Security · Trust
Nova prepares. You approve.
Eight things we hold ourselves to so Nova is something you can hand the keys to.
Approval-first by design
Every outbound action lands in your inbox as a draft. Nothing sends, books, or pays without you tapping approve. This is a database-level invariant — not a setting we can flip off.
Row-level isolation
Every table in the database enforces row-level security scoped to your user id. Your data is unreachable from any other account, even by mistake.
Secrets stay server-side
API keys, OAuth tokens, and webhook secrets live only in encrypted server storage. The browser bundle never sees them.
Your data, exportable
One tap inside your Trust centre exports everything Nova knows about you as a JSON file. Another tap erases your memory and starts you fresh.
No silent training
Nova learns from how you approve and edit drafts. We don't ship your data to third-party training pipelines.
Verified webhooks only
Payment and integration callbacks reject any payload without a valid HMAC signature. Replays and forged events do nothing.
Audited status changes
Card lifecycle (drafted → approved → sent) is append-only logged. A client cannot mark something sent without a prior approval event.
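One way an ordering rule like this can be enforced in the database rather than in client code. This is an added example, not Nova's own code: it assumes SQLite and a hypothetical `card_events` table, with hypothetical helper names. Triggers make the log append-only and refuse an `approved` or `sent` event unless the preceding status already exists for the same card and user.

```python
import sqlite3

# Hypothetical schema (assumption): one row per lifecycle event, never edited.
SCHEMA = """
CREATE TABLE card_events (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    card_id TEXT NOT NULL,
    user_id TEXT NOT NULL,
    status  TEXT NOT NULL CHECK (status IN ('drafted', 'approved', 'sent'))
);
-- Append-only: existing events can never be rewritten or removed.
CREATE TRIGGER card_events_no_update BEFORE UPDATE ON card_events
BEGIN SELECT RAISE(ABORT, 'card_events is append-only'); END;
CREATE TRIGGER card_events_no_delete BEFORE DELETE ON card_events
BEGIN SELECT RAISE(ABORT, 'card_events is append-only'); END;
-- Ordering: 'approved' needs 'drafted', 'sent' needs 'approved' (same card, same user).
CREATE TRIGGER card_events_order BEFORE INSERT ON card_events
WHEN NEW.status <> 'drafted' AND NOT EXISTS (
    SELECT 1 FROM card_events
    WHERE card_id = NEW.card_id AND user_id = NEW.user_id
      AND status = CASE NEW.status WHEN 'approved' THEN 'drafted' ELSE 'approved' END)
BEGIN SELECT RAISE(ABORT, 'missing prior lifecycle event'); END;
"""

def open_log():
    """Create an in-memory event log with the triggers installed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, card_id, user_id, status):
    """Append one lifecycle event; return (ok, reason) instead of raising."""
    try:
        with db:  # commit on success, roll back on failure
            db.execute(
                "INSERT INTO card_events (card_id, user_id, status) VALUES (?, ?, ?)",
                (card_id, user_id, status))
        return True, "ok"
    except sqlite3.DatabaseError as exc:
        return False, str(exc)

def rewrite_blocked(db, sql):
    """Return True if an UPDATE/DELETE against the log is rejected by a trigger."""
    try:
        with db:
            db.execute(sql)
        return False
    except sqlite3.DatabaseError:
        return True
```

Because the checks live in triggers, any client that can write to the table is held to the same rule, whatever code path it uses.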
Guardrails you set
Quiet hours, spend limits, and allowed action types are yours to configure on the Profile page. Nova won't cross them.
What we hold ourselves to
- Permission-first architecture. Nova drafts; you approve. Nothing is sent, booked or changed without your tap.
- Per-source revocation. Every connected source can be disconnected in one tap — Nova forgets it immediately.
- Visible activity trail. Every card lifecycle event is logged and viewable in your Trust centre.
- Your data is never sold. Not to advertisers, not to data brokers, not to model providers for training.
- GDPR · POPIA · CCPA aligned. We follow the access, correction and deletion rights defined by these frameworks.
Certifications roadmap
Nova is early. Independent third-party security certification (starting with SOC 2 Type I) is planned as the company grows. We will only claim a certification once it is formally issued — never before.
Where to take action
- Privacy notice — what we collect and why.
- Terms — the legal frame.
- Status — live system health.
- Signed in? Open your Trust centre to export or wipe your data.