# Security Policy

**Last Updated:** February 5, 2026
**Effective Date:** February 5, 2026
**Version:** 1.0

## Quick Summary

- We implement industry-standard security measures including encryption, 2FA, and regular audits.
- We have a documented incident response plan with GDPR-compliant breach notification (72 hours).
- While we use commercially reasonable security practices, no system is 100% secure.
- To report a security vulnerability, contact <legal@nover.studio>.

This summary is for convenience only and is not legally binding. Please read the full Policy below.
## Table of Contents

1. [Our Security Commitment](#1-our-security-commitment)
2. [Infrastructure Security](#2-infrastructure-security)
3. [Authentication and Access Control](#3-authentication-and-access-control)
4. [Data Protection and Encryption](#4-data-protection-and-encryption)
5. [Application Security](#5-application-security)
6. [Security Audits and Monitoring](#6-security-audits-and-monitoring)
7. [Incident Response Plan](#7-incident-response-plan)
8. [Data Breach Notification Procedure](#8-data-breach-notification-procedure)
9. [Third-Party Security](#9-third-party-security)
10. [Vulnerability Reporting](#10-vulnerability-reporting)
11. [Your Role in Security](#11-your-role-in-security)
12. [Compliance](#12-compliance)
13. [Limitations](#13-limitations)
14. [Changes to This Security Policy](#14-changes-to-this-security-policy)
15. [Contact Information](#15-contact-information)
## 1. Our Security Commitment

At Nover, we take the security of your data and our platform seriously. We implement commercially reasonable technical and organizational measures to protect the confidentiality, integrity, and availability of our systems and your information.

This Security Policy describes the measures we take to protect the Nover platform at nover.studio (the "**Service**") and your data. It should be read together with our [Privacy Policy](/legal/privacy), [Terms of Service](/legal/terms), and [DMCA Policy](/legal/dmca).

**Important:** While we strive to maintain a high level of security, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data. See Section 13 for our full limitations disclosure.
## 2. Infrastructure Security

### 2.1 Hosting

| Component | Provider | Security Notes |
|---|---|---|
| **Database and Authentication** | Supabase (EU region) | Managed PostgreSQL with automated backups, encryption at rest, SOC 2 Type II compliant infrastructure |
| **Web Hosting** | Vercel and Netlify | Global CDN with DDoS protection, automated SSL/TLS |
| **Payment Processing** | Stripe | PCI DSS Level 1 compliant (the highest level of payment security certification) |
| **AI Generation** | Runware.ai | API-based, no persistent user data storage on our end |

### 2.2 Network Security

- All traffic is served over **HTTPS** with modern TLS (Transport Layer Security) protocols.
- We enforce HSTS (HTTP Strict Transport Security) headers.
- Our hosting providers implement DDoS mitigation at the network level.
- DNS is managed through dedicated providers with DNSSEC support.
## 3. Authentication and Access Control

### 3.1 User Authentication

- **Email and Password** — Passwords are securely hashed and encrypted by Supabase. We never store passwords in plain text.
- **OAuth (Social Login)** — Users may authenticate via OAuth providers (such as Google or GitHub) through Supabase's authentication service.
- **Two-Factor Authentication (2FA/MFA)** — Available to all users. We strongly recommend enabling 2FA for enhanced account security.
- **Session Management** — Authentication sessions are managed securely with time-limited tokens and encrypted cookies.

### 3.2 Administrative Access

- Administrative access to Nover's internal systems is restricted to authorized personnel only.
- Admin accounts are protected by multi-factor authentication (MFA).
- We follow the principle of least privilege — team members only have access to the systems and data necessary for their role.
## 4. Data Protection and Encryption

### 4.1 Encryption in Transit

All data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using **HTTPS/TLS**. This protects your data from interception during transmission.

### 4.2 Encryption at Rest

Data stored in our primary database (Supabase) is **encrypted at rest** using industry-standard encryption methods. This includes:

- Account and profile information
- Authentication credentials (hashed passwords, OAuth tokens)
- Session data

### 4.3 Payment Security

Payment information is processed entirely by **Stripe**, which is **PCI DSS Level 1 compliant** — the most rigorous level of certification in the payment industry. We do not store, process, or transmit credit card numbers, CVVs, or full card details on our systems.

### 4.4 What We Do Not Store

As of the effective date of this Policy:

- We do not store your text prompts or generation parameters in our database.
- We do not store generated images or videos in our own infrastructure (they are hosted as URLs by Runware.ai).
- We do not store payment card details (handled entirely by Stripe).
## 5. Application Security

### 5.1 Secure Development

- We follow secure coding practices during development.
- We perform code reviews before deploying changes to production.
- We use modern frameworks and libraries that incorporate built-in security features.

### 5.2 Authentication Checks

Every authenticated request to our platform is verified against the user's session. If authentication fails, the user is immediately logged out and must re-authenticate.

### 5.3 Input Validation

We validate and sanitize user inputs to protect against common web vulnerabilities including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).
## 6. Security Audits and Monitoring

### 6.1 Regular Audits

We conduct periodic internal security reviews and assessments of our infrastructure and application code. These reviews help us identify and address potential vulnerabilities before they can be exploited. We may engage third-party security auditors in the future as our organization grows.

### 6.2 Monitoring

We rely on built-in logging and monitoring capabilities provided by our infrastructure providers (Vercel and Supabase) to detect unusual activity and potential security incidents. We may implement dedicated monitoring and error tracking services in the future to further enhance our security posture.

### 6.3 Automated Backups

Supabase provides automated database backups as part of their managed service. These backups help ensure data availability and support recovery in the event of a system failure.
## 7. Incident Response Plan

We maintain a documented incident response plan to address security incidents promptly and effectively. Our plan follows industry best practices and includes the following phases:

### Phase 1: Containment (First Hour)

**Objective:** Stop the incident and prevent further damage.

Actions:

- Identify and isolate affected systems.
- Rotate compromised keys, tokens, and credentials (Supabase keys, API keys, JWT secrets).
- Revoke suspicious sessions.
- Temporarily disable affected integrations.
- Force MFA and password resets on administrative accounts.
- Preserve all available evidence: authentication logs, database logs, edge logs, and timestamps.
- Open an incident ticket with a severity classification.

### Phase 2: Assessment (First 24 Hours)

**Objective:** Determine the scope and impact of the incident.

Actions:

- Identify what data types were involved (PII, uploads, tokens, payment metadata).
- Determine the number of affected users and their geographic regions (EU, UK, California, other).
- Assess whether data was encrypted or unencrypted at the time of the incident.
- Evaluate the risk to affected individuals (account takeover, identity exposure, financial harm).
- Notify Stripe if the incident involves data related to Stripe services.

### Phase 3: Notification (Within 72 Hours)

**Objective:** Fulfill regulatory notification obligations.

Actions:

- If the incident is a personal data breach likely to result in risk to individuals, notify the relevant supervisory authority within 72 hours of becoming aware (GDPR requirement).
- Prepare incident notification with all required details (see Section 8).
- If full details are not yet available, provide initial notification and update as more information becomes available.

### Phase 4: User Notification

**Objective:** Inform affected individuals and provide guidance.

Actions:

- If the breach poses a high risk to individuals, notify affected users without undue delay.
- Provide clear, plain-language information about what happened, what data was involved, and what steps users should take.
- For California residents, provide notification as required by applicable state breach notification laws.
- See Section 8 for the full notification procedure.

### Phase 5: Post-Incident (7–14 Days)

**Objective:** Remediate, learn, and prevent recurrence.

Actions:

- Conduct a full root cause analysis (RCA) and written postmortem.
- Patch vulnerabilities and harden security controls.
- Rotate all credentials again if warranted.
- Review vendor exposure (Supabase, Vercel, Stripe, Runware.ai, etc.).
- Update internal policies and procedures as needed.
- Document lessons learned.
## 8. Data Breach Notification Procedure

### 8.1 When We Notify

We will issue notifications in the event of a confirmed personal data breach — defined as the unauthorized access to, disclosure of, or loss of personal data that poses a risk to individuals' rights and freedoms. This includes:

- Unauthorized access to user accounts or administrative systems.
- Export or leakage of personal data (emails, IP addresses, uploads, prompts tied to identities, billing identifiers, authentication tokens).
- Malicious modification or deletion that affects data integrity or availability.

### 8.2 Regulator Notification

| Regulation | Timeframe | Requirement |
|---|---|---|
| **GDPR (EU/UK)** | Within **72 hours** | Notify the relevant supervisory authority of breaches likely to result in risk to individuals |
| **CCPA (California)** | As required by law | Notify affected California residents as required by applicable state breach notification laws |
| **Other US States** | Varies by state | Notify affected residents per applicable state breach notification laws |

### 8.3 What Our Notifications Include

Regulatory notifications:

- Description of what happened (high level)
- When we became aware and the timeline of events
- Categories of data affected
- Approximate number of affected users
- Likely consequences and risks
- Mitigation steps taken
- Contact point for follow-up

User notifications:

- What happened (in plain language)
- What information was involved
- What we have done to address the breach
- What you should do (reset password, enable 2FA, watch for phishing)
- How to contact us for more information

### 8.4 Stripe Notification

If a breach involves personal data associated with Stripe services (payment data, billing identifiers), we will notify Stripe promptly in accordance with Stripe's data protection requirements.
## 9. Third-Party Security

### 9.1 Sub-Processor Security

Our Service relies on third-party providers. We select providers that maintain appropriate security measures:

| Provider | Key Security Measures |
|---|---|
| **Supabase** | SOC 2 Type II, encryption at rest and in transit, automated backups, EU data residency |
| **Stripe** | PCI DSS Level 1, SOC 1 and SOC 2, end-to-end encryption |
| **Vercel** | SOC 2 Type II, DDoS protection, automated SSL, global edge network |
| **Netlify** | SOC 2 Type II, automated SSL, DDoS protection |
| **Runware.ai** | API-based processing under their standard terms |

### 9.2 Shared Responsibility

While we select our providers carefully, each third-party service maintains its own security practices and certifications. We are not responsible for security incidents that originate at or are caused by our third-party providers. We will use commercially reasonable efforts to work with affected providers to resolve any such incidents.

### 9.3 No DPA with Runware.ai

As of the effective date of this Policy, we do not have a formal Data Processing Agreement (DPA) with Runware.ai. Your prompts are processed through their API under their standard terms of service. We encourage you to review Runware.ai's privacy and security practices.
## 10. Vulnerability Reporting

### 10.1 Responsible Disclosure

If you discover a potential security vulnerability in the Nover platform, we encourage you to report it to us responsibly. We appreciate the security community's efforts to help us keep our users safe.

### 10.2 How to Report

- **Email:** <legal@nover.studio>
- **Subject Line:** Security Vulnerability Report — [Brief Description]

When reporting a vulnerability, please include:

1. A clear description of the vulnerability and its potential impact.
2. Detailed steps to reproduce the issue.
3. Any proof-of-concept code, screenshots, or other supporting evidence.
4. Your contact information for follow-up.

### 10.3 Our Commitment

When you report a vulnerability responsibly:

- We will acknowledge receipt of your report within **5 business days**.
- We will investigate the reported vulnerability and keep you informed of our progress.
- We will use commercially reasonable efforts to address confirmed vulnerabilities in a timely manner.
- We will not take legal action against individuals who discover and report vulnerabilities in good faith and in accordance with this policy.

### 10.4 Scope

Responsible disclosure applies to vulnerabilities in the Nover platform (nover.studio). It does not extend to third-party services, social engineering attacks, denial-of-service attacks, or physical security. Please do not access, modify, or delete other users' data during your research.

### 10.5 Bug Bounty

We do not currently operate a formal bug bounty program. We may recognize significant vulnerability reports at our discretion.
## 11. Your Role in Security

Security is a shared responsibility. We recommend the following practices to protect your account:

1. **Enable two-factor authentication (2FA).** This significantly reduces the risk of unauthorized account access.
2. **Use a strong, unique password.** Do not reuse passwords from other services.
3. **Keep your credentials confidential.** Never share your password or account access with others.
4. **Monitor your account.** Review your account activity and generation history regularly.
5. **Report suspicious activity.** If you notice unauthorized activity on your account, contact us immediately at <legal@nover.studio>.
6. **Keep your devices secure.** Use up-to-date software, operating systems, and antivirus protection.
7. **Be cautious with generated content.** Remember that generated images are delivered as publicly accessible URLs. Do not generate sensitive or private content. See our [Privacy Policy](/legal/privacy) Section 8.
## 12. Compliance

### 12.1 Current Compliance

| Standard | Status |
|---|---|
| **GDPR** | We strive to comply with GDPR requirements, including data minimization, encryption, breach notification, and user rights. Our primary data is stored in the EU. |
| **CCPA/CPRA** | We strive to comply with California privacy requirements. We do not sell personal data. |
| **PCI DSS** | Payment processing is handled by Stripe, which is PCI DSS Level 1 compliant. We do not store card data. |

### 12.2 Certifications

As of the effective date of this Policy, Nover does not hold SOC 2, ISO 27001, or other formal security certifications. We rely on the certifications and security practices of our infrastructure providers (Supabase, Stripe, Vercel, Netlify). We may pursue certifications in the future as our organization grows.

### 12.3 No Data Protection Officer

We have not yet appointed a Data Protection Officer (DPO). For all data protection and security inquiries, please contact <legal@nover.studio>.
## 13. Limitations

While we implement commercially reasonable security measures to protect the Service and your data, **we cannot and do not guarantee:**

- That the Service will be immune from security breaches or attacks.
- That your data will never be accessed, disclosed, altered, or destroyed through a security incident.
- That our security measures will prevent all unauthorized access or data loss.
- That third-party service providers will maintain uninterrupted security.
- Specific response times for security incidents or vulnerability reports.

No system connected to the internet is 100% secure. By using the Service, you acknowledge and accept these inherent risks. For the full limitation of liability, see our [Terms of Service](/legal/terms) Section 19.
## 14. Changes to This Security Policy

We may update this Security Policy from time to time to reflect changes in our security practices, technology, or legal requirements. When we make material changes, we will:

1. Update the "Last Updated" date at the top of this Policy.
2. Notify users via email at least **30 days** before changes take effect.

Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the revised Policy.
## 15. Contact Information

For security inquiries, vulnerability reports, or data breach concerns:

- **Security and Privacy:** <legal@nover.studio>
- **General Support:** <support@nover.studio>

**Nover, Inc.**
A Delaware C-Corporation

---

**Related Documents:**

- [Terms of Service](/legal/terms)
- [Privacy Policy](/legal/privacy)
- [DMCA Policy](/legal/dmca)

---

**Previous Versions:** None — this is Version 1.0.