How We Protect Your Data
Data Residency & Storage
All customer data is stored on our cloud infrastructure hosted in Japan. The application runs on serverless compute co-located in the same region, and our managed database is also hosted in Japan. Authentication and analytics operate from the USA but never store your evidence or student data.
Encryption
Every connection to Novana is encrypted with TLS 1.2+. Data at rest β both in our database and file storage β is encrypted at rest with AES-256.
Your Role as Data Controller
You own your data. Under our Data Processing Addendum, your school is the Controller and Novana is the Processor. We process personal data only as you direct β nothing more, nothing less.
PII Reduction Before AI Processing
We use multi-layered detection designed to identify and redact personally identifiable information to minimize PII exposure before content reaches an AI provider. While no automated system can guarantee complete detection, our approach is designed to catch the vast majority of PII. AI providers process content in volatile memory with zero retention.
Data Subject Rights
If a parent or staff member asks about their data, we help you respond. We support access, rectification, erasure, portability, and restriction of processing requests. If someone contacts us directly, we'll notify you promptly and work with you to fulfill the request.
Data Retention & Deletion
During your contract, we honor active deletion requests promptly β typically within days. After contract termination, all customer data is purged from production systems within 90 days. You can request a full data export at any time during the agreement.
International Transfers
For transfers from the EEA or UK, we use EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum. For Japan, we comply with Article 24 of the APPI regarding cross-border transfers. Transfer mechanisms are documented per-provider in our Subprocessors list.
Compliance Standards
GDPR
General Data Protection Regulation
Novana acts as a Processor. Your school is the Controller.
- We process personal data only as you direct
- EU Standard Contractual Clauses (Module Two) for international transfers
- UK International Data Transfer Addendum supported
- Full data subject rights: access, rectification, erasure, portability, restriction
FERPA
Family Educational Rights and Privacy Act
Novana operates as a "school official" with legitimate educational interest.
- Education records accessed only as directed by your school
- Student data used solely for the accreditation service
- No disclosure to third parties except for service delivery (with PII detection and redaction applied)
- DPA includes all FERPA-required safeguard provisions
COPPA
Children's Online Privacy Protection Act
All Novana users are school staff β adults, not children.
- Schools provide consent under COPPA's school consent exception
- No personal information collected directly from children
- Student data never used for advertising or commercial purposes
- PII detection and redaction applied before content reaches AI providers
CCPA
California Consumer Privacy Act
Novana acts as a "Service Provider" under the CCPA.
- We do not sell or share personal data
- Data used only to perform the contracted accreditation service
- Consumer rights supported: access, deletion, and opt-out
- Contractual terms include all CCPA Service Provider commitments
APPI
Act on Protection of Personal Information
Customer Content stored primarily in Japan via Google Cloud Platform (Tokyo region).
- Compliant with Article 24 for cross-border transfers
- Appropriate safeguards for data processed by subprocessors outside Japan
- Infrastructure-first approach to Japan data residency
- Uploaded files, evidence data, and AI analysis all stored in-region
Frequently Asked Questions
Questions? Concerns? Ask us anything.
Whether it's a security question, a compliance requirement, or something that doesn't fit neatly into a category β we're here to help. No question is too small.
security@novana.io