Security you can hand straight to your DPO.
Nova runs your service desk, so your data, your residency obligations and your team’s access all have to stand up to scrutiny. Here is exactly how they do, documented so your data protection team can sign it off without a meeting.
UK-hosted by default, and we’ll give you the evidence.
Every piece of customer data Nova holds is stored in a UK region, with no cross-border transfers and no ambiguity about jurisdiction. We run on managed cloud infrastructure in the UK, with your data held in a managed PostgreSQL database under per-organisation isolation. We’d rather show you than tell you. Ask for our hosting and data-flow summary and we’ll send the version your information governance team actually needs.
Your data never leaves the UK.
Locked down at every layer.
From the moment data leaves a browser to where it rests on disk, it’s encrypted, and only the right people can ever reach it.
Encrypted in transit & at rest
All traffic to and from Nova is protected with TLS. Data in our database and backups is encrypted at rest with industry-standard AES.
Single sign-on
Sign in with Google or Microsoft. Your team uses the accounts and access policies you already govern centrally. No new passwords for you to manage or for us to store.
Role-based access
Access follows least privilege: agents, managers and admins each see only what their role requires, and access can be revoked the moment someone leaves.
Per-organisation isolation
Every customer’s data is segregated at the database layer. One organisation can never see, query or reach another’s information.
Your AI never trains on your data.
Public sector data can’t leave the country, or feed someone else’s model, just because a feature is clever. Nova’s AI is held to the same residency and privacy discipline as everything else we do.
Processed in the UK
AI features run through Microsoft Azure OpenAI in a UK region, so nothing crosses a border to be useful.
Used once, for you
Content sent to an AI feature produces your result and nothing more. It isn’t retained to improve the underlying models.
UK GDPR, taken seriously.
Nova is operated by a UK-registered company. We process personal data lawfully, keep only what we need, and name everyone who touches it.
You own it.
Export your data whenever you like, and we delete it on request when you leave. No hostage-taking.
We keep less.
We collect only what Nova needs, and retain it only while your account is active.
We name everyone.
Every third party that touches your data is listed in full below, not buried in a contract appendix.
Built to stay up and recover fast.
Backups only matter if they come back. Here’s what’s true of every piece of data you trust us with.
Backed up daily
Automated every 24 hours, so a bad afternoon never becomes a lost week.
Encrypted backups
Held with the same encryption as your live data, on redundant managed infrastructure.
Tested recovery
Restoring from backup is part of how we operate, not an afterthought.
Straight answers on compliance.
We’re early, and we’d rather tell you exactly where we stand than flash a badge we haven’t earned.
UK-registered & UK GDPR aligned
Operated by a UK limited company, processing personal data in line with UK GDPR.
Built to recognised controls
Encryption, access control, isolation, backups and least privilege: the principles ISO 27001 and SOC 2 are built around.
Founder-level security expertise
Our founding team includes hands-on ISO 27001 experience that shapes how we build and run Nova.
Independent certification
We’re working toward formal ISO 27001 / SOC 2 as the company matures.
Questions your security team needs answered?
Book a 30-minute call. We’ll walk your IT, procurement or information governance team through anything they need to see, with no sales pressure and no obligation.