The substrate stores decisions, facts, and files from real work — some of it regulated. Security isn't a feature, it's the foundation everything else is built on.
Built on certified infrastructure, designed for regulated industries.
Neruva runs on Google Cloud Platform, which maintains SOC 1/2/3, ISO 27001, and ISO 27017 certifications. Our infrastructure inherits these controls.
Full data subject rights: export, forget, delete. One-click data erasure from the dashboard. We process data lawfully under legitimate interest and contractual necessity.
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act. Your data is handled according to Canadian privacy law.
Multiple layers of security protect your data at every stage.
All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). No exceptions, no fallback to unencrypted connections.
All stored data is encrypted at rest using AES-256, Google Cloud's default encryption standard. Encryption keys are managed by Google Cloud KMS.
Every account is a fully isolated namespace. No code path allows one namespace to read another's records, graph, or files. This is the strictest architectural invariant in the codebase.
Firebase Authentication with Google OAuth 2.0 or email/password. Sessions are managed with secure tokens. Multi-factor authentication (TOTP) available for all accounts.
Role-based access within your account. Admin controls for user management, API key rotation, and billing. All actions are logged in the audit trail.
Files pushed for processing are stored in Google Cloud Storage with signed URLs that expire after 7 days, isolated per account with path-level access controls.
Transparency about what happens to what you store.
You own everything you store. The substrate never claims ownership of your content. Export a whole namespace to a portable file, or delete it permanently — anytime.
Stored data is never used to train AI models. Not ours, not anyone else's. The substrate stores, indexes, and recalls — that's it.
Records persist until deleted or until a TTL you set expires. On account deletion, all data is permanently erased within 30 days.
Atomic forget as a first-class operation — by kind, tag, time, user, or whole entity, in both graph directions. Irreversible by design, with the audit trail intact.
All services run on GCP (us-central1). Google Cloud maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications.
Authentication, database, and file storage powered by Firebase — Google's enterprise application platform with built-in security controls and automatic scaling.
The substrate API (api.neruva.io) runs on Cloud Run with versioned, immutable deploys — every revision is kept, and rollback is one command. Authenticated access only.
Only that namespace. Data is encrypted and isolated per namespace — no code path lets one namespace read another's records, and there is no browsing tool. Access outside a namespace would require explicit engineering action with audit logging.
We will notify affected customers within 72 hours, as required by GDPR and PIPEDA. We will provide details of what was affected and what steps we're taking. We maintain incident response procedures and conduct regular security reviews.
All data is stored in Google Cloud Platform's us-central1 region (Iowa, USA). Data is encrypted at rest with AES-256 and in transit with TLS 1.2+.
No. Never. Data in the substrate is stored, indexed, and recalled — it is not used to train models, ours or anyone else's.
Yes — atomically. Records can be forgotten by kind, tag, time window, or user, and an entity can be hard-deleted from the knowledge graph in both directions. Deletion is permanent and cannot be undone.
We run on SOC 2-certified infrastructure (Google Cloud Platform). We are working toward our own SOC 2 Type II audit as we scale. Contact us at info@neruva.io for our current security documentation.
We take security seriously. If you have questions, need a security review, or want to report a vulnerability, contact us.
info@neruva.io