A security model you can verify
Four controls govern everything that happens inside NOVA: encryption in transit and at rest, granular permissions at the action and data level, a complete audit trail, and environment isolation. This page explains each control as it actually works, not as it looks in slide decks.
Four controls, no exceptions
Encryption on every path
Data is encrypted in transit (TLS 1.3) and at rest (AES-256) on NOVA Cloud. In private-cloud (VPC) deployments, the encryption keys are owned and managed by you.
Permissions at the action and data level
No open access: every flow and every AI agent operates within explicit permissions defining what it reads and what it executes. Anything beyond the boundary does not run: it escalates to human approval.
A complete audit trail
Every action is recorded: who decided, what was executed, and why. The trail is reviewable at any time, which was our own requirement before it was our customers'.
Environment isolation
Separate development and production environments, and workspaces isolated from one another. In on-premises deployments NOVA runs entirely inside your infrastructure, including environments fully air-gapped from the internet.
Each control and its implementation
One line per control: what we implement today, phrased so security reviewers can quote it directly.
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 for every connection between the browser and the platform, and between connectors and linked systems. |
| Encryption at rest | AES-256 on NOVA Cloud; in private deployments, with keys the customer owns and manages. |
| Permissions | Granular roles and permissions at the action and data level for every user and agent; anything beyond them escalates to human approval. |
| Audit trail | Complete record of every execution and decision (who, what, when, and why), reviewable at any time. |
| Environment isolation | Separate dev and production environments and isolated workspaces, plus VPC, on-premises and air-gapped options. |
| Backup | Backup and disaster recovery on NOVA Cloud, within the managed in-Kingdom infrastructure. |
Found a vulnerability? Talk to us first
Our responsible-disclosure policy is simple: we welcome reports from security researchers and handle them seriously and fast.
- Send the details and reproduction steps to [email protected].
- We confirm receipt of the report and keep you updated on its status through to closure.
- Give us a reasonable window to fix before any public disclosure, and do not access data that isn't yours while researching.
- Good-faith research within these rules will face no action from us; that is our published policy.
We do not currently run a paid bounty program; if we ever launch one, you will find it announced on this page.
What security teams ask first
In transit with TLS 1.3, and at rest with AES-256 on NOVA Cloud. In private-cloud (VPC) deployments, the encryption keys are owned and fully managed by you.
Granular permissions at the action and data level: every user and AI agent operates within explicit boundaries defining what it can read and what it can execute. Anything beyond the boundary escalates to human approval, and every action is recorded in the audit trail.
On NOVA Cloud inside Saudi data centers by default. Deployment options also include your own private cloud (VPC) or fully on-premises in your data center, including air-gapped environments isolated from the internet.
Email [email protected] with the details and reproduction steps. We confirm receipt and keep you updated through to the fix, and our policy is that good-faith security research within the responsible-disclosure rules will face no action from us.
Test the controls yourself.
A live demo that answers your security team's questions on your own scenarios, or start free and inspect the platform directly.