Last updated 10 July 2026
Novato handles licences, insurance certificates, and other compliance-sensitive documents, so security is core to how we build the product. This page describes the practices we currently have in place. If you have a specific security question as part of a vendor review, contact us at support@novato.com.au.
All traffic to and from Novato is encrypted in transit via TLS. Data at rest, including uploaded documents, is encrypted at the infrastructure level by our database and storage provider, Supabase.
We use row-level security policies at the database layer so that a Customer's data — including worker records and documents — is only ever reachable by that Customer's own account and the workers associated with it. Administrative access to production data is restricted to authorised personnel and used only where necessary to operate or support the service.
Uploaded documents are transmitted over encrypted connections to our AI verification provider, Anthropic, for automated checks, and are not retained by us for any purpose beyond compliance tracking and audit history.
We never store full payment card numbers. All billing is handled directly by Stripe, a PCI-DSS compliant payment processor.
Our database provider maintains regular automated backups. We monitor the platform for availability issues and work to resolve incidents promptly.
If you believe you've found a security vulnerability in Novato, please report it to support@novato.com.au. Please give us a reasonable opportunity to investigate and address any issue before disclosing it publicly, and avoid accessing or modifying data that isn't your own while testing.
Novato does not currently hold formal certifications such as ISO 27001 or SOC 2. We're a growing platform and are building our security program in line with the size and risk profile of the business — we'd rather state that plainly than imply otherwise.
Nadar & Co. (trading as Novato)
195 Miller, North Sydney NSW 2060, Australia
support@novato.com.au