Security

Last updated 10 July 2026

Novato handles licences, insurance certificates, and other compliance-sensitive documents, so security is core to how we build the product. This page describes the practices we currently have in place. If you have a specific security question as part of a vendor review, contact us at support@novato.com.au.

1. Data encryption

All traffic to and from Novato is encrypted in transit via TLS. Data at rest, including uploaded documents, is encrypted at the infrastructure level by our database and storage provider, Supabase.

2. Access control

We use row-level security policies at the database layer so that a Customer's data — including worker records and documents — is only ever reachable by that Customer's own account and the workers associated with it. Administrative access to production data is restricted to authorised personnel and used only where necessary to operate or support the service.

3. Document verification pipeline

Uploaded documents are transmitted over encrypted connections to our AI verification provider, Anthropic, for automated checks, and are not retained by us for any purpose beyond compliance tracking and audit history.

4. Payments

We never store full payment card numbers. All billing is handled directly by Stripe, a PCI-DSS compliant payment processor.

5. Infrastructure and subprocessors

  • Supabase — database, authentication, and file storage.
  • Stripe — subscription billing and payment processing.
  • Anthropic — AI-assisted document verification.
  • SMS notification provider — to be confirmed; this page will be updated once SMS notifications are enabled for customers.

6. Backups and availability

Our database provider maintains regular automated backups. We monitor the platform for availability issues and work to resolve incidents promptly.

7. Vulnerability reporting

If you believe you've found a security vulnerability in Novato, please report it to support@novato.com.au. Please give us a reasonable opportunity to investigate and address any issue before disclosing it publicly, and avoid accessing or modifying data that isn't your own while testing.

8. Compliance certifications

Novato does not currently hold formal certifications such as ISO 27001 or SOC 2. We're a growing platform and are building our security program in line with the size and risk profile of the business — we'd rather state that plainly than imply otherwise.

9. Contact us

Nadar & Co. (trading as Novato)
195 Miller, North Sydney NSW 2060, Australia
support@novato.com.au