Security at Nytivo

Your compliance documentation contains sensitive technical details about your AI system. We treat it accordingly. This page describes how we protect the data you store in Nytivo.

Infrastructure

  • Compute and CDN: Vercel (edge network, EU-region traffic routing)
  • Database and authentication: Supabase (PostgreSQL, hosted in EU-West)
  • All infrastructure providers maintain SOC 2 Type II certification
  • No customer data is stored in non-EU regions

Encryption

  • Data in transit: TLS 1.2+ enforced across all connections
  • Data at rest: AES-256 encryption via Supabase managed storage
  • Passwords are never stored — authentication uses magic links and OAuth
  • API keys and secrets are stored as environment variables, never in source code

Access controls

  • Row-level security (RLS) enforced at the database layer — users can only access their own organisation's data
  • No Nytivo employee has standing access to customer compliance data
  • Database access requires VPN and MFA-protected credentials
  • All production access is logged and audited

GDPR & data processing

  • Nytivo acts as a data processor when handling your compliance documentation
  • A Data Processing Agreement (DPA) is available at /dpa
  • You can export or delete all your data at any time from account settings
  • We do not sell or share customer data with third parties

Application security

  • Content Security Policy (CSP) headers on all responses
  • CSRF protection via SameSite cookie attributes
  • Input validation and parameterised queries throughout — no raw SQL concatenation
  • Dependencies are monitored for known vulnerabilities via automated scanning

Responsible disclosure

If you discover a security vulnerability in Nytivo, please report it to security@nytivo.com before disclosing it publicly. We respond to all security reports within 24 hours and aim to remediate critical issues within 72 hours. We do not pursue legal action against good-faith security researchers.

For formal data processing obligations, see our Data Processing Agreement and Privacy Policy. For security-specific questions, email security@nytivo.com.