Security

BizNerva is built to handle sensitive business, compliance, and personnel data. We implement defense-in-depth — multiple layers of technical and organizational controls — to protect the confidentiality, integrity, and availability of your data and our systems.

• PII encryption at rest: All personally identifiable information (names, emails, phone numbers, incident involved parties) is encrypted at the field level using industry-standard cryptography with keys managed through a secure vault. Encrypted data is never exposed in raw form.
• Encryption in transit: All data transmitted between your devices and our services is encrypted using TLS 1.2 or higher. External service calls are enforced HTTPS-only in production.
• Access controls: We enforce role-based access control (RBAC) with four distinct roles (super admin, admin, standard, partner), each with precisely scoped permissions enforced at the database level.
• Multi-factor authentication: MFA/2FA is available for all accounts. Progressive account lockout protects against brute-force attacks.
• Data rights: Users can export all their personal data and request account deletion with a 30-day grace period, designed to support GDPR Articles 15, 17, and 20 and CCPA §1798.100–106.

Every organization's data is isolated at the database level using Row-Level Security (RLS) policies on all tenant tables. This enforces that one organization cannot access, modify, or detect another organization's data — regardless of application-layer logic.

• Database-enforced boundaries:RLS policies filter every query by the authenticated user's organization, enforced by the database engine itself — not application code.
• Decryption paths are tenant-scoped:Views that surface decrypted PII enforce the caller's RLS policies at the database layer.
• Storage isolation: Uploaded files are scoped to organization-specific storage paths. Access is granted via short-lived signed URLs (currently 60-minute TTL) so a leaked link cannot be reused indefinitely.

All files uploaded to the Platform pass through a multi-layer security gate before being stored or processed.

• File validation: MIME type verification, file extension checks, magic byte analysis, and file size enforcement per organization limits.
• Virus and malware scanning: Every file is scanned for viruses, trojans, and other malware before storage. Files that fail scanning are quarantined and blocked from download or processing.
• Content disarm and reconstruction: Potentially dangerous content (PDF embedded scripts, Office document macros, active content) is automatically stripped from files before storage, neutralizing attack vectors while preserving document content.
• Rate limiting and audit logging: Upload attempts are rate-limited per user and organization. All upload attempts (successful and rejected) are logged with reason codes for security auditing.
• PII-safe AI processing: Before extracted text is sent to any external AI provider, BizNerva applies a multi-layer defensive pipeline. The pipeline performs structured-pattern redaction of personally identifiable and protected categories at upload time, narrative-content classification before any external call, and content blocking when sensitivity exceeds platform thresholds. Sub-processors that may be invoked at any stage are disclosed on our Subprocessors page. Specific patterns, thresholds, and gate ordering are intentionally not published. Free-text narrative content that cannot be pattern-redacted is safeguarded by classification rather than upfront redaction; pre-screen coverage is described at the category level (workplace PII, protected health information, and student records) without enumerating individual field-level signals.

Our services run on infrastructure operated by established cloud providers that maintain strong physical and network security, redundancy, and compliance certifications. We follow secure development practices, regular dependency updates, and security reviews. Access to production systems is restricted, logged, and reviewed.

We maintain comprehensive audit trails and monitoring to detect suspicious activity and support compliance investigations.

• Audit logs: All administrative actions are recorded in immutable audit log tables with actor identity, timestamp, and action details.
• Security events: Authentication attempts, password resets, account lockouts, and privilege changes are tracked in dedicated security event tables.
• Database triggers: Sensitive tables have automatic audit triggers that fire on every insert, update, or delete.
• Incident response: In the event of a security incident that affects your data, we will notify affected customers without undue delay after becoming aware and notify regulators as required by applicable law. See our Data Processing Agreement for detailed notification procedures and jurisdiction-specific timelines.

BizNerva aligns with multiple regulatory frameworks to protect your data and support your organization's compliance obligations.

SOC 2 Type I (in progress) — BizNerva is preparing for SOC 2 Type I attestation against the Security Trust Services Criterion. The report will be available under NDA upon issuance, and SOC 2 Type II is planned to begin observation immediately after Type I issuance. Key controls include:

• CC6 — Access controls: MFA/2FA, progressive lockout, session management, signed URL expiry, rate limiting.
• CC6.1 — Tenant isolation: RLS on all tenant tables with security invoker views and storage isolation.
• CC6.3 — RBAC: Four-role access matrix enforced at the database level with comprehensive RLS policy coverage across all data access paths.
• CC7 — Monitoring: Audit logs, security events, activity timeline, and database triggers on sensitive tables.
• CC8 — Change management: Versioned SQL migrations, extensive automated security test suite, CI/CD pipeline.

GDPR — BizNerva is designed to support your compliance obligations under GDPR. Your compliance depends on how you configure and use the platform. You are responsible for determining your lawful basis for processing, obtaining necessary consents, and honoring data subject rights.

• Right of Access and Data Portability (Articles 15, 20) — full data export.
• Right to Erasure (Article 17) — self-service deletion with automated processing.
• Consent management (Article 6) — granular consent tracking with withdrawal support.
• Data protection by design (Article 25) — field-level encryption and tenant isolation.

CCPA/CPRA — BizNerva is designed to support your compliance obligations under CCPA/CPRA and other applicable data protection laws. Your compliance depends on how you configure and use the platform.

• Right to Know, Delete, Correct, and Opt-Out (§1798.100–120).
• Global Privacy Control (GPC) signals honored — Do Not Sell or Share page available.
• Notice at Collection presented at signup with data categories and purposes.
• BizNerva does not sell or share personal information as defined under the CCPA/CPRA.

HIPAA posture

HIPAA workloads are not yet supported. BizNerva is not currently a HIPAA Covered Entity or Business Associate, and BAAs are not offered today. Protected Health Information (PHI) uploads are blocked at the client and server boundary; in-app guidance on incident forms further deters inadvertent PHI entry. Healthcare customers exploring future fit can reach us at contact@biznerva.com.

GLBA posture

BizNerva is not a financial institution. When financial institution customers use BizNerva, all data collected pertains to their employees and workplace events — not their banking customers. Our security controls are designed to support the GLBA Safeguards Rule technical requirements. Financial institution customers requiring service provider agreements should contact us at contact@biznerva.com.

COPPA

COPPA does not apply to BizNerva. The platform is a B2B workplace compliance tool not directed at children, and all users must confirm they are at least 18 years old before creating an account.

K-12 schools posture

BizNerva is designed for workplace compliance only. It is intended to support a school's obligations as an employer (e.g., OSHA, WVPP, labor, pay transparency, training) — not to process student records. Accordingly:

• Not an operator under SOPIPA.BizNerva is not an "operator" as defined in the California Student Online Personal Information Protection Act (Cal. Bus. & Prof. Code §22584) because the platform is directed at workplace compliance, not K-12 school administration, instruction, or assessment.
• Not a third-party vendor under AB 1584.BizNerva does not process "pupil records" within the meaning of Cal. Ed. Code §49073.1, and therefore the AB 1584 third-party vendor contract requirements do not apply.
• Not FERPA-covered. BizNerva does not process education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. §1232g) and has not been designated as a school official with legitimate educational interest.
• Upload restrictions. Student-identifying information, pupil records, IEP/504 plans, parent/guardian form fields, and student health records must not be uploaded. See our Acceptable Use Policy — Data You May Not Upload. The platform runs automated pre-screens on uploads to help enforce this.

School customers who need a platform that supports pupil-record processing should engage a vendor that has signed a Student Data Privacy Agreement (SDPA) and is designated as a school official under FERPA.

For full details, see our Privacy Policy.

All BizNerva users must be at least 18 years of age. This is enforced at every account creation entry point — signup, invited signup, join requests, and invitation acceptance — through schema validation, server-side checks, and database persistence. Our Terms of Service and Privacy Policy reflect this requirement.

If you believe you have found a security vulnerability in our services, please report it to us responsibly at contact@biznerva.com. We ask that you do not publicly disclose the issue before we have had a chance to address it. We will acknowledge your report and work with you to understand and resolve it.