Trust

Security, compliance,and audit posture.

Nuviax ships enterprise controls today and is pursuing formal certifications through 2026. The wording on this page is the truth of the current state. If your compliance office needs anything more specific, contact us and we will share the underlying evidence under NDA.

Shipping today

The controls the platform provides right now.

Encryption

AES-256 at rest. TLS 1.3 in transit. Customer-managed keys available on the enterprise tier.

Zero-trust architecture

No implicit trust between services. Every internal call is authenticated and authorized against a policy the customer can inspect.

Isolated tenant environments

Per-customer isolation at the compute, storage, and network layer. Sovereign VPC deployments supported for regulators that will not accept multi-tenant infrastructure.

Audit trail on every interaction

Every AI call writes a structured evidence record with caller identity, policy applied, tokens consumed, and downstream action. Retention matches the customer's records policy.

2026 compliance roadmap

None of these certifications are complete yet.

The four frameworks below are on the 2026 roadmap. Target dates are what we currently believe. Under NDA we can share readiness reports, gap-analysis outputs, and evidence packages. If your buying decision is gated on a certification not yet complete, tell us and we will map the specific controls you need against what is shipping today.

SOC 2 Type II

Roadmap 2026

Type I readiness assessment in progress. Type II audit contracted for a 6-month observation window in 2026.

ISO 27001

Roadmap 2026

Gap analysis complete. Statement of Applicability drafted. Stage 1 audit targeted for 2026.

HIPAA

Roadmap 2026

BAA-ready deployment pattern shipping today. Full HIPAA compliance program targeted for 2026 to support production PHI workloads.

FedRAMP Moderate

Roadmap 2026

Baseline SSP appendix drafted. Sponsoring agency conversations underway. Full ATO targeted for late 2026 / early 2027.

Data handling

Your data does not train foundation models.

No customer data is used to train foundation models. No customer data is shared with third-party LLM providers outside the scope you explicitly approve. Optional fine-tuning happens only within your isolated tenant deployment.

Model providers Nuviax routes to are contractually bound (via BAAs and Data Processing Agreements) not to retain or train on your prompts and outputs. The AI Gateway product enforces this at the routing layer.

Data residency is configurable per deployment. Sovereign VPC deployments keep every byte inside your accredited boundary. See the Sovereign VPC solution page for the deployment pattern.

Security questions your compliance team should send to us directly.

For security questionnaires, pen-test reports, insurance certificates, subprocessor lists, and readiness-report requests, contact connect@nuviax.ai or book an architecture review. We respond within one business day.

Page last reviewed: July 16, 2026