Security & Trust
We hold ourselves to the standard we sell.
A company selling "prove your security" must visibly hold itself to the same standard. Here is what we run, what we can verify, and where we're still building.
NovaCove's Security Controls
We run NovaCove on NovaCove. The same controls we provide to customers — SSO-gated, least-privilege, short-lived access with a complete audit trail — are the ones securing our own infrastructure.
Identity & Access
SSO via our own IdP, MFA enforced on all accounts, role-based access with automated joiner/leaver.
Credential Management
Short-lived tokens, no standing credentials, automatic rotation enforced by the platform.
Audit Trail
Every access authenticated, authorized, and logged. Tamper-evident audit trail exportable on demand.
Infrastructure
Cloud-hosted with inherited SOC 2 controls from our cloud provider. No on-premises data centers.
Encryption
TLS 1.2+ in transit, encryption at rest for all data stores. No plaintext secrets.
Vulnerability Management
Dependency scanning, patch SLAs by severity, and ongoing monitoring of our attack surface.
Certifications & Audit Status
NovaCove does not currently hold a SOC 2 report, ISO 27001 certification, or other third-party audit attestation. We practice what we preach: our live, queryable posture is how we prove our security today. We intend to pursue SOC 2 Type II as the company matures, and our controls and evidence are mapped to SOC 2 requirements to prepare for that.
Sub-Processors & Data Handling
NovaCove processes customer data solely to deliver the service. We do not sell, share, or use customer data for advertising.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider | Application hosting & data storage | United States |
This list will be updated as sub-processors are added. Contact [email protected] for the current sub-processor list.
Responsible Disclosure
We welcome responsible security research. If you believe you've found a vulnerability in NovaCove, please report it to [email protected]. We ask that you give us reasonable time to respond before public disclosure.
Contact
Security inquiries: [email protected]
General inquiries: Contact page