SSL Labs - transport-layer encryption
Run by Qualys, the industry-standard test for TLS configuration. The grade reflects cipher suites, protocol versions, certificate chain, HSTS, and known vulnerabilities. A+ requires HSTS with preload + includeSubDomains and modern TLS only.
Mozilla Observatory - web security headers
The standard test for HTTP security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy, cookie security, redirection. A+ requires 10/10 tests passed.
How we encrypt your data
| Data type | In transit | At rest | Per-tenant isolation | Backups |
|---|---|---|---|---|
| Client documents (passports, decisions, attachments) | TLS 1.3 | AES-256 (encrypted object storage) + application-layer field encryption with rotating keys | Yes - every read query is scoped by tenant id | Continuous (30-day point-in-time recovery) |
| Database rows (clients, cases, conversations) | TLS 1.3 | AES-256 (encrypted database) | Yes - composite indexes on (tenant_id, …) + scoped queries | Continuous |
| Sessions and authentication tokens | TLS 1.3 | Signed session tokens with a rotating secret | N/A (session-scoped) | N/A (regenerated on rotation) |
| Third-party integration credentials | TLS 1.3 | Per-tenant encrypted at rest | Yes | Continuous |
| Mobile cache (Aurora iOS + Android) | TLS 1.3 | iOS Keychain + Android Keystore (platform-managed) | N/A (single-user device) | N/A (re-fetched on resume) |
| AI request & response logs (metering only - no message content) | TLS 1.3 | AES-256 (encrypted database) | Yes - tenant_id required on every write | Continuous |
What else protects your data
- Multi-tenant isolation - every database row carries a tenant id; every read query enforces it server-side. We cannot accidentally surface Firm A's data to Firm B.
- Rate limiting - every public endpoint enforces per-IP and per-tenant request limits to prevent abuse and cost amplification.
- Audit log - every administrative action, every AI call, every authentication event is logged with timestamp, actor, and IP.
- Constant-time secret comparison - all admin-token and webhook-signature checks use constant-time comparison to prevent timing attacks.
- Soft-error observability - silent failure modes write to a structured error table so we can spot anomalies without affecting the user-facing response.
- Token verification - signed session tokens with a strict algorithm allowlist, minimum-length signing secrets, and enforced expiry with bounded clock skew.
- Encryption-key rotation - a documented rotation procedure.
- Disaster recovery - monthly DR drill; 30-day point-in-time recovery.
Compliance posture
For our current compliance status (PIPEDA, BC PIPA, Quebec Law 25, GDPR, UK GDPR, CCPA, and the SOC 2 Type II readiness roadmap) see the Compliance Attestations page. For the sub-processors we use to deliver the platform, see Sub-processors. For the data-protection agreement firms sign, see the Data Processing Addendum.
Reporting a security issue
Email security@thenovasystem.com. We acknowledge within one business day and coordinate disclosure with researchers. Our security contact details are published in .well-known/security.txt per RFC 9116.