Security at Noventra.
How we handle your data, who has access to what, and what we do (and don't do) with the information that flows through your workflows. For the full legal terms, see our Privacy Policy and Third-Party Tools Policy.
Last reviewed · May 8, 2026
How your data is protected in transit and at rest.
Data in transit moves over TLS 1.2 or higher. Data at rest sits on encrypted infrastructure (AES-256) operated by our hosting provider. Credentials are stored only as OAuth tokens, which can be revoked from your end (via your Google, Microsoft, or tool account) or from ours. Our TLS configuration and stored-cryptography implementations were verified as Pass in the CASA Tier 2 assessment described below.
We don't keep copies of the email content, files, or records that flow through your workflows. Those stay in your tools (your inbox, your Drive, your CRM). What we hold is the minimum needed to run the workflow, plus the audit trail of what happened.
Minimum scopes. No standing access. No human reads your content.
We connect to your tools using OAuth, with the minimum permission scopes needed for each workflow. Workflows only act while they're active, and access ends when you disconnect.
Scopes are workflow-specific.
An inbox workflow gets inbox scopes. A Drive workflow gets the Drive scopes it needs. We don't ask for blanket access.
No standing human access.
Noventra personnel do not read customer email, files, or records during normal operation.
Debugging is opt-in.
If something goes wrong and you ask us to investigate, access is limited to the specific workflow you've flagged. We don't access customer content outside the engagement scope. When the issue is resolved, the access ends.
Every workflow action is logged, and the log is yours on request.
Every action a workflow takes is recorded in a curated audit trail: timestamp, the workflow that ran, the inputs it acted on, and the outcome. This is separate from any underlying execution logs and is the version we can hand to you.
Available for review or export on request. We agree the format with you when you ask. Audit entries are kept for the duration of the engagement, plus 30 days after offboarding, then deleted.
What's kept, for how long, and how to delete it.
What we hold is operational, not your business content.
- Workflow content (email bodies, files, records): Not stored. Processed ephemerally and discarded. The same applies across every connected tool, including Outlook, Dropbox, HubSpot, Notion, Salesforce, and the rest.
- Audit trail: Kept for the duration of your engagement, plus 30 days after offboarding, then deleted.
- Account and contract records: Kept for up to 6 years to meet tax and accounting requirements. This matches our Privacy Policy.
- Deletion on request: You can request deletion of any data we hold by emailing support@noventra-ai.com. We confirm completion in writing.
Aligned with GDPR and CCPA.
Noventra AI Automation Platform has been independently audited against the App Defense Alliance's Cloud Application Security Assessment (CASA Tier 2, Lab Tested - Lab Verified) by DEKRA, an authorized third-party assessor. The assessment covered fourteen security categories spanning authentication, session management, access control, cryptography, data protection, communications, logging, configuration, and API/web service security: all verified as Pass. The Letter of Validation was issued on February 26, 2026, with the next reassessment due before February 27, 2027.
Our practices are aligned with the GDPR and CCPA. Data subject rights (access, correction, deletion, portability) are honored on request via legal@noventra-ai.com. The full list of sub-processors we use, by category, is in our Third-Party Tools Policy.
What we don't do with your data.
- We don't store the content of your emails, files, or records. They stay in your tools.
- We don't sell, rent, or share your data with third parties for marketing or advertising.
- Our AI sub-processors operate under no-training agreements (the standard API tier, not consumer products).
- We don't access your tools or content outside of running the workflows you've configured, or debugging at your explicit request.
- We don't store credentials in raw form. Access is via OAuth tokens, which can be revoked.
- We don't offer Noventra as a self-serve product. You don't log in. We run the workflows for you.
Security questions, breach reports, vendor security reviews.
For anything related to security, including questions, suspected incidents, or vendor security review questionnaires, email support@noventra-ai.com. We respond within one business day.
For privacy rights requests (access, deletion, portability under GDPR or CCPA), use legal@noventra-ai.com.