR

Compliant

EU data handling follows GDPR requirements. Data subject rights, lawful basis documentation, and DPA available on request.

Security Architecture

Defense in depth

Multiple layers of protection at every level of the stack.

Encryption

AES-256 at rest, TLS 1.3 in transit

Access Controls

Cloudflare Access zero-trust perimeter

Audit Logging

Every action logged with evidence retention for 7 years

Multi-Tenant Isolation

Organization-level Row Level Security (RLS) enforced in PostgreSQL, so one tenant's queries cannot return another tenant's rows
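The organization-level isolation described above, as an added PostgreSQL example. This is not Novact's own schema or code: the table `documents`, the application role `app_user` and the per-session setting `app.current_org` (set by the application after authentication) are assumptions made for the illustration. It shows the two things a reviewer checks first when a vendor says "RLS": that the policy is forced on the owner as well, and that an unset tenant context fails closed.

```sql
-- Added example (not Novact's schema): organization-scoped RLS in PostgreSQL.
-- Assumes the application connects as "app_user" and sets "app.current_org"
-- for every request after authenticating the caller.

CREATE TABLE documents (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL,
    body    text
);

-- 1. Enable RLS and FORCE it, so the table owner is subject to the policy too.
--    Owners bypass RLS by default; superusers and BYPASSRLS roles always do,
--    so the application must never connect as one of those.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- 2. One policy: USING filters SELECT/UPDATE/DELETE, WITH CHECK guards
--    INSERT/UPDATE. current_setting(..., true) returns NULL when the setting
--    was never set, and NULLIF maps a reset-to-empty value to NULL as well;
--    NULL = anything is not true, so a session with no tenant bound reads and
--    writes nothing (fail closed).
CREATE POLICY org_isolation ON documents
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- 3. Least privilege for the application role: not the owner, no BYPASSRLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- 4. Per-request usage from the application (connected as app_user).
--    SET LOCAL scopes the tenant to this transaction, so a pooled connection
--    cannot carry the previous request's tenant into the next one.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (org_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 plan');
-- Rejected by WITH CHECK: the row belongs to a different org than the session.
-- INSERT INTO documents (org_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
SELECT id, title FROM documents;   -- only org 1111... rows are returned
COMMIT;
```

Two caveats a practitioner should ask a vendor about: policies must exist on every tenant-scoped table (a single unprotected join table leaks), and any maintenance or migration role that holds BYPASSRLS must not be reachable from the application path.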

Data Residency

US-East-1 default. Configurable regions on Business tier and above.

Data Practices

What happens with your data

Clear answers, no legal fog.

What we collect

  • Conversations with AI agents
  • Decisions and documents you create
  • Usage metrics (runs, tokens, storage)

What we use it for

  • Improving your tenant's agent performance and memory
  • Platform reliability and abuse prevention
  • Usage-based billing calculation

What we do NOT use it for

  • Cross-tenant model training without explicit opt-in
  • Selling or sharing data with third parties
  • Advertising or behavioral profiling

Anonymization

  • Aggregate analytics are stripped of PII before internal analysis
  • Model improvement data (when opted in) is anonymized and de-identified
  • Audit logs retain actor identity for compliance; analytics do not

Privacy Controls

You control your data

Data Retention

Configurable retention periods per data category. Default: conversations 2 years, documents indefinite, logs per plan tier.

Export Controls

Full data export available at any time. Structured JSON and CSV formats. Includes all conversations, documents, decisions, and audit logs.

Right to Erasure

GDPR Article 17 supported. Submit a request and all personal data is purged within 30 days, with confirmation.

Cross-Tenant Sharing

Opt-in only. No data crosses tenant boundaries unless you explicitly configure a shared connector or integration.

Audit & Accountability

Every action has provenance

Built-in audit log

Every action in Novact OS is recorded in an immutable audit trail. Agent executions, human approvals, data access, configuration changes — all traceable to an actor with IP address and session context.

The audit log is available directly in your workspace. No external tooling required.

Tracked per event

  • Actor (human or agent)
  • Action type & target
  • IP address & session ID
  • Timestamp (UTC)
  • Before/after state
  • Organization & project scope
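An append-only audit table carrying the per-event fields listed above, as an added PostgreSQL example. This is not Novact's schema or code: the table `audit_log`, the application role `app_user` and the per-session setting `app.current_org` (set by the application after authentication) are assumptions for the illustration. The point it makes is that "immutable" should be enforced by the database, not only by the application's good behaviour.

```sql
-- Added example (not Novact's schema): an append-only audit trail with the
-- per-event fields from the list above, immutability enforced in PostgreSQL.
CREATE TABLE audit_log (
    id            bigserial PRIMARY KEY,
    occurred_at   timestamptz NOT NULL DEFAULT now(),   -- stored as UTC instant
    org_id        uuid NOT NULL,                        -- organization scope
    project_id    uuid,                                 -- project scope
    actor_type    text NOT NULL CHECK (actor_type IN ('human', 'agent')),
    actor_id      text NOT NULL,
    action        text NOT NULL,     -- action type, e.g. 'approval.grant'
    target        text NOT NULL,     -- e.g. 'document:42'
    ip_address    inet,
    session_id    text,
    before_state  jsonb,
    after_state   jsonb
);

-- 1. The application role can only append and read: no UPDATE, DELETE, TRUNCATE.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_user;

-- 2. Defence in depth: refuse rewrites even from roles that hold the privilege
--    (for example the table owner running a migration by hand).
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- 3. Tenants see only their own trail; the write side pins org_id to the
--    session's tenant so an event cannot be logged under another org.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_org_read ON audit_log FOR SELECT
    USING (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);
CREATE POLICY audit_org_write ON audit_log FOR INSERT
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Constructed sample event: a human approves an agent's proposed change.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO audit_log (org_id, project_id, actor_type, actor_id, action, target,
                       ip_address, session_id, before_state, after_state)
VALUES ('11111111-1111-1111-1111-111111111111',
        '33333333-3333-3333-3333-333333333333',
        'human', 'user:alice', 'approval.grant', 'document:42',
        '203.0.113.7', 'sess_7f3a9c', '{"status": "proposed"}', '{"status": "approved"}');
COMMIT;

-- Both of these now fail with "audit_log is append-only":
-- UPDATE audit_log SET after_state = '{}' WHERE id = 1;
-- DELETE FROM audit_log WHERE id = 1;
```

A trigger can be dropped by whoever owns the table, so this protects against application bugs and accidental operator changes, not against a compromised owner credential. For the 7-year evidence retention quoted above, the stronger control is to also ship events to write-once storage the database credentials cannot reach.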

Questions about security?

We are happy to walk through our security architecture, share compliance documentation, or answer specific questions about how your data is handled.

Contact security@novact.ai