Nova · Security
Last updated: May 2026. This page summarises the security posture of Nova by Vxera. For questionnaires, please contact security@vxera.ai.
Hosting & data residency
Nova runs on Vercel's global edge for the front-end and Supabase (Postgres) for application data. Customer data at rest is stored in our primary Supabase region (US-East). Enterprise customers may request EU residency via a dedicated Supabase project.
All traffic is served over TLS 1.2+. Internal service-to-service calls use mTLS where available.
Authentication & access control
User accounts authenticate via Supabase Auth (email/password, magic link, or SSO).
Enterprise tenants can enforce SSO (OIDC or SAML) and MFA. Domain allowlists and IP allowlists are configurable per tenant via the admin console.
Admin operators are scoped by company (`company_name`) and role (`ops`, `finance`, `security`, `support`, `admin`). Database row-level security (RLS) policies enforce the company boundary at the Postgres layer.
Encryption
Data in transit: TLS 1.2+ for all HTTP traffic and Postgres connections.
Data at rest: AES-256 (Supabase managed). API key plaintexts are never stored — only HMAC-SHA256 hashes.
Webhook payloads are signed with HMAC-SHA256 (`X-Nova-Signature`).
Audit logging
Every privileged admin action is recorded in `nova_admin_audit_events` (immutable, exportable as CSV/JSON via the admin console).
API requests are logged with user, endpoint, status, latency and cost in `nova_api_events`.
Webhook delivery attempts are logged in `nova_webhook_deliveries`.
Cost anomalies trigger an entry in `nova_cost_anomalies` with an acknowledge workflow.
Sub-processors
Vercel — application hosting (USA, global edge).
Supabase — Postgres database, auth, storage (USA primary).
DeepSeek — LLM inference (current sole model provider).
Cloudflare — DDoS protection and DNS.
The sub-processor list is reviewed quarterly. Material changes will be communicated to enterprise customers with 30 days' notice.
Vulnerability handling
Dependencies are scanned via `npm audit` on every build.
Security reports may be sent to security@vxera.ai. We aim to acknowledge within 2 business days and patch high-severity issues within 7 days.
Scope: vxera.ai web properties, Nova APIs, mobile clients. Out of scope: third-party services, social engineering of staff, denial-of-service.
Compliance roadmap
SOC 2 Type 1: target Q3 2026.
SOC 2 Type 2: target Q1 2027.
GDPR: DPA available on request (see /nova/docs/dpa).
HIPAA: not currently in scope. Do not upload PHI.
Incident response
Detection sources: monitoring dashboard (p99 latency / error-rate alerts), cost anomaly cron, webhook delivery failure threshold.
Notification: enterprise customers will be notified within 72 hours of confirmed material incidents involving their data.
Post-incident reviews are written for any P0/P1 event and shared with affected customers within 14 days.