Security
Security built into every layer.
From the cloud infrastructure that stores your data to the development practices that shape our product, we treat security as a default, not a feature. The controls below describe how we keep schools' work safe day-to-day.
Security controls
Encryption
- All data in transit encrypted with TLS 1.2+
- Data at rest encrypted with AES-256
- File storage encrypted at rest via provider-managed encryption
- Database encryption managed by cloud provider
Cloud Infrastructure
- Hosted on Google Cloud Platform and Vercel
- Customer Content stored and processed in Japan
- Managed services: no self-hosted servers to patch
- Credentials stored in platform-managed secret stores, never in code
Secure Development
- All code changes pass automated checks and manual review before deployment
- Automated testing before any deployment
- Built against the OWASP Top 10 guidelines
- Dependency scanning catches known vulnerabilities before they ship
Vulnerability Testing
- Automated security scanning on every pull request
- Third-party dependency scanning for known CVEs
- Critical issues patched within defined SLAs
- Responsible disclosure program for external researchers
People & Access
- Multi-factor authentication required for all staff
- Least-privilege access to production systems
- Security awareness training for every team member
- Permissions reviewed regularly and revoked on role changes
Incident Response
- Documented response plan with clear escalation paths
- Affected customers notified within 72 hours of a breach
- Notification includes scope, affected data, and remediation steps
- Post-mortem and remediation plan after every incident
Responsible disclosure
Found a vulnerability? Tell us.
Email security@novana.io with a description and steps to reproduce. We ask for reasonable time to investigate before public disclosure, and we credit researchers who help us keep schools' data safe.
