Trust center.
How we handle your data, what we protect it with, and which compliance commitments we do and don't currently hold. Updated as status changes.
1. Data handling summary
What we collect:
- Account info (name, business email, company, billing address)
- Order history (SKUs, quantities, prices, ship-to addresses)
- Quote history and AI agent conversation history (for session continuity and audit)
- Usage metadata (logins, error logs, performance telemetry)
What we don't collect:
- Payment card primary account numbers (PANs). Card data is handled directly by Stripe; our systems never see a full PAN.
- Personal data of your end users (your customers' data). Our relationship is with your IT procurement team, not with your end-user systems.
Encryption:
- In transit: TLS 1.2+ for all application traffic. HTTPS enforced.
- At rest: AES-256 encryption on primary data stores.
Retention:
- Active account data: retained for the life of the account
- Closed account data: retained for 7 years post-closure for financial/regulatory record-keeping, then purged
- Conversation logs: retained for 2 years for support and audit
- Full policy: /privacy
2. Payment security
Card and ACH: Stripe is our payment processor. Stripe maintains PCI-DSS Level 1 compliance — the highest tier. Full card numbers, CVVs, and authentication data are handled entirely within Stripe; we receive only tokenized references.
PO / NET-30: Net-terms invoicing flows outside Stripe, as credit-controlled invoicing managed within our accounting infrastructure. We handle billing address and AP contact information; no card-level data is stored or transmitted in the NET-30 path.
3. AI agent data handling
The AI agent that helps at PDP, cart, checkout, and post-purchase reads only what's in the conversation and your account context. The agent has read access to real-time channel data via authenticated integrations; no third-party credentials transit through your browser. The agent does not autonomously check out, place orders, or move money. Every order has a human approval before money moves. Agent conversations and tool calls are logged for audit and support; logs are retained for 2 years.
4. Compliance posture
| Standard / framework | Status | Notes |
|---|---|---|
| PCI-DSS (payment data) | Handled via Stripe (Level 1) | We inherit PCI compliance through Stripe; no card data in our systems. |
| SOC 2 Type II | In planning | Scoping and readiness work underway. Target audit window: later 2026. Not yet audited. |
| ISO 27001 | Not claimed | Not currently pursuing. |
| HIPAA | Not claimed at launch | We do not currently offer BAA coverage. |
| FedRAMP | Not claimed | Not authorized. Not appropriate for FedRAMP-mandated workloads. |
| CJIS | Not claimed | No CJIS-authorized configuration. |
| State privacy (CCPA, etc.) | Supported per policy | See /privacy. |
| GDPR | Applicable to EU data subjects | See /privacy. |
We will not claim SOC 2 completion on this page until the audit report is available to share.
5. Infrastructure and hosting
- Hosting: US-based cloud infrastructure
- Data residency: US data centers; customer data is not replicated outside the US
- Environment separation: production, staging, and development environments are logically separated with distinct access controls
- Change management: code changes route through automated CI checks and reviewed deployment before reaching production
Specific technology components are disclosable under NDA in security questionnaires; not detailed publicly here to avoid providing targeting information.
6. Vendor partnerships for compliance-sensitive buyers
Our vendor authorizations are independently verifiable:
| Vendor | Verification path |
|---|---|
| Microsoft | Microsoft Partner Directory |
| AWS | AWS Partner Central |
| Dell | Dell PartnerDirect reseller locator |
| Cisco | Cisco Partner Locator |
| Salesforce | Salesforce AppExchange partner directory |
| Logitech | Logitech B2B partner program |
| Zendesk | Zendesk partner directory |
Authorization letters and program tier documentation are available on request to support@nuveriq.com.
7. Requesting a security questionnaire or architecture overview
For procurement risk reviews, vendor assessments, or internal infosec due diligence:
Email: support@nuveriq.com
What to include in your first message:
- Your organization and role
- Questionnaire format (SIG Lite, SIG Full, CAIQ, custom) or specific questions
- Deadline, if any
- NDA preference (we can sign yours or provide ours)
Response SLA: Two business days to acknowledge; completed questionnaire typically returned within 5–10 business days depending on scope.
Available documentation (on request, under NDA where appropriate):
- Data flow diagram
- Architecture overview
- Subprocessor list
- Insurance certificates
- Incident response plan summary
- Data Processing Addendum (see /privacy)
8. Subprocessors
We use third-party services to operate. A current subprocessor list is maintained and available on request to account holders. Core categories:
- Cloud hosting (US infrastructure)
- Payment processing (Stripe)
- Distribution and fulfillment data exchange
- Email and transactional messaging
- Customer support tooling
- Analytics and performance monitoring
Changes to subprocessors are tracked.
9. Incident response
We maintain an incident response plan covering detection, classification, containment, communication, and post-incident review. In the event of a security incident affecting customer data, we commit to:
- Notification to affected customers within the shorter of (a) 72 hours of confirmed impact or (b) any applicable regulatory timeline
- Status updates at least every 24 hours until resolution
- Post-incident report within 30 days of incident closure
To report a suspected vulnerability or incident: support@nuveriq.com.
10. Privacy, terms, and legal
Need our security documentation?
Email support@nuveriq.com. Typical turnaround: 5–10 business days.