Trust Center

Nerve handles your business’s most sensitive data. Here’s exactly how we protect it, who processes it, and what we’re working toward.

Security controls

Encryption everywhere

TLS 1.2+ in transit; AES-256 at rest via Supabase. Sensitive fields are additionally encrypted at the application layer.

Tenant isolation

Postgres Row-Level Security scopes every row to its workspace. Strict mode requires a verified session on every request.

Hardened sessions

HttpOnly, signed session cookies — never readable by JavaScript, so script injected via XSS cannot read and steal the session token.

Rate limiting

Per-tenant and per-IP limits stop abuse and runaway loops before they reach your data.

Audit logging

Every AI action is recorded in a hash-chained, tamper-evident ledger you can review and undo.

AI safety

Prompt-injection sanitization on input, validation on output, and a circuit breaker with provider failover.

AI governance (EU AI Act ready)

Nerve is a high-risk AI system under the EU AI Act and is built for its Aug 2026 obligations. We maintain an auto-generated, always-current register of every AI capability — purpose, data sources, performance, limitations, and the human-oversight controls on each.

Capability register — 82 capabilities

Article 13 transparency. 9 high-risk capabilities require human approval; 73 are read-only analysis.

Model cards

Per-model documentation (provider, intended use, training-data provenance, performance, limitations) following Google's Model Cards framework.

Human oversight

A global + per-tenant kill switch, mandatory approval on high-risk actions, universal undo, and a hash-chained audit log.
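As an added illustration of the hash-chained, tamper-evident ledger named under Audit logging and Human oversight (example code, not Nerve's implementation; the workspace ids, action names and the SHA-256-over-canonical-JSON construction are assumptions), the following shows why editing a past entry, or even re-hashing it, is detectable:

```python
import hashlib
import json
from typing import Any, Optional

GENESIS = "0" * 64  # constructed sentinel: "previous hash" for the very first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical record always hashes identically.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLedger:
    """Append-only list of AI actions; every entry commits to the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, tenant: str, action: str, details: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record: dict[str, Any] = {"seq": len(self.entries), "tenant": tenant,
                                  "action": action, "details": details, "prev": prev}
        entry = {**record, "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first broken link, or None if the whole chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or entry_hash(prev, record) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo() -> tuple:
    # Constructed sample: three AI actions (the last one an undo), then an after-the-fact edit.
    ledger = AuditLedger()
    ledger.append("ws_123", "draft_email", {"to": "alice@example.com"})
    ledger.append("ws_123", "update_crm_record", {"id": 42, "field": "stage"})
    ledger.append("ws_123", "undo", {"target_seq": 1})
    before = ledger.verify()                       # None: chain intact
    ledger.entries[1]["details"]["field"] = "owner"  # simulated tampering with entry 1
    after = ledger.verify()                        # 1: hash of entry 1 no longer matches
    return before, after
```

Recomputing the tampered entry's hash does not help an attacker either: the next entry still commits to the old hash, so verification fails one index later.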

Explainability

Every output carries a confidence score, reasoning, and citations. Data lineage traces facts to their source.

Your data is never used to train models

We do not use your data to train AI models — ours or anyone else’s. Your data is processed only to deliver Nerve’s features to you, and is sent to AI providers solely to generate your results.

Compliance status

SOC 2 — 97% evidence-ready

14 of 15 Common Criteria controls mapped to live controls. Type II audit is the next step.

ISO/IEC 42001 — 12 controls mapped

AI Management System control objectives mapped to Nerve's existing infrastructure.

NIST AI RMF — 10 controls

GOVERN / MAP / MEASURE / MANAGE functions mapped to in-product controls.

Auditor-ready exports

The full register, model cards, and control matrices export as documents for your security review.

Access controls

RBAC + ABAC

Fixed roles (owner/admin/editor/viewer) plus attribute-based policies (role, resource, risk tier, time, IP). Deny-first composition.

SCIM 2.0 provisioning

Automated user/group provisioning + deprovisioning with bulk operations, filters, and group→role mapping.

SSO + 2FA

SAML/OIDC SSO, TOTP 2FA with recovery codes, breach-password checks, account lockout, and device session control.

Tenant isolation

Postgres Row-Level Security scopes every row to its workspace on every request.

Incident response

Durable incident tracking, a documented runbook, and an emergency kill switch (global + per-tenant) that instantly pauses all AI action. Our disaster-recovery plan targets a 24-hour RPO and a 4-hour RTO. AI provider outages trigger a circuit breaker with automatic failover.

Data residency

Your data is hosted in a single region — AWS us-east-1 — on Supabase. We do not claim residency we can’t deliver. Regional deployment (EU, India, APAC) is available as an Enterprise engagement; contact sales@nervehq.ai.

Sub-processors

We rely on a small set of vetted providers to run Nerve. The full list — with each one’s purpose and region — lives on our sub-processors page.

Data practices

You own your data and can export it as JSON or delete your account at any time from Settings. Account deletion is a soft-delete with a 30-day grace period — nothing is destroyed immediately, and you can cancel within that window.

See our Privacy Policy for retention details and your rights, and our Security page for the technical specifics.

Compliance roadmap

We build to enterprise standards today and are formalizing certifications as we grow:

  • SOC 2 Type II — planned
  • ISO/IEC 27001 — planned
  • GDPR — data export, deletion, and sub-processor transparency available today

Request a DPA or security questionnaire

Need a Data Processing Addendum, our SOC 2 evidence package, or help completing your vendor security questionnaire? Email sales@nervehq.ai and we’ll turn it around quickly — most of the answers are already documented in our governance register.

Reporting a vulnerability

Found a security issue? Email security@nervehq.ai. See our security.txt for our disclosure policy.