Nuvepro - Task Intelligence for the Enterprise
Compliance & Security

Built for the regulated enterprise. Your data stays in your tenant.

Banking, healthcare, insurance, and other regulated buyers ask four questions before any pilot: where does our data live, who can see it, what touches the model, what's the audit trail. Honest answers below — what we ship today, what's available per engagement, what's on the roadmap.

Certifications

Honest posture. What we've earned, and what's on the public roadmap.

SOC 2 Type II

Certified

Annual audit by an independent CPA firm. Covers security, availability, processing integrity, confidentiality. Report available under NDA on request.

ISO 27001

Certified

Information Security Management System certified. Statement of Applicability documenting the 93 Annex A controls available on request.

GDPR

On roadmap

Compliance roadmap in flight. Available per engagement with documented controls (data residency, DPA, data subject rights). Full certification target on the public compliance roadmap.

CCPA

On roadmap

Compliance roadmap in flight. Available per engagement with documented controls. Full certification target on the public compliance roadmap.

What ships today

Available in every tenant on day one. No add-on, no separate SKU.

Per-tenant deployment

Choose your deployment posture: Nuvepro cloud, your AWS / Azure / GCP account, or fully on-prem. Per-tenant isolation by default. Data residency selectable per tenant.

Identity and access

SSO via SAML / OIDC. Role-based access control (RBAC) per tenant. Group / role mapping from your IdP. Session policies configurable.

Encryption

TLS 1.2+ in transit. AES-256 at rest. Key management via your KMS (AWS KMS / Azure Key Vault / GCP KMS) when deployed in your cloud. Customer-managed keys (CMK) available.

LLM provider posture

Closed-LLM-in-tenant-cloud (OpenAI / Anthropic / Google through your account) or open-source-in-VPC (Llama / Qwen / Gemma). Per-tenant provider choice. Data does not leave the tenant boundary.

Configurable per engagement

Scoped during your InfoSec walkthrough. Documented in the DPA and the security questionnaire response.

Audit logging and export

Per-tenant audit log of every prompt, model output, human decision, and admin action. Retention configurable. Export to your SIEM / log warehouse available per engagement scope.

Lab security controls

Copy-paste, file upload, and file download restrictions configurable per tenant and per lab. Designed for BFSI scopes where source-system data must not exit the bank's perimeter. Lock-down modes available on request.

Sub-processor disclosure

Sub-processor list (OpenAI, Anthropic, Google, AWS, Azure, etc.) available on request as part of the DPA process. Per-tenant sub-processor selection where the LLM provider is independent of the deployment cloud.

Audit and assurance support

SOC 2 Type II and ISO 27001 reports under NDA. Customer security questionnaires (CAIQ / SIG / VSA) supported. Penetration test summary available on request.

Public compliance roadmap

What's in flight, what's planned. If a target date matters for your engagement, ask during scoping.

GDPR full certification: in progress
CCPA full certification: in progress
HIPAA-aligned controls package (for healthcare engagements): planned
FedRAMP-aligned posture (for US Federal engagements): planned
Continuous compliance dashboard (per-tenant): planned

Frequently Asked Questions

Your choice. Three options: (1) Nuvepro's cloud with region selection, (2) Your own AWS / Azure / GCP account where Nuvepro runs as a tenant, (3) Fully on-prem in your data center. Data residency selectable per tenant. For BFSI deployments option (2) or (3) is the common pattern.
Configurable per tenant and per lab. Default labs allow copy-paste because most use cases require it. For BFSI and other regulated scopes, lock-down modes are available: clipboard policy, file upload disabled, file download disabled, watermarked screens, session recording. Specify the policy during engagement scoping.
Depends on which LLM you choose. (a) If you use OpenAI / Anthropic / Google through your tenant's account, data travels to the provider over TLS but the provider does not retain it (zero-retention API where supported). (b) If you use an open-source model (Llama, Qwen, Gemma) deployed in your VPC or on-prem, data never leaves your network. Per-tenant choice.
Yes, per-tenant. Every prompt, model output, human decision, and admin action is logged. Retention configurable. Export to your SIEM (Splunk / Datadog / Sumo / S3) available per engagement scope. Log integrity protected via append-only storage.
Yes, under NDA. Request via security@nuvepro.com. We also support customer security questionnaires (CAIQ, SIG Lite, SIG Full, VSA), DPAs, and BAAs.
We do not currently hold GDPR or CCPA certification — those are on our compliance roadmap. We can support per-engagement contractual controls today (DPA, sub-processor disclosure, data subject rights process, data residency in EU regions). For deployments where formal GDPR certification is required on day one, talk to us about the engagement-specific posture.
List provided on request as part of the DPA process. Headline sub-processors: AWS or your chosen cloud, the LLM provider you select (OpenAI / Anthropic / Google / etc.), Auth0 / WorkOS for SSO, monitoring vendors (Datadog / Sentry). Per-tenant sub-processor selection where the LLM provider is independent of the deployment cloud.
Annual third-party penetration test. Summary available on request. Material findings remediated within standard SLAs (P1: 30 days, P2: 90 days).
Standard deletion process: data deleted from production within 30 days of contract termination, from backups within the backup retention window (typically 90 days). For GDPR-style data subject rights, individual data deletion is available per engagement.

Need to send your InfoSec questionnaire?

We respond to CAIQ, SIG, and VSA. SOC 2 Type II and ISO 27001 reports available under NDA. Email security@nuvepro.com or book a walkthrough below.

Schedule an InfoSec Walkthrough