Enterprise-grade security

The memory holds real data. It's treated that way.

The substrate stores decisions, facts, and files from real work — some of it regulated. Security isn't a feature, it's the foundation everything else is built on.

AES-256encryption at rest
TLS 1.2+encryption in transit
Zero trainingon stored data
1-click deleteGDPR forget

Compliance

Built on certified infrastructure, designed for regulated industries.

SOC 2-Eligible Infrastructure

Neruva runs on Google Cloud Platform, which maintains SOC 1/2/3, ISO 27001, and ISO 27017 certifications. Our infrastructure inherits these controls.

GDPR Compliant

Full data subject rights: export, forget, delete. One-click data erasure from the dashboard. We process data lawfully under legitimate interest and contractual necessity.

PIPEDA Compliant

As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act. Your data is handled according to Canadian privacy law.

Technical protections

Multiple layers of security protect your data at every stage.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). No exceptions, no fallback to unencrypted connections.

Encryption at Rest

All stored data is encrypted at rest using AES-256, Google Cloud's default encryption standard. Encryption keys are managed by Google Cloud KMS.

Namespace Isolation

Every account is a fully isolated namespace. No code path allows one namespace to read another's records, graph, or files. This is the strictest architectural invariant in the codebase.

Authentication

Firebase Authentication with Google OAuth 2.0 or email/password. Sessions are managed with secure tokens. Multi-factor authentication (TOTP) available for all accounts.

Access Controls

Role-based access within your account. Admin controls for user management, API key rotation, and billing. All actions are logged in the audit trail.

Secure File Handling

Files pushed for processing are stored in Google Cloud Storage with signed URLs that expire after 7 days, isolated per account with path-level access controls.

How we handle your data

Transparency about what happens to what you store.

Your Data, Your Control

You own everything you store. The substrate never claims ownership of your content. Export a whole namespace to a portable file, or delete it permanently — anytime.

No AI Training

Stored data is never used to train AI models. Not ours, not anyone else's. The substrate stores, indexes, and recalls — that's it.

Data Retention

Records persist until deleted or until a TTL you set expires. On account deletion, all data is permanently erased within 30 days.

GDPR Right to be Forgotten

Atomic forget as a first-class operation — by kind, tag, time, user, or whole entity, in both graph directions. Irreversible by design, with the audit trail intact.

Infrastructure

Google Cloud Platform

All services run on GCP (us-central1). Google Cloud maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications.

Firebase Services

Authentication, database, and file storage powered by Firebase — Google's enterprise application platform with built-in security controls and automatic scaling.

Cloud Run API

The substrate API (api.neruva.io) runs on Cloud Run with versioned, immutable deploys — every revision is kept, and rollback is one command. Authenticated access only.

Security FAQ

Who can see the data in a namespace?

Only that namespace. Data is encrypted and isolated per namespace — no code path lets one namespace read another's records, and there is no browsing tool. Access outside a namespace would require explicit engineering action with audit logging.

What happens if there's a data breach?

We will notify affected customers within 72 hours, as required by GDPR and PIPEDA. We will provide details of what was affected and what steps we're taking. We maintain incident response procedures and conduct regular security reviews.

Where is my data stored?

All data is stored in Google Cloud Platform's us-central1 region (Iowa, USA). Data is encrypted at rest with AES-256 and in transit with TLS 1.2+.

Is stored data used to train AI?

No. Never. Data in the substrate is stored, indexed, and recalled — it is not used to train models, ours or anyone else's.

Can all data be deleted?

Yes — atomically. Records can be forgotten by kind, tag, time window, or user, and an entity can be hard-deleted from the knowledge graph in both directions. Deletion is permanent and cannot be undone.

Do you have SOC 2 certification?

We run on SOC 2-certified infrastructure (Google Cloud Platform). We are working toward our own SOC 2 Type II audit as we scale. Contact us at info@neruva.io for our current security documentation.

Questions about security?

We take security seriously. If you have questions, need a security review, or want to report a vulnerability, contact us.

info@neruva.io