Trust Center

How Novana protects your data, ensures compliance, and earns the trust schools place in us.

Overview

How we protect your data.

Schools trust Novana with sensitive student information, accreditation evidence, and the day-to-day operations that shape a child's education. The principles, practices, and contractual safeguards below are how we earn that trust.

You own your data. We process it only as you direct, under a DPA that covers GDPR, FERPA, COPPA, CCPA, and APPI obligations.

How we handle your data

Data Residency & Storage

All customer data sits on cloud infrastructure hosted in Japan. The application runs on serverless compute co-located in the same region, and our managed database is also in Japan. Authentication and analytics operate from the USA but never store your evidence or student data.

Encryption

Every connection to Novana is encrypted with TLS 1.2+. Data at rest, in both our database and file storage, is encrypted with AES-256.

Your Role as Data Controller

You own your data. Under our Data Processing Addendum, your school is the Controller and Novana is the Processor. We process personal data only as you direct. Nothing more, nothing less.

PII Reduction Before AI Processing

Multi-layered detection identifies and redacts personally identifiable information to minimize PII exposure before content reaches an AI provider. While no automated system can guarantee complete detection, our approach catches the vast majority of PII. AI providers process content in the moment and never retain it.

Data Subject Rights

If a parent or staff member asks about their data, we help you respond. We support access, rectification, erasure, portability, and restriction of processing requests. If someone contacts us directly, we'll notify you promptly and work with you to fulfill the request.

Data Retention & Deletion

During your contract, we honor active deletion requests promptly, typically within days. After contract termination, all customer data is purged from production systems within 90 days. You can request a full data export at any time during the agreement.

International Transfers

For transfers from the EEA or UK, we use EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum. For Japan, we comply with Article 24 of the APPI regarding cross-border transfers.

Compliance standards

GDPR

General Data Protection Regulation

Novana acts as a Processor. Your school is the Controller.

  • We process personal data only as you direct
  • EU Standard Contractual Clauses (Module Two) for international transfers
  • UK International Data Transfer Addendum supported
  • Full data subject rights: access, rectification, erasure, portability, restriction

FERPA

Family Educational Rights and Privacy Act

Novana operates as a "school official" with legitimate educational interest.

  • Education records accessed only as directed by your school
  • Student data used solely for the accreditation service
  • No disclosure to third parties except for service delivery (with PII detection and redaction applied)
  • DPA includes all FERPA-required safeguard provisions

COPPA

Children's Online Privacy Protection Act

All Novana users are school staff: adults, not children.

  • Schools provide consent under COPPA's school consent exception
  • No personal information collected directly from children
  • Student data never used for advertising or commercial purposes
  • PII detection and redaction applied before content reaches AI providers

CCPA

California Consumer Privacy Act

Novana acts as a "Service Provider" under the CCPA.

  • We do not sell or share personal data
  • Data used only to provide the contracted services
  • Consumer rights supported: access, deletion, and opt-out
  • Contractual terms include all CCPA Service Provider commitments

APPI

Act on Protection of Personal Information

Customer Content stored primarily in Japan via Google Cloud Platform and PlanetScale (Tokyo region).

  • Compliant with Article 24 for cross-border transfers
  • Appropriate safeguards for data processed by subprocessors outside Japan
  • Infrastructure-first approach to Japan data residency
  • Uploaded files, evidence data, and AI analysis all stored in-region

Frequently asked

Does Novana use our data to train AI models?

No, and we've made sure our contracts with every AI provider (OpenAI and Google AI) say the same thing. Your content is processed in the moment and discarded immediately. No provider retains it, and none can use it for training.

Who at Novana can access our school's data?

Only authorized engineering personnel, on a least-privilege basis. Direct database access requires explicit approval, and multi-factor authentication is enforced for all staff. We log all access to customer data. Nobody on our team can casually browse your evidence.

What happens to our data if we cancel?

You can request a full data export at any time during your contract. After termination, all customer data (files, evidence, AI-generated analysis) is purged from production systems within 90 days. If you need your data deleted sooner, we'll accommodate that.

Do you have a DPA we can sign?

Yes. Our Data Processing Addendum covers GDPR, FERPA, COPPA, and CCPA obligations and is available for all customers. It includes Standard Contractual Clauses for international transfers and all required safeguard provisions. Contact us at security@novana.io to get started.

What happens if there's a security breach?

We notify affected customers within 72 hours. The notification covers what happened, which data categories were affected, what we've done to contain it, and what steps you should take. No legalese stalling: you'll hear from us directly.

Can we export our data?

Yes. You can request a full export of your evidence, files, and AI-generated analysis at any time during your contract. We provide data in standard formats so you're never locked in.

Which AI providers process our data?

We currently work with OpenAI and Google AI. Both have signed zero-retention agreements: your content is processed in the moment, never stored, and never used for training. A full list with locations and transfer mechanisms is on our Subprocessors page.

Can students access Novana directly?

No. Novana is used exclusively by school staff: administrators, teachers, and accreditation coordinators. Students never interact with the platform. Schools may upload documents containing student information as accreditation evidence, but that content is processed through our PII detection and redaction pipeline before it reaches any AI provider.

Talk to us

Questions? Concerns?
Ask us anything.

Whether it's a security question, a compliance requirement, or something that doesn't fit neatly into a category, we're here to help. No question is too small.

Contact security@novana.io

or just connie@novana.io