Security

Last updated May 3, 2026 · Nova Companion LLC

Nova’s promise

  • Your data lives behind locks at every layer. Authentication on every request. Row-level security on every user table. AES-256-GCM encryption on the credentials Nova holds for connected services. TLS in transit, end to end.
  • We treat security findings the way we treat bugs — quickly and openly. If you find one, tell us. We’ll thank you and fix it.
  • We never sell your data. We never run ads against your conversations. We never broker your information to third parties.
  • When you delete your account, we actually delete your data — from every database, every memory store, every uploaded file.
  • The Void is sealed. What you scream into the Void is never stored, never logged, never remembered. It disappears.

Reporting a vulnerability

If you believe you’ve found a security issue in Nova, email colinpassman5@gmail.com. We acknowledge reports within 48 hours and keep you informed while we triage and remediate.

Please test only against your own accounts. Please give us reasonable time to fix issues before public disclosure. We don’t take legal action against researchers who follow these guidelines.

How we triage

Every report is classified by severity (P0 critical, P1 high, P2 medium, P3 informational). We patch P0 and P1 within 7 days and keep you in the loop the whole way. We credit researchers in the acknowledgments section below unless you ask to remain anonymous.

How Nova is built

  • Authentication: Supabase Auth with email verification and PKCE. Multi-factor authentication is enforced on Nova’s administrative accounts and supported for any user who chooses to enroll.
  • Authorization: Row-level security on every user table. Server-side admin gating for privileged routes. Token revocation for embedded tenant sessions.
  • Encryption at rest: AES-256-GCM on OAuth tokens for connected services (Google, Spotify, Plaid). Postgres encryption at the platform layer.
  • Encryption in transit: TLS via Vercel on every connection.
  • Boundary protection: Strict Content Security Policy with per-request nonces, HSTS preload, SSRF protection on every external fetch.
  • Monitoring: Synthetic health checks across every critical dependency every 15 minutes. Sentry on every code path that can fail.
  • Storage isolation: Memory vectors live in per-user namespaces. Even at the infrastructure layer, your memories are walled off from anyone else’s.
  • Audit log: Every administrative action lands in an immutable log. Even Nova’s owner cannot retroactively edit it.

SOC 2 readiness

Nova is in active SOC 2 Type 1 readiness. Our control documentation, risk register, vendor inventory, and operational runbooks are maintained internally and available to enterprise prospects under NDA.

Data deletion

You can delete your Nova account and all associated data from your profile settings. Account deletion removes your authentication record, conversation history, memory vectors, journal entries, and OAuth tokens.

Vendors and subprocessors

Nova runs on a curated set of infrastructure and AI vendors. The complete list — vendor by vendor, what each one sees, where they’re hosted, what they’re attested against — is published at /subprocessors. The major load-bearing vendors are Vercel, Supabase, Upstash, Stripe, Sentry, Anthropic, OpenAI, and Google Cloud — all SOC 2 Type 2 attested.

Acknowledgments

We’ll list researchers who have responsibly disclosed issues to us here. Be the first.