Security & trust

Built for regulated work. Audited like it.

Noa is the system of record for your disclosures, evidence, and audit trail. Security is the prerequisite, not the feature.

  • SOC 2 Type II
    Certification. Independent annual audit.
  • ISO 27001
    Certification. Information security management.
  • AES-256
    Encryption. In transit and at rest.
  • 99.95%
    Availability. Enterprise SLA, audited quarterly.
Data sovereignty

Your data, where you need it.

Customer data is yours. We deploy in the region your obligations require, on the infrastructure your team trusts.

  • Region of choice
    Deploy in the cloud region your contract specifies. Available in all major hyperscaler regions on request. Regional, in-tenant, and air-gapped deployments available for enterprise.
  • Tenant model
    Single-tenant logical isolation by default. Dedicated infrastructure for enterprise tiers.
  • Ownership
    You own every byte. Export to JSON, CSV, or PDF at any time. Customer data is never used to train shared models.
  • Cross-border transfer
    Standard Contractual Clauses available. DPA tailored to your jurisdiction on enterprise plans.
Access & identity

Least privilege. Always on.

Authentication, authorisation, and audit logging are first-class. Connect Noa to your existing identity provider, keep your existing access policies.

  • SSO
    SAML 2.0 and OIDC. Okta, Azure AD / Entra, Google Workspace, Ping, Auth0.
  • Provisioning
    SCIM 2.0 for user lifecycle. Just-in-time provisioning supported.
  • RBAC
    Granular role-based access at the workspace, project, KPI, and document level.
  • MFA
    Required by default. WebAuthn / FIDO2 hardware keys supported.
  • Audit logs
    Every read, write, and admin action logged. Export to your SIEM via webhook or syslog.
AI & data handling

Your data isn’t the training set.

Customer data never trains shared models. Bring your own LLM contract, or use ours under strict zero-retention terms.

  • Model providers
    OpenAI, Anthropic, AWS Bedrock, Azure OpenAI. Enterprise can pin to a single provider.
  • Retention
    Zero-retention contracts with all upstream providers. Prompts and completions are not logged for training.
  • BYO-LLM
    Bring your own deployment, your own keys, your own region. Available on enterprise tier.
  • Output review
    Every AI-generated draft, KPI, and evidence link is marked for human review. Noa never publishes without sign-off.
Operations

Boring on purpose.

The same disciplined operations posture you expect from your core financial systems.

  • Backups
    Continuous, point-in-time restore. 30-day rolling retention by default.
  • Disaster recovery
    RPO 5 minutes. RTO 1 hour. DR exercises run quarterly.
  • Vulnerability management
    Continuous SCA + SAST. External pen tests annually. Coordinated disclosure program.
  • Sub-processors
    Public list maintained, updated with 30-day notice. See Privacy policy.

Need our Trust Center, DPA, or sub-processor list?

Our security team responds to enterprise diligence within one business day. SOC 2 report, ISO 27001 certificate, pen-test summaries, and a tailored DPA available on request.