Trust Center · Site of Record

Trust & Security at NOVA Labs.

Gulf-focused voice AI for the sales floor. Honest about what's shipped, honest about what's in progress. No security theatre.

SUB-100MS TO UAE PDPL ALIGNED SOC 2 READINESS FLY.IO MUMBAI TLS 1.3 AES-256 AT REST

01 · Data Residency

Your data stays in the regional edge.

NOVA's API, agent runtime, and primary database run on Fly.io in Mumbai (bom), our regional edge optimised for UAE latency (sub-100ms RTT). We moved off AWS earlier in 2026 and re-pinned to bom on 2026-05-10 after Fly's Bahrain (bah) region exhausted shared-CPU capacity. A UAE- resident region is on our roadmap and we will migrate the moment Fly offers one in-country (see Compliance Roadmap below).

Primary region

Fly.io Mumbai

bom · API (nova-labs-api), Postgres, agent runtime (nova-labs-agent)

Edge / CDN

Cloudflare + Vercel

Cloudflare in front of Vercel for the marketing site; agent traffic served from Fly.io bom

Object storage

Cloudflare R2

Voice enrolment and call artefacts on R2; static marketing assets on Vercel

Backups

Region-locked

Fly Postgres daily snapshots in bom; cross-region replication disabled by default

Telephony egress

Customer's own carrier

BYO Twilio supported; PSTN routing chosen per-deployment

02 · Encryption & Access

Encrypted in flight, encrypted at rest, audited at access.

In transit

TLS 1.3

HSTS on novalabs.ae & api.novalabs.ae · modern cipher suites only

At rest

AES-256

Fly volume encryption on the Postgres data volume; per-tenant context scoping at the row level

Secrets

Fly Secrets

App secrets stored in Fly's encrypted secrets store; no secrets in code, repo, or CI logs; rotated keys for production API tokens

Access control

Least privilege

Founder + on-call only · MFA enforced · production access logged via Fly audit logs and OpenTelemetry traces to Langfuse

03 · Compliance Roadmap

What's shipped, what's in progress.

We refuse to claim certifications we don't have. Every line below is either marked DONE, IN PROGRESS, or PLANNED — and we move them publicly as they ship.

DONE Regional edge data residency, primary region Fly.io Mumbai (bom) All production data persisted in our regional edge (Mumbai, bom) since the 2026-05-10 capacity re-pin from Fly Bahrain (bah).
DONE TLS 1.3 + HSTS across all customer-facing domains Verifiable via SSL Labs scan.
DONE AI identification & recording-consent preamble on every call Compliant with UAE consumer-protection guidance for AI-mediated calls.
IN PROGRESS PDPL alignment (UAE Federal Decree-Law No. 45 of 2021) Data-processing register, DPIA, lead-consent flow being finalised with counsel.
IN PROGRESS SOC 2 Type I — readiness assessment Auditor selection underway. Target window: completion by Q4 2026.
PLANNED ISO 27001 — Stage 1 readiness Sequenced after SOC 2 Type I; same evidence base, lighter gap.
PLANNED Customer-managed encryption keys (BYOK) For enterprise pilots that require key custody outside Fly's managed volume encryption.
PLANNED UAE-resident primary region We will migrate the primary region in-country the moment Fly.io (or a comparable provider meeting our latency and operability bar) offers a UAE-resident region. Until then, Mumbai (bom) is our regional edge.

Why we publish in-progress status. A startup that claims SOC 2 today is either lying or two years older than they look. The in-progress signal is the credibility — it tells you we know the bar, we're walking the audit, and we're not going to surprise you with a missing control halfway through procurement.

04 · Uptime & Incidents

How we run production.

Target SLO

99.5% monthly

Beta SLA — promoted to 99.9% with GA. Excludes customer-provided telephony.

Observability

Sentry + PostHog

Error tracking, release health, session replay (production data scrubbed before ingest).

Incident comms

Direct to pilot Slack

Public status page lands with Day-30 milestone; pilots get founder DM today.

Backups & recovery

RPO 24h · RTO 4h

Daily Postgres snapshots, region-locked; restore drilled quarterly.

05 · Your Data, Your Calls

How NOVA treats lead-side data.

Calls are recorded with consent on the line. NOVA identifies as an AI assistant and announces recording before the conversation proceeds. Lead phone numbers and transcripts persist only as long as required to deliver the call summary and meet UAE legal retention requirements — and are never used to train models.

No customer or lead data is used to train shared foundation models.
Per-tenant context is isolated at the database row level.
Right to deletion honoured within 30 days of written request.
Data subject access requests routed via privacy@novalabs.ae.

Security report or compliance question? security@novalabs.ae — monitored daily, acknowledged within 24 hours.

For pilot procurement and vendor security questionnaires, contact ceo@novalabs.ae.

NOVA Labs · Dubai, UAE · Site of Record · Updated 2026-05-14