docs/platform/additional-resources/security.mdx
You can access our compliance reports and certifications directly from our Trust Center at trust.novu.co. The Trust Center provides self-service access to:
Simply visit trust.novu.co to request and download any security documentation you need.
Novu Cloud is SOC 2 Type II compliant. We have completed penetration tests, security training, evidence collection, and follow secure development lifecycle (SDL) practices. You can see live control updates on our Trust Center.
Novu Cloud is ISO 27001 compliant. We have completed both Stage 1 and Stage 2 audits and fully defined ISMS requirements. This includes:
Novu Cloud is HIPAA compliant and we offer Business Associate Agreements (BAA) for customers who require them. This enables healthcare organizations and their partners to use Novu while maintaining compliance with healthcare data protection requirements.
Yes, Novu is fully GDPR compliant. You can see the complete compliance report on our Trust Center. Novu provides separate data residency options in both the EU and the US to support your compliance needs.
Novu Cloud customers can download our Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC) template at novu.co/dpa.
Novu Cloud is available in the following regions:
| Region | Location |
|---|---|
| US | Virginia, United States |
| EU | Frankfurt, Germany |
| UK | United Kingdom |
| Singapore | Singapore |
| Australia | Australia |
| Japan | Japan |
| South Korea | South Korea |
As part of our GDPR compliance, you can choose which region your data resides in when creating your account. Enterprise regions (UK, Singapore, Australia, Japan, South Korea) are available on enterprise plans.
Each region has its own API and WebSocket hostnames. Use the pair that matches the region you selected at signup:
| Region | API base URL | WebSocket URL |
|---|---|---|
| US (default) | https://api.novu.co/v1 | wss://ws.novu.co |
| EU | https://eu.api.novu.co/v1 | wss://eu.socket.novu.co |
For Inbox setup, see EU region configuration.
To maintain data residency integrity, we cannot copy or move data between data warehouses in different regions. If you need to switch regions, please contact us at [email protected] to discuss your options.
By default, data is stored using the following retention periods:
| Data Type | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Activity Feed Logs | 24 hrs | 7 days | 90 days | Custom |
| Inbox Messages | 30 days | 90 days | 90 days | Custom |
| Other Messages | 30 days | 90 days | 90 days | Custom |
If you need to delete specific data or information, reach out to us at [email protected].
We regularly work with large enterprises and are happy to provide guidance on various compliance requirements. Our compliance reports and certifications are available through our Trust Center to help ease your security and legal team's review process.
If you have specific concerns about PII, you have several options:
We are committed to our users' data security and highly appreciate responsible disclosure of security vulnerabilities. To report a security issue: