Nevorth maintains reasonable measures appropriate for a startup SaaS and relies on established third-party providers for core infrastructure. We do not claim certifications unless stated in an Order Form.
- Encryption in transit: TLS/HTTPS for external communications with Slack, Cloudflare, Make, Anthropic, OpenAI, Stripe, and our website.
- Encryption at rest: provided by subprocessors where available and as configured in their platforms, including Cloudflare D1 (decision history storage).
- Access restrictions: administrative access to service configuration and stored data is restricted to authorised personnel.
- Logging: operational logs are maintained to support reliability and troubleshooting.
- /scan data handling: Channel messages fetched via the /scan command are held in memory only while the analysis runs and are never written to any database. Messages are discarded as soon as the AI analysis is complete. Only the resulting decision analysis output is stored.
- Link unfurling: All messages posted by Decision Referee have link unfurling disabled to prevent unintended data exfiltration via URL previews, in line with Slack's published security recommendations for AI-powered apps.
- Audit logging: The Service maintains an audit log of /scan usage that records only metadata: timestamp, workspace ID, channel ID, user ID, and number of messages scanned. Message content and analysis output are never included in audit logs.
- Vulnerability management: periodic updates to configurations and dependencies where applicable; prioritisation of critical issues.
- Backups/restore testing: resiliency and backups are primarily provided by subprocessors. Nevorth does not promise a specific backup/restore testing schedule unless agreed in an enterprise Order Form.
- Incident handling: Nevorth will notify customers without undue delay of confirmed personal data breaches affecting Customer Data as described in the DPA.
- Decision history storage: decision inputs, outputs, and outcome feedback are stored in Cloudflare D1, including decisions identified via the /scan command. Access to this data is restricted to the applicable Customer's account and to authorised Nevorth personnel for operational purposes.
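The /scan handling, metadata-only audit logging and unfurl-disabled posting described above can be captured in a single data-minimisation pattern. The following is an added illustration in Python, not the Service's own code; `run_scan`, `build_audit_record`, `build_post_payload`, the `Store` stand-in and the sample messages are all constructed here. The `unfurl_links` / `unfurl_media` keys are the real Slack `chat.postMessage` parameters that control link previews.

```python
"""Added illustration of the data-minimisation rules on this page (not Nevorth's code).

Three properties are enforced and made checkable:
  1. fetched channel messages never reach a persistent store;
  2. audit records carry metadata only, never message content or analysis output;
  3. outgoing Slack payloads have link unfurling disabled.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The only keys an audit record may contain (mirrors the page's list of fields).
AUDIT_FIELDS = ("timestamp", "workspace_id", "channel_id", "user_id", "message_count")

# Constructed sample input: the token-like string lets a test prove nothing leaked.
SAMPLE_MESSAGES = [
    "alice: should we ship on Friday?",
    "bob: yes, let's ship Friday. CONSTRUCTED-SECRET-TOKEN-123",
    "alice: agreed, decision made.",
]


@dataclass
class Store:
    """Stand-in for the decision-history database and the audit log."""
    decisions: List[Dict] = field(default_factory=list)
    audit: List[Dict] = field(default_factory=list)


def build_audit_record(timestamp: str, workspace_id: str, channel_id: str,
                       user_id: str, message_count: int) -> Dict:
    """Build an audit entry from metadata only; the signature cannot accept content."""
    record = {
        "timestamp": timestamp,
        "workspace_id": workspace_id,
        "channel_id": channel_id,
        "user_id": user_id,
        "message_count": message_count,
    }
    assert tuple(record) == AUDIT_FIELDS  # guard against someone adding a field later
    return record


def run_scan(store: Store, messages: List[str], workspace_id: str, channel_id: str,
             user_id: str, timestamp: str, analyze: Callable[[List[str]], Dict]) -> Dict:
    """Analyse fetched messages in memory and persist only the analysis and metadata.

    `messages` lives only in this frame: it is passed to `analyze` and then dropped.
    """
    analysis = analyze(messages)
    message_count = len(messages)
    del messages  # explicit: nothing below can reference the raw content

    store.decisions.append({
        "workspace_id": workspace_id,
        "channel_id": channel_id,
        "analysis": analysis,  # decision output only
    })
    store.audit.append(build_audit_record(timestamp, workspace_id, channel_id,
                                          user_id, message_count))
    return analysis


def build_post_payload(channel: str, text: str) -> Dict:
    """Outgoing Slack chat.postMessage body with URL previews turned off."""
    return {"channel": channel, "text": text,
            "unfurl_links": False, "unfurl_media": False}


def store_contains_text(store: Store, needle: str) -> bool:
    """Check helper: does any persisted record contain the given string?"""
    blob = json.dumps(store.decisions) + json.dumps(store.audit)
    return needle in blob


def summarise(messages: List[str]) -> Dict:
    """Toy stand-in for the AI analysis: returns a decision summary, not the transcript."""
    decided = any("decision made" in m for m in messages)
    return {"decision": "Ship on Friday", "confirmed": decided,
            "messages_considered": len(messages)}


def demo() -> Store:
    store = Store()
    run_scan(store, list(SAMPLE_MESSAGES), "W01", "C01", "U01",
             "2024-01-01T00:00:00Z", summarise)
    return store


if __name__ == "__main__":
    s = demo()
    print("audit keys:", list(s.audit[0]))
    print("leaked token:", store_contains_text(s, "CONSTRUCTED-SECRET-TOKEN-123"))
```

The point of the pattern is that the checks are structural rather than a matter of discipline: the audit builder's signature has no parameter that could carry content, and `store_contains_text` gives a test a way to assert that a marker string from the raw messages never appears in anything persisted.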