Trust Center
How BizNerva protects your data
We hold ourselves to the same evidence standards we ask our customers to meet. This page is the source of truth for our security posture, certification status, and subprocessors.
Last updated: May 21, 2026
Certifications
Certification status
What we have today, what is in progress, and what we have explicitly chosen not to claim.
| Framework | Status | Description |
|---|---|---|
| SOC 2 Type I | Preparing / In progress | Security Trust Services Criterion only. Audit in progress; report will be available under NDA upon issuance. |
| SOC 2 Type II | Planned | Planned to begin observation period immediately after Type I report issuance. |
| CCPA / CPRA | Designed to align | Service Provider obligations accepted in the DPA, including no-sale, no-share, and use-restriction commitments. |
| GDPR / UK GDPR | Designed to align | Acts as Processor under the GDPR for Customer data. EU SCCs and a Transfer Impact Assessment apply to EEA/UK transfers; Controller obligations are set out in the DPA. |
| HIPAA | Not intended yet | Not yet supported. BizNerva is not currently a HIPAA Covered Entity or Business Associate, and BAAs are not offered today; PHI uploads are blocked at the client and server boundary. Healthcare customers exploring future fit can reach us at contact@biznerva.com. |
Where a framework is marked “designed to align,” we operate the underlying controls (encryption, access control, audit logging, retention enforcement) but have not obtained a third-party attestation.
Controls
Controls in production today
The six controls every BizNerva customer inherits by default.
Encryption everywhere
Field-level encryption of personal data at rest via managed key vault. TLS 1.2+ in transit. Secrets never committed to source.
Tenant isolation
Row-Level Security enforced on all tenant tables. Each organization can read and write only its own rows.
Authentication
Multi-factor authentication is available to every user and enforced for platform and organization administrators. Device trust is signed; idle session timeout applies platform-wide.
Immutable audit trail
Audit log writes are append-only (immutable) and retained for 7 years.
Access reviews
Quarterly access reviews are scheduled, tracked, and enforced. Overdue reviews are surfaced to platform administrators.
Vulnerability management
Continuous dependency scanning, static code analysis, and secret scanning across our codebase. Vulnerabilities can be reported through a documented disclosure process.
Subprocessors
Who else may process your data
We disclose every subprocessor that may process customer data. The list is kept up to date on the subprocessors page.
Reports & disclosures
Request our SOC 2 report or report a vulnerability
Request the SOC 2 report
Our SOC 2 Type I report will be available under a mutual non-disclosure agreement once issued. To receive the report, to complete a security questionnaire (CAIQ, SIG-Lite, or your own), or to sign a DPA, please contact us.
Report a security issue
If you believe you have found a security vulnerability in the BizNerva platform, please email security@biznerva.com. We aim to acknowledge reports within two business days and will provide periodic updates while we investigate.
Documents
Related documents and references
Security overview
Full description of our security posture and operating practices.
Data Processing Agreement
GDPR Art. 28 processor terms, EU SCCs, and CCPA service-provider commitments.
Privacy Policy
What we collect, why, and your rights under GDPR and CCPA / CPRA.
Subprocessors
Current list of third parties that may process customer data.