Security architecture

Six layers of protection.

Read-only bank connections

All bank connections are established through Plaid with read-only access. NovaBiz can never initiate transactions, move money, or modify account settings. We can only read transaction data.

AES-256 encryption at rest

All data stored on NovaBiz servers is encrypted using AES-256, the same standard used by major financial institutions. Encryption keys are rotated quarterly.

TLS 1.3 in transit

All data transmitted between your browser, our servers, and third-party integrations is protected by TLS 1.3. We do not support older, less secure protocol versions.

Errors & omissions insurance

NovaBiz carries E&O insurance covering all AI-executed financial actions. Every transaction has a complete audit log with timestamps, action taken, and the data used to make the decision.

SOC 2 Type II (Enterprise)

Enterprise plan customers receive SOC 2 Type II audit reports on request, documenting our security controls and their effectiveness across a 12-month audit period.

Approval thresholds

No AI action above your set threshold executes without your explicit approval in CommandInbox. You define what NovaBiz can do autonomously — you are always in control.

Data retention & your rights.

Your data belongs to you. Export everything at any time in CSV, JSON, or QuickBooks format from Settings → Export. If you cancel, your data remains accessible for 90 days, then is permanently deleted. We do not sell, share, or use your business data to train AI models for other customers without explicit consent.

Retention periods

Active accounts: for the life of the account plus 7 years (tax compliance)
Financial records: 7 years (IRS requirements)
Support communications: 3 years
After cancellation: 90-day export window

Your rights

Access: request a copy of all data we hold
Correction: request correction of inaccurate data
Deletion: request permanent deletion
Portability: receive data in machine-readable format

Reporting a security issue.

If you discover a security vulnerability, email [email protected]. We investigate all reports within 24 hours and notify affected customers if any data is at risk. We have a responsible disclosure policy and will not pursue legal action against good-faith security researchers.
