Trust
Nuviax ships enterprise controls today and is pursuing formal certifications through 2026. The wording on this page is the truth of the current state. If your compliance office needs anything more specific, contact us and we will share the underlying evidence under NDA.
Shipping today
Encryption
AES-256 at rest. TLS 1.3 in transit. Customer-managed keys available on the enterprise tier.
Zero-trust architecture
No implicit trust between services. Every internal call is authenticated and authorized against a policy the customer can inspect.
Isolated tenant environments
Per-customer isolation at the compute, storage, and network layer. Sovereign VPC deployments supported for regulators that will not accept multi-tenant infrastructure.
Audit trail on every interaction
Every AI call writes a structured evidence record with caller identity, policy applied, tokens consumed, and downstream action. Retention matches the customer's records policy.
2026 compliance roadmap
The four frameworks below are on the 2026 roadmap. Target dates are what we currently believe. Under NDA we can share readiness reports, gap-analysis outputs, and evidence packages. If your buying decision is gated on a certification not yet complete, tell us and we will map the specific controls you need against what is shipping today.
Type I readiness assessment in progress. Type II audit contracted for a 6-month observation window in 2026.
Gap analysis complete. Statement of Applicability drafted. Stage 1 audit targeted for 2026.
BAA-ready deployment pattern shipping today. Full HIPAA compliance program targeted for 2026 to support production PHI workloads.
Baseline SSP appendix drafted. Sponsoring agency conversations underway. Full ATO targeted for late 2026 / early 2027.
Data handling
No customer data is used to train foundation models. No customer data is shared with third-party LLM providers outside the scope you explicitly approve. Optional fine-tuning happens only within your isolated tenant deployment.
Model providers Nuviax routes to are contractually bound (via BAAs and Data Processing Agreements) not to retain or train on your prompts and outputs. The AI Gateway product enforces this at the routing layer.
Data residency is configurable per deployment. Sovereign VPC deployments keep every byte inside your accredited boundary. See the Sovereign VPC solution page for the deployment pattern.
For security questionnaires, pen-test reports, insurance certificates, subprocessor lists, and readiness-report requests, contact connect@nuviax.ai or book an architecture review. We respond within one business day.
Page last reviewed: July 16, 2026