Trust Center
How BizNerva protects your data
We hold ourselves to the same evidence standards we ask our customers to meet. This page summarizes our current published security posture, certification status, and subprocessor disclosures.
Last updated: July 5, 2026
Certifications
Certification status
What we have today, what is in progress, and what we have explicitly chosen not to claim.
| Framework | Status | Description |
|---|---|---|
| SOC 2 Type I | Preparing / In progress | Security Trust Services Criterion only. Audit in progress; report will be available under NDA upon issuance. |
| SOC 2 Type II | Planned | Planned to begin observation period immediately after Type I report issuance. |
| CCPA / CPRA | Designed to align | Service Provider obligations accepted in the DPA, including no-sale, no-share, and use-restriction commitments. |
| GDPR / UK GDPR | Designed to align | Acts as Processor under the GDPR for Customer data. EU SCCs and a Transfer Impact Assessment apply to EEA/UK transfers; Controller obligations are set out in the DPA. |
| HIPAA | Not intended yet | Not yet supported. BizNerva is not currently a HIPAA Covered Entity or Business Associate, and BAAs are not offered today. PHI uploads are screened and blocked when detected by automated safeguards, but detection is best-effort and not guaranteed. PHI must not be submitted through the platform. |
Where a framework is marked “designed to align,” we operate the underlying control areas described on this page (encryption, access control, audit logging, retention enforcement) but have not obtained a third-party attestation.
Controls
Controls in production today
Core controls we operate or make available across the platform.
Encryption and key management
Managed database and storage encryption at rest, field-level encryption for high-risk PII fields, credentials, and secrets, and TLS 1.2+ in transit. Production secrets are managed outside source code.
Tenant isolation
Row-Level Security on tenant tables is designed to enforce organization-scoped access at the database layer.
Authentication
Multi-factor authentication is available to every user. Administrator MFA enforcement controls can be enabled by role.
Audit trails
Covered administrative audit log writes are append-only and retained for 7 years. Security events and activity timeline records are retained for 3 years.
Access reviews
Access-review workflows support scheduling, tracking, and overdue visibility for platform administrators.
Vulnerability management
We use dependency scanning, static analysis, and secret-scanning workflows across the codebase. Vulnerabilities can be reported through a documented disclosure process.
Subprocessors
Who else may process your data
We disclose the subprocessors that process customer data on the subprocessors page.
Reports & disclosures
Request our SOC 2 report or report a vulnerability
Request the SOC 2 report
Our SOC 2 Type I report will be available under a mutual non-disclosure agreement once issued. To receive the report, complete a security questionnaire (CAIQ, SIG-Lite, or your own), or sign a DPA, please contact us.
Report a security issue
If you believe you have found a security vulnerability in the BizNerva platform, please email security@biznerva.com. We aim to acknowledge reports within two business days and will provide periodic updates while we investigate.
Documents
Related documents and references
Security overview
Full description of our security posture and operating practices.
Data Processing Agreement
GDPR Art. 28 processor terms, EU SCCs, and CCPA service-provider commitments.
Privacy Policy
What we collect, why, and your rights under GDPR and CCPA / CPRA.
Subprocessors
Current list of third parties that may process customer data.