Security & compliance

Your clients' data, protected

Financial advice involves sensitive personal and financial information. Every layer of Nuvano is designed to keep that data safe and help you meet your regulatory obligations.

Complete practice isolation

Every practice's data is separated at the database level. Your clients, submissions, and documents are invisible to other practices.

Encrypted in transit

All data in transit is encrypted with TLS. HTTP Strict Transport Security (HSTS) with a one-year max-age instructs browsers to connect only over HTTPS, so a request that starts as plain HTTP is upgraded before anything sensitive is sent.

Full audit trail

Every user action is logged as a structured record, giving you a complete evidence trail when you need it.

How we protect your data

Multi-tenant data isolation

Nuvano was designed as multi-tenant from day one. Clients, submissions, recommendations, and documents belonging to one practice are never accessible to another.

  • Role-based access control: Admin, Adviser, and Client Manager roles with distinct permissions
  • Client visibility modes let you control which advisers see which clients within your practice
  • All administrative actions are logged with a full audit trail for oversight

Authentication and session security

Client questionnaire session data is cryptographically signed. Any edit to the session data invalidates the signature, so the system detects the tampering and rejects the request. Signing protects the integrity of the session, not its confidentiality; the contents are protected in transit by TLS.

  • Sessions expire after 2 hours of inactivity (rolling timeout)
  • Recommendation links have configurable expiry (1 to 30 days, set by your practice)
  • CSRF protection on every form and endpoint
  • Rate limiting on questionnaire submissions to prevent abuse

Infrastructure and data storage

Nuvano runs on cloud infrastructure covered by a SOC 2 attestation, with automated health checks and database monitoring. Documents are accessible only through time-limited links.

  • HTTPS enforced: HSTS with a one-year max-age, with the domain submitted for browser preload so that even a first visit is never made over plain HTTP
  • Document links use pre-signed URLs that expire after 1 hour
  • Managed database with automated health monitoring and connection checks
  • All credentials are stored securely and rotated regularly
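The two mechanisms described above, tamper-evident session data and document links that expire after one hour, share the same building block: a server-side secret and an HMAC over the data being protected. The following is an added example written for this page to show how that works end to end; it is not Nuvano's code, and the key, the token layout, the field names and the URL parameters are assumptions made for illustration.

```python
"""Signed, expiring tokens: tamper detection for questionnaire session data and
time-limited document links. Added example, not Nuvano's code; the key, field
names and URL layout are assumptions made for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. A real deployment loads it from a secret store.
SERVER_KEY = b"demo-key-do-not-use-in-production"

SESSION_INACTIVITY_SECONDS = 2 * 60 * 60  # 2-hour rolling timeout
DOCUMENT_LINK_SECONDS = 60 * 60           # 1-hour pre-signed link


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload: nobody without SERVER_KEY can forge it."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def sign_session(data: dict, now: float) -> str:
    """Serialise session data with its last-activity time and sign it."""
    body = dict(data, last_seen=int(now))
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def verify_session(token: str, now: float) -> Optional[dict]:
    """Return the session data if the signature is valid and the session has
    not been idle past the rolling timeout; otherwise None (request rejected)."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, supplied_mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time compare; an edited payload no longer matches its MAC.
    if not hmac.compare_digest(_mac(payload), supplied_mac):
        return None
    body = json.loads(payload)
    if now - body["last_seen"] > SESSION_INACTIVITY_SECONDS:
        return None
    return body


def tampered(token: str) -> str:
    """Change one character of the payload, as an attacker editing a cookie would."""
    first = "A" if token[0] != "A" else "B"
    return first + token[1:]


def presign_document_url(base_url: str, document_id: str, now: float) -> str:
    """Issue a document link that stops working one hour after it is created."""
    expires = int(now) + DOCUMENT_LINK_SECONDS
    sig = _mac(f"{document_id}|{expires}".encode())
    return base_url + "?" + urlencode(
        {"doc": document_id, "expires": expires, "sig": _b64(sig)}
    )


def check_document_url(url: str, now: float) -> bool:
    """Serve the document only if the signature covers this doc id and expiry,
    and the expiry has not passed."""
    params = parse_qs(urlsplit(url).query)
    try:
        document_id = params["doc"][0]
        expires = int(params["expires"][0])
        sig = _unb64(params["sig"][0])
    except (KeyError, IndexError, ValueError):
        return False
    expected = _mac(f"{document_id}|{expires}".encode())
    return hmac.compare_digest(expected, sig) and now <= expires


if __name__ == "__main__":
    t0 = time.time()
    token = sign_session({"practice": "p1", "client": "c42"}, t0)
    print("valid:", verify_session(token, t0) is not None)            # True
    print("tampered:", verify_session(tampered(token), t0) is None)   # True
    print("idle 3h:", verify_session(token, t0 + 3 * 3600) is None)   # True
    url = presign_document_url("https://files.example/download", "report-42", t0)
    print("fresh link:", check_document_url(url, t0))                                   # True
    print("after 1h:", check_document_url(url, t0 + 3601))                             # False
    print("other doc:", check_document_url(url.replace("doc=report-42", "doc=report-43"), t0))  # False
```

The signature covers the document id and the expiry together, so a link cannot be edited to point at another document or to push its expiry out; the server's clock, not the client's, decides when the link dies.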

Application security

The platform is built on an enterprise-grade web framework with a strong security track record. We apply additional protections on top of the framework's built-in defences.

  • Input validation and sanitization on every request, on top of the framework's built-in injection and cross-site scripting defences
  • Security headers that mitigate clickjacking, MIME-type sniffing, and cross-site scripting
  • Industry-standard password hashing with a per-user salt
  • Browser permissions policy restricted: the application does not request location, microphone, camera, or payment APIs
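Several of the properties on this page (the one-year HSTS policy with preload, clickjacking and MIME-sniffing protection, a content security policy against cross-site scripting, and a permissions policy that denies location, microphone, camera and payment) are visible in a site's HTTP response headers, so they are the easiest claims to verify yourself during a vendor review. The following is an added example of such a check, written for this page and not Nuvano's own code; the header sets it audits are constructed for illustration and do not represent any real deployment.

```python
"""Audit a set of HTTP response headers against the transport and browser
hardening properties described on this page: HSTS with a one-year max-age and
preload, clickjacking and MIME-sniffing protection, a CSP for XSS mitigation,
and a Permissions-Policy that denies location, microphone, camera and payment.
Added example for readers doing a vendor review; it is not Nuvano's code, and
the sample headers are constructed."""
import re
from typing import Dict, List

ONE_YEAR = 31536000
# Browser features the page says the application does not use.
DENIED_FEATURES = ("geolocation", "microphone", "camera", "payment")


def check_hsts(value: str) -> List[str]:
    """A one-year policy needs max-age >= 31536000; the browser preload list
    additionally requires includeSubDomains and the preload token."""
    issues = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        issues.append("HSTS max-age below one year")
    if "includesubdomains" not in value.lower():
        issues.append("HSTS missing includeSubDomains")
    if "preload" not in value.lower():
        issues.append("HSTS missing preload")
    return issues


def check_permissions_policy(value: str) -> List[str]:
    """In Permissions-Policy, `feature=()` denies the feature to every origin."""
    allowlists = {}
    for directive in value.split(","):
        if "=" in directive:
            name, allowlist = directive.strip().split("=", 1)
            allowlists[name.strip()] = allowlist.strip()
    return [f"Permissions-Policy does not deny {f}"
            for f in DENIED_FEATURES if allowlists.get(f) != "()"]


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every property holds."""
    h = {k.lower(): v for k, v in headers.items()}
    issues: List[str] = []
    if "strict-transport-security" in h:
        issues += check_hsts(h["strict-transport-security"])
    else:
        issues.append("missing Strict-Transport-Security")
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    # Either CSP frame-ancestors or a restrictive X-Frame-Options stops framing.
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        issues.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")
    if not csp:
        issues.append("missing Content-Security-Policy (XSS mitigation)")
    if "permissions-policy" in h:
        issues += check_permissions_policy(h["permissions-policy"])
    else:
        issues.append("missing Permissions-Policy")
    return issues


# Constructed samples: one set that satisfies every property, one that does not.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Permissions-Policy": "geolocation=(self), camera=()",
}

if __name__ == "__main__":
    print("hardened:", audit_headers(HARDENED_HEADERS) or "no findings")
    for finding in audit_headers(WEAK_HEADERS):
        print("weak:", finding)
```

To run it against a live site, capture the response headers with `curl -sI https://<host>/`, load them into a dictionary and pass that to audit_headers; a finding is a question to put to the vendor, not proof of a vulnerability, since some protections can be applied per route rather than globally.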

Audit logging and compliance records

Advisers get audited. Nuvano generates the records automatically as part of the advice workflow, so you have evidence when you need it.

  • Comprehensive logging of all user actions and system events
  • Model history tracking: changes to client records, submissions, and recommendations are versioned
  • Security event logging: login attempts, permission checks, and session anomalies are recorded separately
  • Client signatures are captured with a timestamp, IP address, and browser details as evidentiary records

Regulatory alignment

Nuvano is designed to support the regulatory requirements NZ financial advisers operate under.

Privacy Act 2020

Data isolation, access controls, and audit logging are built into the platform to support your obligations under the Privacy Act.

FMA record-keeping

The advice workflow generates disclosure acknowledgments, signed recommendations, and audit trails automatically, so you have records when the FMA asks.

Data Processing Addendum

Doing a vendor security review? Our DPA sets out how we handle your data. Read the DPA

Questions about security?

We are happy to walk through our security measures in detail. Get in touch and we will cover whatever you need.
