1. At a glance
Novex applies defense-in-depth across the application, the database engine, the network edge, and operational processes:
- Encryption in transit: TLS 1.2 minimum (TLS 1.3 preferred), HSTS with two-year max-age and preload, hardened cipher suite (OWASP A+ rating).
- Encryption at rest: AES-256 for sensitive fields, encrypted backups stored separately from production, provider-managed disk encryption for the production database.
- Tenant isolation: three independent layers (application + ORM + PostgreSQL row-level security) enforced on every tenant-scoped table.
- Primary hosting region: European Union.
- Backup posture: daily encrypted full backups + write-ahead-log point-in-time recovery (5-minute RPO) + offsite replication + documented restore drills.
- Authentication: Auth.js v5 with strict session cookies for customers; multi-factor authentication available for staff production access (enforced once the team grows beyond the founder).
- Application security: Semgrep static analysis on every pull request, OWASP ZAP dynamic scanning on a defined cadence, dependency CVE alerts.
- Incident response: documented runbook with 72-hour breach notification commitment to all customers.
- Compliance posture: aligned with EU GDPR, UK GDPR, Saudi PDPL, and California CCPA / CPRA.
- Audit posture: continuous internal audit; third-party audit reports available to enterprise customers under NDA.
2. Tenant data isolation
Novex enforces tenant isolation at three independent layers. A bug in any one layer is caught by the next:
- Application layer — every database query carries an explicit tenantId filter at the callsite.
- ORM layer — the Prisma client automatically injects the current tenant context into every query via $extends.query callbacks, so omitting the filter at the callsite still produces a tenant-scoped query.
- Database engine — PostgreSQL row-level security (RLS) policies on every tenant-scoped table reject any read or write that doesn't match the current session's tenant identifier, set via a per-transaction GUC.
The runtime database role (novex_app) is configured as NOBYPASSRLS, meaning even the application server cannot accidentally read another tenant's data. Cross-tenant queries used by platform-admin and system-level endpoints run under separate roles with explicit audit logging. Verified posture as of May 2026: 128 RLS policies across 119 tenant-scoped tables; zero cross-tenant read or write leaks identified in internal audit.
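The database-engine layer described above, sketched as an added example (not Novex's own schema or policies). The table `events`, column `tenant_id`, policy name and GUC name `app.tenant_id` are assumptions; only the role name `novex_app` and its NOBYPASSRLS attribute come from this page.

```sql
-- Constructed schema for illustration; run the setup as the table owner.
CREATE ROLE novex_app LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE events (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON events TO novex_app;

-- ENABLE turns RLS on; FORCE also applies it to the table owner.
ALTER TABLE events ENABLE ROW LEVEL SECURITY;
ALTER TABLE events FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the GUC was never set, and a
-- custom GUC can read back as '' after a transaction-local value expires.
-- NULLIF folds both into NULL, so a missing tenant context matches no rows
-- instead of raising a cast error or matching everything.
CREATE POLICY tenant_isolation ON events
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Runtime behaviour as the application role.
SET ROLE novex_app;

BEGIN;
-- Third argument true = transaction-local, so the value is discarded at
-- COMMIT/ROLLBACK and cannot leak to the next request on a pooled connection.
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO events (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Launch');   -- allowed
COMMIT;

BEGIN;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
SELECT count(*) FROM events;            -- 0: tenant 1111's row is invisible
INSERT INTO events (tenant_id, name)    -- rejected by WITH CHECK:
VALUES ('11111111-1111-1111-1111-111111111111', 'Spoofed');
-- ERROR: new row violates row-level security policy for table "events"
ROLLBACK;

SELECT count(*) FROM events;            -- 0: no tenant context, no rows
RESET ROLE;
```

A useful audit query alongside this is `SELECT relname FROM pg_class WHERE relkind = 'r' AND NOT relrowsecurity;`, which lists tables where RLS has not been enabled.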
3. Encryption
In transit. TLS 1.2 minimum, TLS 1.3 preferred. HSTS with a two-year max-age, includeSubDomains, and preload. HTTP/2 with Brotli compression. Cipher suite hardened to OWASP A+ rating.
At rest. AES-256 encryption of sensitive fields in the database. Encrypted backups stored separately from production. Production database disks encrypted by the hosting provider.
4. Authentication and access control
Customer authentication. Auth.js v5 with the session-cookie strategy. Session cookies are Secure, HttpOnly, SameSite=Lax, Path=/. Passwords are hashed with Argon2id (industry standard for new applications in 2026). Two-population separation (tenant users, platform users, vendor users) is enforced with distinct cookies, secrets, and rotation policies. Stale-session and tenant-deactivation handling is implemented via JWT max-age plus GUC-aware revocation.
Staff and operator authentication. Multi-factor authentication is required for production access. Least-privilege defaults apply, with quarterly access reviews and immediate revocation on role change or departure.
Role-based access control (RBAC) in the application. Eight system roles (Admin, Event Manager, Finance, Registration Staff, Viewer, External Collaborator, Platform Admin, Vendor User) gate per-route permissions via requirePageCan and requireApiCan. A CI-enforced guard prevents shipping a route without an explicit RBAC check.
5. Network and platform security
Defense-in-depth at the edge and the network:
- Edge. Cloudflare DNS plus WAF (selective). Strict security headers on every response: Strict-Transport-Security, Content-Security-Policy (strict, nonce-based), Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy.
- Network. The production database is not exposed to the public internet; access is restricted to application servers via the private network. Rate-limiting is applied on authentication, signup, and other sensitive endpoints.
- Monitoring. 24/7 external uptime monitoring (UptimeRobot), a public status page (https://stats.uptimerobot.com/Kc6JBIW3PL), centralized application logs with PII scrubbing, anomaly detection on authentication and privileged operations, and error tracking with PII scrubbing (Sentry).
6. Backups and recovery
- Daily full database backups retained for 30 days.
- Write-Ahead Log (WAL) archiving for point-in-time recovery to any moment in the last 7 days (5-minute recovery point objective).
- Offsite replication to a separate geographic location, automated daily.
- Verified restore drills, documented and exercised regularly.
- Recovery Time Objective (RTO): under 4 hours. Recovery Point Objective (RPO): under 5 minutes.
7. Application security
- Static analysis (SAST): Semgrep runs on every pull request.
- Dynamic scanning (DAST): OWASP ZAP baseline scan on a defined cadence.
- Dependency scanning: automated alerts for known CVEs in third-party packages.
- Code review: every change requires peer review before merge.
- Branch protection: required CI status checks on the main branch, enforced for all contributors including administrators.
- Audit logging: every administrative action is logged with actor, timestamp, and payload digest. Audit logs are retained on a three-tier schedule: 18 months for tenant-scoped operational actions, 36 months for platform-scoped actions (no tenant), and 84 months (7 years) for security-critical events (authentication, role/permission changes, MFA, and tenant-lifecycle). Older rows are purged by a nightly job. Retention satisfies PDPL Art 4 (data minimization) and GDPR Art 5(1)(e) (storage limitation) while preserving the KSA financial-record-keeping window for security-critical events and the forensic window needed for incident investigation and regulator audits.
8. Personnel and operational security
- Background checks on staff with production access, where permitted by local law.
- Contractual confidentiality obligations for all personnel.
- Annual security awareness training.
- Documented incident-response plan covering triage, containment, communication, and post-incident review.
- 72-hour breach notification commitment to all customers.
9. Compliance posture
Novex is operated by Novex Systems LLC, a Wyoming, USA limited liability company, and is aligned with the following frameworks:
- EU GDPR — aligned. DPA available at nov3x.com/legal/dpa; Standard Contractual Clauses (2021) used for international transfers.
- UK GDPR — aligned. UK International Data Transfer Addendum used where applicable.
- Saudi PDPL — aligned. Cross-border transfer language per Article 29 in the DPA.
- California CCPA / CPRA — aligned. Privacy Policy includes Notice of Collection and consumer rights.
- SOC 2 Type II — on the roadmap, planned for after initial paid GA.
- ISO 27001 — on the roadmap, planned for enterprise expansion.
Novex's Data Protection Officer is contactable at privacy@nov3x.com.
10. Sub-processors
The complete sub-processor list, with purposes and processing locations, is maintained in our Data Processing Agreement at nov3x.com/legal/dpa. Notable subprocessors as of the effective date:
- Contabo GmbH (EU) — hosting infrastructure.
- Resend — transactional email.
- Sentry — error monitoring (PII-scrubbed).
- Stripe — subscription billing (activated for paid plans).
- Anthropic / OpenAI — only when a customer enables Bring-Your-Own-Key AI.
Customer-configured integrations (such as WhatsApp Business, payment processors for end-user billing, or calendar systems) are sub-processors of the customer, not of Novex. Customers are responsible for disclosing those to their own data subjects.
11. Independent verification
Novex conducts internal security audits continuously, using a combination of automated tooling, third-party reports, and structured manual review. The most recent comprehensive internal audit (Master Public-Launch Hardening Audit) was completed on 2026-05-23 and covered 16 phases, including tenant isolation, authentication, errors and AI-fingerprinting, upload security, secrets and environment hardening, webhooks and integrations, AI safety, logging and privacy, UI/UX, CI and release, production verification, historical regression, billing and entitlements, legal and compliance, and operations and observability.
External audit reports (penetration testing, third-party security assessments) are available to enterprise customers under NDA. Contact security@nov3x.com to request.
12. Vulnerability disclosure
We welcome responsible disclosure of security issues. Please report to security@nov3x.com with a description, reproduction steps, and your contact details. We commit to:
- Acknowledge receipt within 1 business day.
- Provide a preliminary assessment within 5 business days.
- Coordinate fix and disclosure timeline with the reporter.
- Credit reporters publicly (with consent) once the fix is deployed.
13. Customer responsibilities
Security is a shared model. Customers are responsible for:
- Safeguarding their account credentials and enabling multi-factor authentication where available.
- Securing their own devices and networks used to access Novex.
- Lawfully processing personal data of their own end users (attendees, vendors, sponsors).
- Disclosing any third-party integrations they enable through the platform to their own end users.
- Promptly notifying Novex of any suspected compromise of their account at security@nov3x.com.
14. Contact
Security: security@nov3x.com. Privacy: privacy@nov3x.com. Legal: legal@nov3x.com. Customer Support (call/SMS): +1 (307) 466-7333. General inquiries (SMS only): +1 (307) 466-7333. Mailing address: Novex Systems LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA.
Document version 1.0. Last reviewed 2026-05-23. Next review: 2026-08-23 (quarterly).