Core principle: Your employee data never touches our servers. All workforce data is processed in your browser and discarded when you close the tab. A breach of Noveli infrastructure cannot expose your employee data.
Noveli is built on a zero-server-side-data model for workforce information. CSV files and org chart data are loaded and processed entirely within your browser using client-side JavaScript. Nothing is uploaded to our backend at any point. Our servers handle only authentication, workspace configuration, and subscription status.
All communication between your browser and Noveli's servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject insecure connections.
User passwords are hashed using industry-standard algorithms and are never stored in plain text. Authentication sessions are managed using short-lived JWTs (JSON Web Tokens). Session data is scoped per user and cannot be accessed by other users.
Our database uses row-level security (RLS) to enforce strict tenant isolation. Each user can only access data belonging to their own workspace. Service-level operations use a separate privileged role not exposed to end users.
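One way to implement the per-workspace isolation and separate privileged role described above, as an added example rather than Noveli's own schema. It assumes PostgreSQL; the table, column and role names are assumptions.

```sql
-- Added example (not Noveli's own schema): PostgreSQL row-level security
-- for per-workspace tenant isolation. Table, column and role names are
-- assumptions.

-- Every tenant-scoped row carries the workspace it belongs to.
CREATE TABLE workspace_settings (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid NOT NULL,
    key           text NOT NULL,
    value         text NOT NULL
);

-- Turn RLS on. FORCE matters: without it the table owner (often the role
-- the app migrates with) silently bypasses every policy.
ALTER TABLE workspace_settings ENABLE ROW LEVEL SECURITY;
ALTER TABLE workspace_settings FORCE ROW LEVEL SECURITY;

-- Role that end-user requests run as. It owns nothing and has no BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON workspace_settings TO app_user;
GRANT USAGE ON SEQUENCE workspace_settings_id_seq TO app_user;

-- Service-side role for privileged operations; never handed to end users.
CREATE ROLE app_service NOLOGIN BYPASSRLS;
GRANT ALL ON workspace_settings TO app_service;

-- A row is readable (USING) or writable (WITH CHECK) only when its
-- workspace_id equals the workspace the backend set on this connection
-- after authenticating the user. missing_ok = true keeps an unset value
-- from raising; NULLIF turns '' into NULL so an unset workspace matches
-- no rows at all instead of leaking any.
CREATE POLICY workspace_isolation ON workspace_settings
    FOR ALL TO app_user
    USING (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per-request use by the backend, inside one transaction, after validating
-- the user's session. SET LOCAL scopes both values to the transaction so
-- they cannot bleed into another request on a pooled connection.
-- BEGIN;
-- SET LOCAL ROLE app_user;
-- SET LOCAL app.workspace_id = '00000000-0000-0000-0000-000000000001'; -- constructed sample id
-- SELECT key, value FROM workspace_settings;  -- only this workspace's rows
-- COMMIT;
```

The WITH CHECK clause is what stops an authenticated user from inserting or updating a row into a workspace other than their own; USING alone only filters reads.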
Noveli runs on the following SOC 2 certified infrastructure providers:
Noveli itself is an early-stage company and does not currently hold independent ISO 27001 or SOC 2 certifications. We are committed to pursuing formal certifications as we scale.
Internal access to production systems is restricted to authorized personnel only. Administrative functions require separate authentication beyond standard user credentials. All administrative actions are logged.
In the event of a personal data breach that poses a risk to user rights, Noveli will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, notify affected users without undue delay when the breach is likely to result in high risk per GDPR Article 34, and maintain an internal breach register as required by GDPR Article 33(5).
Because employee workforce data is never stored on our servers, a breach of Noveli infrastructure cannot expose your employee data.
If you discover a security vulnerability in Noveli, we ask that you report it to us responsibly before making it public. Contact security@noveli.io with a description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly. We will not take legal action against researchers who act in good faith.
Responsible disclosure: security@noveli.io
General security questions: hello@noveli.io
Acknowledgment time: Within 48 hours