Security is the foundation of every product decision at Nova. This page summarises the controls, certifications and operational practices that underpin the platform. Independent attestation reports are available to qualified prospects under NDA via security@nova.dev.
1. Certifications & Attestations
- PCI-DSS Level 1 — assessed annually by a QSA across the issuing data environment.
- SOC 2 Type II — Security, Availability and Confidentiality trust criteria, twelve-month observation window.
- ISO/IEC 27001:2022 — Information Security Management System, scope: platform engineering and operations.
- ISO/IEC 27701:2019 — Privacy Information Management extension, scope: cardholder & account data processing.
2. Encryption
- At rest: AES-256-GCM. Per-tenant data envelope keys wrapped by a master key resident in FIPS 140-2 Level 3 hardware security modules.
- In transit: TLS 1.3 with modern cipher suites (TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256). TLS 1.0/1.1 and SSLv3 are disabled at the edge.
- Application layer: request signing via HMAC-SHA256 with rotating shared secrets; mTLS available for high-assurance integrations.
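As an added illustration of the request-signing scheme listed above (this is not Nova's own code; the header names, key ids, secrets, grace period and skew limit are assumptions), the following Python sketch shows how a verifier can keep accepting a retired secret for a bounded grace window after rotation while still rejecting stale, tampered or unknown-key requests:

```python
import hashlib
import hmac

# Constructed demo key ring: key id -> (secret, epoch seconds when retired, or None if current).
# A real deployment would load this from a secrets manager; these values are placeholders.
KEY_RING = {
    "key-2": (b"constructed-current-secret", None),
    "key-1": (b"constructed-previous-secret", 1_700_000_000),
}
GRACE_SECONDS = 24 * 3600   # retired secrets keep verifying this long so in-flight clients can roll over
MAX_SKEW_SECONDS = 300      # reject signatures older or newer than this to bound the replay window


def canonical_string(method: str, path: str, body: bytes, timestamp: int, key_id: str) -> bytes:
    """Bind method, path, body digest, timestamp and key id into one unambiguous string to sign."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp), key_id]).encode()


def sign_request(method: str, path: str, body: bytes, key_id: str, timestamp: int) -> dict:
    """Client side: produce the assumed signing headers with HMAC-SHA256 over the canonical string."""
    secret, _ = KEY_RING[key_id]
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, key_id), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(method: str, path: str, body: bytes, headers: dict, now: int) -> bool:
    """Server side: look up the key id, enforce the rotation grace window and replay window,
    then compare signatures in constant time."""
    entry = KEY_RING.get(headers.get("X-Key-Id", ""))
    if entry is None:
        return False                                  # unknown or fully revoked key id
    secret, retired_at = entry
    if retired_at is not None and now > retired_at + GRACE_SECONDS:
        return False                                  # previous secret is past its grace window
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                                  # stale or future-dated request
    expected = hmac.new(secret, canonical_string(method, path, body, ts, headers["X-Key-Id"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```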
3. Cardholder Data Handling — Tokenization First
Primary Account Numbers, CVV and track data are never persisted in Nova's general-purpose systems. Sensitive payment data is captured directly into the PCI-DSS Level 1 enclave operated by the Issuing Partner and returned to Customer applications exclusively as opaque network tokens or surrogate references. This dramatically reduces the Customer's own PCI scope.
4. Infrastructure
- Multi-region active-active deployment across three independent regions.
- Quorum-based replication; no single region can take the platform offline.
- Hardware-isolated production network; no shared tenancy with non-production workloads.
- Daily restore drills against immutable, encrypted backups; documented RPO ≤ 5 min, RTO ≤ 30 min.
5. Access Control
- SSO enforced for all employees via SAML 2.0 with hardware-bound WebAuthn second factor.
- Just-in-time, time-boxed production access with peer review and full session recording.
- Role-based access control internally; per-resource scoped API keys for Customers, rotatable on demand.
- Quarterly access recertification; immediate de-provisioning on termination.
6. Application Security
- SAST, DAST and software composition analysis run on every commit; blocking on high-severity findings.
- Annual third-party penetration test (network, application and red-team scenarios); summary letter available under NDA.
- Public responsible disclosure program with bounty: security@nova.dev.
7. Operational Security
- 24×7 on-call rotation across security and reliability functions.
- Documented incident response runbook with defined severities, comms templates and post-mortem requirements.
- Real-time SIEM coverage; anomaly detection on authentication, key usage and data egress.
8. Business Continuity
Annual tabletop and live-fire exercises. Customer-impacting incidents are tracked publicly on the status page, with root-cause analyses published within five (5) business days of resolution.
9. Contact
Security questions, vulnerability disclosures and audit requests: security@nova.dev. PGP key fingerprint available on request.