Your Data, Your Control

Privacy & Data Policy

We're a security company. We take your data seriously. Here's exactly what we collect, how we protect it, and how you control it.

What We Do Not Collect

Source code — Repositories are cloned temporarily during scans, then immediately deleted. We never store your full codebase.
Container images — Pulled from your registry, scanned in memory, then deleted. We never store your images.
Payment information — All billing is handled by our payment processor. We never see or store your credit card details.
Git history — We use shallow clones (latest commit only).
Browsing data — No tracking cookies, no analytics pixels, no behavioral tracking.

How We Protect Your Data

Encryption

All credentials encrypted at rest using AES-256 (Fernet symmetric encryption)
Encryption keys stored in GCP Secret Manager, separate from the data
All data in transit encrypted with TLS 1.2+
Database encrypted at rest (GCP Cloud SQL default encryption)

Infrastructure

Hosted on Google Cloud Platform (GCP)
Scan backends are network-isolated (internal-only access)
Role-based access control for all team members
Admin access requires separate authentication

Operational

Automated daily database backups with 7-day retention
No employee access to client data without explicit support access code (client-controlled)
All support access is time-limited and auditable

Data Retention

Active Account

Your data is retained for as long as your subscription is active
Scan history is kept for trend analysis and compliance evidence
You can export your data at any time (PDF reports, CSV exports, SBOM downloads)

After Account Deletion

All data permanently deleted within 24 hours

This includes: credentials, scan results, findings, SBOM data, infrastructure topology, and team memberships.

Credentials are deleted immediately upon account deletion.

Database backups containing your data expire within 7 days of the backup rotation cycle.

Deletion is irreversible — we cannot recover your data after this process.

Account Deletion

You can delete your workspace and all associated data at any time:

  1. Go to Settings → scroll to bottom → “Delete Workspace”
  2. Type your workspace name to confirm
  3. Users in other workspaces keep their accounts; users with no remaining workspaces are fully removed

What gets deleted

All scan configurations and credentials
All scan results and findings
Infrastructure topology data
SBOM data and software inventory
Compliance scan results
Team memberships for this workspace
Notification preferences
Support access history

Your Rights

Access

  • View all your data in the Nuvm dashboard
  • Export findings, compliance reports, and SBOM data as PDF or CSV

Correction

  • Update your account information in Settings at any time

Data Portability

  • Executive reports (PDF)
  • Compliance reports (PDF)
  • SBOM data (CycloneDX JSON)
  • Findings export (CSV)

Restrict Processing

  • Pause any scan configuration at any time
  • Disable scheduled scanning per scan type
  • Revoke cloud credentials by updating scan configurations

Third-Party Services

Nuvm uses the following third-party services:

Google Cloud Platform — Infrastructure hosting and database
Firebase Authentication — User login and identity management
Creem — Payment processing and subscription management (we never see your payment details)
Crisp — Live chat support (your chat messages are stored by Crisp)

We do not use analytics or tracking services, advertising networks, or data brokers.

Contact

Questions about your data or privacy?

Chat with us using the chat button in the app

Last updated: March 2026
