Skip to content

Trust Center

How BizNerva protects your data

We hold ourselves to the same evidence standards we ask our customers to meet. This page summarizes our current published security posture, certification status, and subprocessor disclosures.

Last updated: July 5, 2026

Certifications

Certification status

What we have today, what is in progress, and what we have explicitly chosen not to claim.

FrameworkStatusDescription
SOC 2 Type IPreparing / In progressSecurity Trust Services Criterion only. Audit in progress; report will be available under NDA upon issuance.
SOC 2 Type IIPlannedPlanned to begin observation period immediately after Type I report issuance.
CCPA / CPRADesigned to alignService Provider obligations accepted in the DPA, including no-sale, no-share, and use-restriction commitments.
GDPR / UK GDPRDesigned to alignActs as Processor under the GDPR for Customer data. EU SCCs and a Transfer Impact Assessment apply to EEA/UK transfers; Controller obligations are set out in the DPA.
HIPAANot intended yetNot yet supported. BizNerva is not currently a HIPAA Covered Entity or Business Associate, and BAAs are not offered today. PHI uploads are screened and blocked when detected by automated safeguards, but detection is best-effort and not guaranteed. PHI must not be submitted through the platform.

Where a framework is marked “designed to align,” we operate the underlying control areas described on this page (encryption, access control, audit logging, retention enforcement) but have not obtained a third-party attestation.

Controls

Controls in production today

Core controls we operate or make available across the platform.

Encryption and key management

Managed database and storage encryption at rest, field-level encryption for high-risk PII fields, credentials, and secrets, and TLS 1.2+ in transit. Production secrets are managed outside source code.

Tenant isolation

Row-Level Security on tenant tables is designed to enforce organization-scoped access at the database layer.

Authentication

Multi-factor authentication is available to every user. Administrator MFA enforcement controls can be enabled by role.

Audit trails

Covered administrative audit log writes are append-only and retained for 7 years. Security events and activity timeline records are retained for 3 years.

Access reviews

Access-review workflows support scheduling, tracking, and overdue visibility for platform administrators.

Vulnerability management

We use dependency scanning, static analysis, and secret-scanning workflows across the codebase. Vulnerabilities can be reported through a documented disclosure process.

Subprocessors

Who else may process your data

We disclose the subprocessors that process customer data on the subprocessors page.

Reports & disclosures

Request our SOC 2 report or report a vulnerability

Request the SOC 2 report

Our SOC 2 Type I report will be available under a mutual non-disclosure agreement once issued. To receive the report, complete a security questionnaire (CAIQ, SIG-Lite, or your own), or sign a DPA, please contact us.

security@biznerva.com

Report a security issue

If you believe you have found a security vulnerability in the BizNerva platform, please email security@biznerva.com. We aim to acknowledge reports within two business days and will provide periodic updates while we investigate.