Security
Last updated: 10 June 2026
We take the security of your data seriously. This page summarizes the practices we follow to keep NovusPraxis and the information you trust us with safe. Security is an ongoing effort, and we continue to improve these practices over time.
1. Encryption and data protection
All traffic to and from NovusPraxis is served over encrypted HTTPS/TLS connections. Your data is stored on managed infrastructure provided by reputable cloud providers, with encryption at rest where supported, and access restricted to the systems and people that need it.
2. Authentication and account protection
- Email-and-password sign-in, with password strength requirements.
- Passwords are stored using strong one-way hashing — we never store them in plain text and cannot see them.
- Single sign-on with Google, using OAuth with PKCE.
- Accounts are temporarily locked after repeated failed sign-in attempts to slow down brute-force attacks.
- Sessions use secure, HTTP-only cookies with same-site protection, and the application has CSRF defenses throughout.
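The password-storage and lockout points above can be shown in a few dozen lines. The following is an added illustration, not NovusPraxis code: it stores only a salted scrypt digest, compares digests in constant time, and locks an account for a window after repeated failures. The threshold, window and scrypt parameters are assumptions chosen for the example, and the in-memory store stands in for a real user table.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for the example; tune cost to your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5           # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window


def hash_password(password: str) -> str:
    """Return a self-describing record (algorithm, salt, digest), hex-encoded.
    Only this record is stored; the password itself never is."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    _, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Constant-time comparison: no timing leak about how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Record used for unknown accounts so their response time matches a real check.
DUMMY_RECORD = hash_password("not-a-real-password")


class AccountStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self) -> None:
        self.users: dict = {}

    def register(self, email: str, password: str) -> None:
        self.users[email] = {"hash": hash_password(password),
                             "failures": 0, "locked_until": 0.0}

    def sign_in(self, email: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'denied'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        user = self.users.get(email)
        if user is None:
            verify_password(password, DUMMY_RECORD)  # burn comparable time
            return "denied"
        if now < user["locked_until"]:
            return "locked"  # rejected without even checking the password
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return "denied"
```

The lockout check runs before the password check, so a locked account costs the server nothing per attempt, and the dummy digest keeps "account does not exist" from being distinguishable by response time.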
3. Access control and tenant isolation
Every resource belongs to an organization, and role-based permissions (owner, admin, member, viewer) govern who can see and change what. Data is scoped to your organization, and real-time channels verify your membership before granting access to live updates such as chat and notifications.
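As an added example (not the application's own code), this is the shape of an authorization check that enforces both halves of the paragraph above: the tenant check comes first, and only then is the role compared. The role ordering and the action-to-role table are assumptions; the page names the four roles but not their exact privileges.

```python
from dataclasses import dataclass

# Assumed for the example: each role includes the permissions of the ones below it.
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}

# Minimum role per action (constructed for the example).
REQUIRED_ROLE = {
    "project:read": "viewer",
    "project:edit": "member",
    "member:invite": "admin",
    "org:delete": "owner",
}


@dataclass
class User:
    id: str
    memberships: dict  # org_id -> role; a user may belong to several orgs


@dataclass
class Resource:
    id: str
    org_id: str


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Tenant check first, role check second: with no membership in the
    resource's organization the answer is False, however privileged the
    user is elsewhere. Unknown actions are denied by default."""
    role = user.memberships.get(resource.org_id)
    if role is None:
        return False
    required = REQUIRED_ROLE.get(action)
    if required is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[required]


def can_join_channel(user: User, org_id: str) -> bool:
    """Gate for real-time channels: membership is confirmed before a socket
    is subscribed to an organization's chat or notification stream."""
    return org_id in user.memberships


def scoped_query(user: User, org_id: str, rows: list) -> list:
    """Every read is filtered by organization, so a mistake in the caller
    cannot surface another tenant's rows."""
    if not can_join_channel(user, org_id):
        return []
    return [r for r in rows if r.org_id == org_id]
```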
4. Payment security
Payments are processed by Stripe, a PCI DSS-compliant payment provider. We do not store your full card number on our servers. Billing webhooks from Stripe carry a cryptographic signature, which we verify before acting on them.
5. File and content storage
Files you upload, such as avatars and attachments, are stored privately and served through signed, time-limited URLs, so they cannot be accessed simply by guessing a link.
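The webhook verification in section 4 and the signed, time-limited URLs in section 5 rest on the same pattern: an HMAC over the message plus a timestamp, checked in constant time and rejected once the time bound has passed. The block below is an added example, not NovusPraxis or Stripe code. Its webhook half follows the documented layout of Stripe's `Stripe-Signature` header (`t=<unix time>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">`); in production the Stripe SDK's `stripe.Webhook.construct_event` does this for you. The secrets, the tolerance and the URL layout are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder secrets for the example.
WEBHOOK_SECRET = b"whsec_EXAMPLE_PLACEHOLDER"
URL_SIGNING_KEY = b"url-signing-key-EXAMPLE"
WEBHOOK_TOLERANCE = 300  # seconds; assumed, matching Stripe's documented default


def _hmac_hex(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _parse_sig_header(header: str) -> list:
    pairs = []
    for item in header.split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            pairs.append((k.strip(), v.strip()))
    return pairs


def sign_stripe_payload(payload: bytes, ts: int) -> str:
    """What the sender computes; included so the check can run offline."""
    return f"t={ts},v1={_hmac_hex(WEBHOOK_SECRET, f'{ts}.'.encode() + payload)}"


def verify_stripe_signature(payload: bytes, sig_header: str, now=None) -> bool:
    """Reject a delivery whose signature or timestamp does not check out.
    The timestamp bound limits replay of a captured delivery; several v1
    values may be present while an endpoint secret is being rotated."""
    now = time.time() if now is None else now
    pairs = _parse_sig_header(sig_header)
    timestamps = [v for k, v in pairs if k == "t"]
    signatures = [v for k, v in pairs if k == "v1"]
    if not timestamps or not signatures:
        return False
    try:
        ts = int(timestamps[0])
    except ValueError:
        return False
    if abs(now - ts) > WEBHOOK_TOLERANCE:
        return False
    expected = _hmac_hex(WEBHOOK_SECRET, f"{ts}.".encode() + payload).encode()
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)


def sign_url(path: str, ttl: int, now=None) -> str:
    """Issue a link that stops working after `ttl` seconds. The signature
    covers both the path and the expiry, so neither can be edited."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    sig = _hmac_hex(URL_SIGNING_KEY, f"{path}?expires={expires}".encode())
    return f"{path}?expires={expires}&sig={sig}"


def verify_signed_url(url: str, now=None) -> bool:
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False
    if now > expires:
        return False
    expected = _hmac_hex(URL_SIGNING_KEY, f"{parts.path}?expires={expires}".encode())
    return hmac.compare_digest(expected.encode(), sig.encode())
```

Guessing a link is not enough because the signature is bound to the exact path and expiry, and a leaked link goes stale on its own once the window closes.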
6. Monitoring and logging
We use error monitoring to detect and fix problems quickly. It is configured to exclude personal identifiers such as email addresses and IP addresses from error reports. We avoid logging sensitive personal data.
7. Data lifecycle and recovery
Critical records are soft-deleted rather than immediately destroyed, so accidental deletions can be recovered by our support team within a limited window before permanent removal.
8. Your role in security
Security is a shared responsibility. Use a strong, unique password, keep your account credentials private, be careful about who you invite to your organization and what role you give them, and contact us right away if you notice anything suspicious.
9. Reporting a vulnerability
If you believe you've found a security issue, please email support@novuspraxis.app with the details. We appreciate responsible disclosure, ask that you give us a reasonable chance to fix the issue before disclosing it publicly, and will respond as quickly as we can.
10. More information
To learn how we collect, use, and protect your personal data, see our Privacy Policy.