Security Overview

1. Our approach

Nova System operates Meridian on globally distributed cloud infrastructure run by reputable third-party providers. We follow a defence-in-depth approach: multiple layers of controls so that no single failure compromises the security of customer data. We do not publish low-level implementation details that would be useful to attackers; this page summarizes the controls customers most often need to assess.

2. Encryption

• In transit — all traffic to the platform is encrypted using current industry-standard TLS. Older TLS versions are not accepted. HTTP Strict Transport Security is enforced on all production hostnames.
• At rest — customer data is encrypted at rest using authenticated encryption with keys managed by our key-management provider. Key rotation is performed on a defined schedule and on incident.
• Field-level encryption — selected high-sensitivity fields receive additional application-layer encryption with separate keys.
• Backups — backups are encrypted at rest and during transfer.
• Mobile cache — Aurora uses platform-provided secure storage for cached data and credentials.

3. Identity and access

• Strong password policies, with multi-factor authentication required for privileged roles.
• Single sign-on supported for eligible plans.
• Role-based access controls and least-privilege defaults.
• Session controls: idle timeout, device fingerprinting, anomaly detection, forced re-authentication on sensitive actions.
• Periodic access reviews for Nova System personnel; immediate revocation on role change or departure.

4. Network and infrastructure

• Production network is segmented from corporate and pre-production environments.
• Default-deny ingress, with allow-listing limited to what the Service requires.
• Distributed denial-of-service mitigation and a web application firewall at the edge.
• Rate limiting and bot management on public surfaces.
• Hardened images and immutable infrastructure where supported.

5. Application security

• Secure software development lifecycle with code review for all changes that affect production.
• Static analysis, dependency scanning, and secret scanning integrated into our build pipeline.
• Threat modelling and design review for material new features.
• Coordinated vulnerability disclosure process; report findings to security@thenovasystem.com.
• Bug bounty program for in-scope assets where applicable; please coordinate with us before testing.

6. Logging, monitoring, and audit

• Security-relevant events are logged centrally with integrity protection.
• Alerts trigger on anomalous events and known attack patterns; on-call coverage twenty-four hours a day.
• Customer-visible audit trails are available for administrative actions inside the platform.
• Audit-log retention aligned to compliance requirements.

7. Vulnerability management

• Scheduled patching with expedited response for critical CVEs.
• Dependency updates governed by automated tooling and review.
• Periodic external testing by qualified independent assessors.

8. Personnel security

• Background checks where lawful; confidentiality undertakings signed at onboarding.
• Mandatory security and privacy training, with refreshers.
• Role-specific training for engineering, support, and customer-success staff.
• Documented off-boarding that revokes access and recovers assets.

9. Vendor and sub-processor governance

We perform diligence on sub-processors, contractually require flow-down obligations, and review them periodically. The current sub-processor list is at /legal/sub-processors. Where required by law, additions follow the advance-notice and objection process in the DPA.

10. Resilience, backups, and disaster recovery

• Data is replicated across availability zones for resilience.
• Encrypted backups are retained on a defined schedule and tested through periodic restores.
• Documented business continuity and disaster recovery plans aligned to defined recovery objectives.

11. Incident response

We maintain documented incident-response runbooks. On confirmation of a Personal Data Breach affecting a customer, we notify the customer without undue delay as set out in the DPA. The notification will, as it becomes known, describe the nature of the incident, the categories and approximate number of records affected, and the measures taken or proposed. Customers may report suspected incidents at security@thenovasystem.com.

12. Mobile and endpoint considerations

• Aurora and Polaris rely on platform-provided security features (secure enclave, code signing, sandbox).
• Biometric unlock is available where supported by the device.
• Remote sign-out by an administrator is supported.
• Sensitive actions require recent re-authentication.

13. Data handling principles

• Data minimization — we collect only what we need to operate the Service.
• Purpose limitation — we use customer data to deliver and improve the Service, with the restrictions described in the Privacy Policy and DPA.
• No training on customer data — we do not train any model on customer data without explicit opt-in or irreversible de-identification.
• Retention — defined retention schedules, with secure deletion at end-of-life.

14. Compliance attestations

See the Compliance Attestations page for current attestation status and the regulatory frameworks we align with.

15. Reporting security issues

To report a vulnerability or suspected incident, email security@thenovasystem.com with reproduction steps and impact. We will acknowledge within one business day. Please give us reasonable time to remediate before public disclosure.

16. Contact

Security questions: security@thenovasystem.com. Privacy questions: privacy@thenovasystem.com.