Security
Last updated: July 11, 2026
This page describes the technical and organizational measures used to protect your data, agents, and applications on Novo North.
1. Infrastructure and Isolation
Organization isolation. Each Organization's data is logically isolated. Users in one Organization cannot access another Organization's data, agents, conversations, or files.
Agent compute isolation. Agent workloads run on managed, isolated cloud compute, separated from other agents and other Organizations.
Edge deployment. The Service is deployed on a global edge network for low-latency access and high availability.
2. Data Encryption
In transit. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted.
At rest. All stored data — including databases, file uploads, and backups — is encrypted using AES-256 encryption.
Backups. Database backups are encrypted and stored securely by our infrastructure provider.
3. Access Controls
Row-level security. Database access is enforced through row-level security (RLS) policies that ensure users can only access data within their own Organization.
Scoped authentication. Authentication tokens are scoped to specific resources and expire automatically. Agent tokens, application tokens, and user sessions each have distinct scopes and lifetimes.
Role-based access. Organization members have defined roles (owner, member) with appropriate permission boundaries.
Secure by default. All API endpoints require authentication by default. New endpoints are secure unless explicitly configured otherwise.
4. Network and Application Security
Outbound request controls. Requests made on behalf of agents to external services are validated against controls that block access to internal infrastructure.
Rate limiting. API endpoints are rate-limited to prevent abuse and protect service availability.
Input validation. File uploads and file access paths are validated against common attack patterns, and files matching sensitive credential patterns are blocked from agent-reachable surfaces.
Database access controls. Agent database operations run under restricted, least-privilege roles, with additional query-level controls on destructive operations.
5. AI Safety and Governance
No model training by Novo North. We do not use Customer Data to train or improve models that we develop or fine-tune. AI subprocessors process Customer Data under provider-specific business/API terms summarized in our Privacy Policy.
Bounded agent actions. Agents operate within defined permission boundaries. Agent capabilities are configured by authorized users and enforced at the platform level.
Browser automation controls. Agents interact with external websites through a managed browser environment. Access to authenticated services requires a login session you have previously established, and consequential browser actions can be gated behind your approval.
Activity logging. Agent conversations and tool actions are recorded as durable events, and security-relevant administrative events are captured in an append-only audit log available to workspace owners.
6. Compliance and Privacy
Telemetry without advertising tracking. We use product analytics and operational telemetry to operate the Service, diagnose reliability issues, and manage feature rollout. Session replay starts disabled and is not started for workspaces with strict data handling enabled. We do not use advertising cookies, tracking pixels, or targeted-advertising technology.
Security headers. The Service enforces industry-standard security headers including HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and restrictive Permissions-Policy.
Compliance. Our security program is built around industry-standard frameworks such as SOC 2. Contact us for our current security documentation, questionnaire responses, and compliance roadmap.
Data Processing Agreement. Contact to discuss data processing requirements.
Responsible disclosure. If you discover a security vulnerability, please report it to . We appreciate responsible disclosure and will work with you to address any issues promptly.