🛡️

Security you can trust

Nova needs access to your most sensitive data to be useful. Here's exactly how we protect it.

✓Security by default

🔒

Encrypted at rest & in transit

All integration tokens are encrypted with AES-256-GCM. Data in transit uses TLS 1.3. Your credentials never touch disk in plaintext.

🛡️

OAuth2 everywhere

We use industry-standard OAuth2 for all third-party integrations. Nova never sees or stores your passwords.

🚫

No data selling — ever

We do not sell, share, or monetize your data. Our business model is subscription-based, not advertising.

🧠

No training on your data

Your conversations, files, and integration data are never used to train AI models. Your data is yours.

🔐

Strict security headers

HSTS with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, and restrictive Permissions-Policy on every response.

🗄️

Parameterized queries only

All database access goes through Prisma ORM with parameterized queries. SQL injection is structurally impossible.

🎯Threat model

We proactively model threats against Nova's architecture and implement mitigations before they can be exploited.

ThreatMitigation

Credential theft

AES-256-GCM encryption, AWS Secrets Manager for production keys, no plaintext storage

Session hijacking

JWT tokens with short expiry, HTTPS-only cookies, CSRF protection

API abuse

Per-user rate limiting with configurable presets (auth, chat, API, agent provisioning)

Injection attacks

Prisma parameterized queries, input validation, Content Security Policy

Unauthorized access

Every API route verifies session + user ownership. No ambient authority.

Data leakage

Strict CORS, security headers, no data in error responses, server-side only DB access

Supply chain attacks

Minimal dependencies, lockfile integrity, automated vulnerability scanning

Desktop app exploitation

Sandboxed IPC, action-specific channels (no catch-all), user confirmation for destructive ops

☁️Infrastructure

Nova runs on AWS with production-grade security at every layer.

📦

AWS ECS Fargate

Serverless containers — no SSH access, no persistent VMs

🗄️

AWS RDS PostgreSQL

Managed database with encryption at rest and automated backups

🔑

AWS Secrets Manager

All production secrets managed centrally — never in code or env vars

🌐

AWS ALB + WAF

Application load balancer with web application firewall

📊

CloudWatch

Centralized logging and monitoring with alerts

🌍

Multi-AZ

Redundant deployment across availability zones

📋Compliance & data rights

🇪🇺

GDPR compliant

Full data export, right to deletion, data minimization, and lawful processing basis.

🍪

Cookie transparency

Minimal cookies (session + locale only), no third-party tracking, clear cookie policy.

📤

Data portability

Export all your data anytime from Settings. Standard formats, no lock-in.

🗑️

Right to deletion

Delete your account and all associated data with one click. No retention period.

💻Desktop app security

The Nova desktop app has deep system access. Here's how we keep it safe.

Scoped IPC channels

Each capability (file read, screenshot, volume) has its own dedicated channel. No generic "execute anything" interface.

User confirmation

Destructive actions (deleting files, emptying trash, sending emails) require explicit user confirmation before execution.

No remote code execution

The desktop app does not download or execute arbitrary code. All automation logic is bundled and signed at build time.

macOS Accessibility opt-in

UI automation features require the user to explicitly grant Accessibility permissions in System Preferences.

Code-signed distribution

Desktop builds are code-signed and notarized through Apple's developer program.

❓Frequently asked questions

Where is my data stored?

Your data is stored in PostgreSQL on AWS RDS with encryption at rest. Integration tokens are additionally encrypted with AES-256-GCM. We use AWS eu-west-1 (Ireland) as our primary region.

Can Nova read my emails and files?

Only when you explicitly connect an integration and ask Nova to perform an action. Nova uses read-only access by default and requests write permissions only when needed (e.g., creating a calendar event).

Is my conversation data used for training?

No. Your conversations are processed by the AI model to generate responses but are never stored or used for model training. We use commercial API agreements with OpenAI and Anthropic that explicitly exclude customer data from training.

What happens when I delete my account?

All your data is permanently deleted: conversations, user profile, integration tokens, usage records, and any agent instances. This is irreversible and immediate.

How does the desktop app access my computer?

The desktop app uses Electron with specific IPC channels for each capability (file access, screenshots, etc.). There is no catch-all "run anything" channel. Destructive actions require explicit user confirmation.

Do you have SOC 2 compliance?

We are working toward SOC 2 Type II certification. Our infrastructure is built on AWS, which is SOC 2 certified. We follow security best practices including encryption, access controls, and audit logging.

Found a vulnerability?

We take security reports seriously. If you've found a security issue, please contact us through our responsible disclosure process.

Report a vulnerability