Security and Compliance
Learn about Novu security certifications, compliance standards, data residency, and privacy policies
How to Request SOC and ISO Reports
You can access our compliance reports and certifications directly from our Trust Center at trust.novu.co. The Trust Center provides self-service access to:
- SOC 2 Type II report
- ISO 27001 certification
- HIPAA compliance documentation
- Security policies and procedures
- Live compliance controls status
Simply visit trust.novu.co to request and download any security documentation you need.
Compliance Certifications
SOC 2 Type II
Novu Cloud is SOC 2 Type II compliant. We have completed penetration tests, security training, and evidence collection, and we follow secure development lifecycle (SDL) practices. You can see live control updates on our Trust Center.
ISO 27001
Novu Cloud is ISO 27001 compliant. We have completed both Stage 1 and Stage 2 audits and fully defined the requirements of our information security management system (ISMS). This includes:
- Creating comprehensive organization processes
- Defining organization risk assessment policies
- Building Incident Response & Disaster Recovery plans
HIPAA
Novu Cloud is HIPAA compliant and we offer Business Associate Agreements (BAA) for customers who require them. This enables healthcare organizations and their partners to use Novu while maintaining compliance with healthcare data protection requirements.
GDPR
Novu is fully GDPR compliant. You can see the complete compliance report on our Trust Center. Novu provides separate data residency options in both the EU and the US to support your compliance needs.
Data Residency
Available Regions
Novu Cloud is available in the following regions:
| Region | Location |
|---|---|
| US | Virginia, United States |
| EU | Frankfurt, Germany |
| UK | United Kingdom |
| Singapore | Singapore |
| Australia | Australia |
| Japan | Japan |
| South Korea | South Korea |
As part of our GDPR compliance, you can choose which region your data resides in when creating your account. Enterprise regions (UK, Singapore, Australia, Japan, South Korea) are available on enterprise plans.
Switching Regions
To maintain data residency integrity, we cannot copy or move data between data warehouses in different regions. If you need to switch regions, please contact us at [email protected] to discuss your options.
Self-Hosted and Hybrid Options
- Open Source: You control where your data is stored
- Novu Hybrid-Cloud: We help you deploy within your selected network infrastructure
Data Storage and Retention
By default, data is stored using the following retention periods:
| Data Type | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Activity Feed Logs | 24 hrs | 7 days | 90 days | Custom |
| Inbox Messages | 30 days | 90 days | 90 days | Custom |
| Other Messages | 30 days | 90 days | 90 days | Custom |
If you need to delete specific data or information, reach out to us at [email protected].
Regulatory and PII Concerns
We regularly work with large enterprises and are happy to provide guidance on various compliance requirements. Our compliance reports and certifications are available through our Trust Center to help ease your security and legal team's review process.
If you have specific concerns about PII, you have several options:
- Use our open source version for full control
- Choose the Novu Hybrid-Cloud enterprise plan
- Contact us at [email protected], [email protected], or via Discord
Reporting Security Vulnerabilities
We are committed to our users' data security and highly appreciate responsible disclosure of security vulnerabilities. To report a security issue:
- Submit a GitHub security advisory
- Email us at [email protected]