Legal document
Security
- Effective: April 1, 2026
- Issuer: MorPhoe Tech Inc.
How we protect your data, isolate tenants, and support regulatory compliance.
- PII encryption: Field-level PII encryption at rest via Vault key management plus TLS 1.2+ in transit.
- Tenant isolation: Row-Level Security on 20+ tables enforces that each organization can only access its own data.
- Access control: Role-based access with 4 roles, MFA/2FA, progressive lockout, and least privilege.
- Audit logging: Comprehensive audit trails with database triggers on all sensitive tables.
- SOC 2 aligned: Controls designed to align with SOC 2 Trust Services Criteria (CC6, CC7, CC8). Type II audit planned.
- Regulatory posture: Designed to support GDPR, CCPA/CPRA, HIPAA, and GLBA compliance obligations.
Our approach
BizNerva is built to handle sensitive business, compliance, and personnel data. We implement defense-in-depth — multiple layers of technical and organizational controls — to protect the confidentiality, integrity, and availability of your data and our systems.
Data protection
- PII encryption at rest: All personally identifiable information (names, emails, phone numbers, incident involved parties) is encrypted at the field level using industry-standard cryptography with keys managed through a secure vault. Encrypted data is never exposed in raw form.
- Encryption in transit: All data transmitted between your devices and our services is encrypted using TLS 1.2 or higher. External service calls are enforced HTTPS-only in production.
- Access controls: We enforce role-based access control (RBAC) with four distinct roles (super admin, admin, standard, partner), each with precisely scoped permissions enforced at the database level.
- Multi-factor authentication: MFA/2FA is available for all accounts. Progressive account lockout protects against brute-force attacks.
- Data rights: Users can export all their personal data and request account deletion with a 30-day grace period, designed to support GDPR Articles 15, 17, and 20 and CCPA §1798.100–106.
Tenant isolation
Every organization's data is isolated at the database level using Row-Level Security (RLS) policies on more than 20 tables. This enforces that one organization cannot access, modify, or detect another organization's data — regardless of application-layer logic.
- Database-enforced boundaries: RLS policies filter every query by the authenticated user's organization, enforced by the database engine itself — not application code.
- Decrypted views with tenant scoping: Views that decrypt PII run with security invoker mode, ensuring the caller's RLS policies are always applied.
- Storage isolation: Uploaded files are scoped to organization-specific storage paths with signed URL expiry.
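The pattern described above (database-enforced RLS plus a decrypting view that runs as the caller) looks like this in PostgreSQL. This is an added illustration, not BizNerva's schema or code: the table, the `current_org_id()` helper, the JWT-claim session setting and the `app.pii_key` setting are assumptions standing in for the product's own tenant lookup and vault-managed keys.

```sql
-- Illustrative tenant-scoped table (assumed schema, not BizNerva's).
create extension if not exists pgcrypto;

create table incidents (
  id           bigserial primary key,
  org_id       uuid not null,
  reporter_enc bytea not null,          -- field-level encrypted PII (ciphertext only)
  created_at   timestamptz not null default now()
);

-- Caller's organization, taken from a per-request session setting the
-- application populates from the authenticated user's token (assumed mechanism).
create function current_org_id() returns uuid
language sql stable as $$
  select (current_setting('request.jwt.claims', true)::jsonb ->> 'org_id')::uuid
$$;

alter table incidents enable row level security;
alter table incidents force row level security;   -- owner is not exempt either

-- Every read and write is filtered by the engine: a row is visible or writable
-- only when its org_id equals the caller's organization. No application code involved.
create policy incidents_tenant_scope on incidents
  for all
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Decrypting view. security_invoker = true (PostgreSQL 15+) runs the view with the
-- caller's privileges, so the policy above still applies. Without it the view would
-- run as its owner and could expose other tenants' decrypted rows.
-- The key lookup via current_setting is a placeholder for vault-managed keys.
create view incidents_decrypted
  with (security_invoker = true) as
  select id,
         org_id,
         pgp_sym_decrypt(reporter_enc, current_setting('app.pii_key', true)) as reporter,
         created_at
  from incidents;

-- Check, run as the application role: set the claim for one organization, then
-- both the base table and the decrypting view return only that organization's rows.
select set_config('request.jwt.claims',
                  '{"org_id":"11111111-1111-1111-1111-111111111111"}', false);
select count(*) from incidents_decrypted;
```

Re-run the last two statements with a different `org_id` to confirm the row set changes with the claim rather than with any query predicate the client supplies.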
Infrastructure and operations
Our services run on infrastructure operated by established cloud providers that maintain strong physical and network security, redundancy, and compliance certifications. We follow secure development practices, regular dependency updates, and security reviews. Access to production systems is restricted, logged, and reviewed.
Monitoring and audit logging
We maintain comprehensive audit trails and monitoring to detect suspicious activity and support compliance investigations.
- Audit logs: All administrative actions are recorded in immutable audit log tables with actor identity, timestamp, and action details.
- Security events: Authentication attempts, password resets, account lockouts, and privilege changes are tracked in dedicated security event tables.
- Database triggers: Sensitive tables (profiles, incidents, partners, consents, and more) have automatic audit triggers that fire on every insert, update, or delete.
- Incident response: In the event of a security incident that affects your data, we will notify you within seventy-two (72) hours of confirmed discovery and notify regulators as required by applicable law. See our Data Processing Agreement for detailed breach notification procedures.
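An added illustration of the audit-trigger mechanism described above, in PostgreSQL; it is not BizNerva's code, and the `audit_log` table, the `incidents` table it watches and the `app_user` role are assumed names.

```sql
-- Append-only audit table (assumed schema). Old/new rows are stored as JSON;
-- PII columns in them are already ciphertext because encryption is field-level.
create table audit_log (
  id         bigserial primary key,
  table_name text        not null,
  action     text        not null,               -- INSERT / UPDATE / DELETE
  row_id     text,
  actor      text        not null default current_user,
  org_id     uuid,
  old_row    jsonb,
  new_row    jsonb,
  logged_at  timestamptz not null default now()
);

-- Immutability: the application role may only add entries, never change them.
revoke all on audit_log from public;
grant insert on audit_log to app_user;            -- assumed application role

-- Generic trigger function: records actor, timestamp, action and row details.
create function audit_row_change() returns trigger
language plpgsql as $$
begin
  insert into audit_log (table_name, action, row_id, org_id, old_row, new_row)
  values (
    tg_table_name,
    tg_op,
    case when tg_op = 'DELETE' then old.id::text     else new.id::text  end,
    case when tg_op = 'DELETE' then old.org_id       else new.org_id    end,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  -- AFTER triggers ignore the return value, but returning a row is conventional.
  return case when tg_op = 'DELETE' then old else new end;
end
$$;

-- Attach to a sensitive table; fires once per affected row for every write.
create trigger incidents_audit
  after insert or update or delete on incidents
  for each row execute function audit_row_change();

-- Check: after any insert/update/delete on incidents, the matching entry appears here.
select action, actor, row_id, logged_at from audit_log order by id desc limit 5;
```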
Regulatory compliance
BizNerva aligns with multiple regulatory frameworks to protect your data and support your organization's compliance obligations.
SOC 2 alignment — BizNerva's security controls are designed to align with SOC 2 Trust Services Criteria (CC6, CC7, CC8). BizNerva has not yet completed a SOC 2 Type II audit but maintains internal controls consistent with these criteria.
- CC6 — Access controls: MFA/2FA, progressive lockout, session management, signed URL expiry, rate limiting.
- CC6.1 — Tenant isolation: RLS on 20+ tables with security invoker views and storage isolation.
- CC6.3 — RBAC: Four-role access matrix enforced at the database level with 27 RLS policies.
- CC7 — Monitoring: Audit logs, security events, activity timeline, and database triggers on sensitive tables.
- CC8 — Change management: Versioned SQL migrations, 1,250+ automated security tests, CI/CD pipeline.
GDPR — BizNerva is designed to support your compliance obligations under GDPR. Your compliance depends on how you configure and use the platform. You are responsible for determining your lawful basis for processing, obtaining necessary consents, and honoring data subject rights.
- Right of Access and Data Portability (Articles 15, 20) — full data export.
- Right to Erasure (Article 17) — self-service deletion with automated processing.
- Consent management (Article 6) — granular consent tracking with withdrawal support.
- Data protection by design (Article 25) — field-level encryption and tenant isolation.
CCPA/CPRA — BizNerva is designed to support your compliance obligations under CCPA/CPRA and other applicable data protection laws. Your compliance depends on how you configure and use the platform.
- Right to Know, Delete, Correct, and Opt-Out (§1798.100–120).
- Global Privacy Control (GPC) signals honored — Do Not Sell or Share page available.
- Notice at Collection presented at signup with data categories and purposes.
- BizNerva does not sell or share personal information as defined under the CCPA/CPRA.
HIPAA posture
For healthcare organizations, BizNerva's technical controls are designed to support compliance with the HIPAA Security Rule. BizNerva is not a HIPAA Covered Entity. Healthcare customers requiring a Business Associate Agreement (BAA) should contact us at contact@biznerva.com to discuss their requirements. Healthcare customers see in-app guidance on incident forms to prevent inadvertent PHI entry.
GLBA posture
BizNerva is not a financial institution. When financial institution customers use BizNerva, all data collected pertains to their employees and workplace events — not their banking customers. Our security controls are designed to support the GLBA Safeguards Rule technical requirements. Financial institution customers requiring service provider agreements should contact us at contact@biznerva.com.
COPPA
COPPA does not apply to BizNerva. The platform is a B2B workplace compliance tool not directed at children, and all users must confirm they are at least 18 years old before creating an account.
For full details, see our Privacy Policy.
Age enforcement
All BizNerva users must be at least 18 years of age. This is enforced at every account creation entry point — signup, invited signup, join requests, and invitation acceptance — through schema validation, server-side checks, and database persistence. Our Terms of Service and Privacy Policy reflect this requirement.
Reporting security issues
If you believe you have found a security vulnerability in our services, please report it to us responsibly at contact@biznerva.com. We ask that you do not publicly disclose the issue before we have had a chance to address it. We will acknowledge your report and work with you to understand and resolve it.