Security you can trust
Nowadays protects the events, contacts, and communications you share with us. Here is how we secure that data, and where you can review our controls and documentation for yourself.
Compliance
A formal security program stands behind everything below, with controls monitored continuously.
SOC 2 Type II
In progress, with controls monitored continuously.
GDPR and CCPA
Aligned for data privacy and user rights.
Independent penetration test
Run by a third-party firm in 2026, with findings tracked to closure.
Security policies
18 policies covering access, cryptography, risk, and vendors, reviewed annually.
Vendor risk
We require data processing agreements with subprocessors that handle customer data.
Data protection
Your data is encrypted, backed up, and yours to control.
Encryption in transit
TLS 1.2+, with HTTPS enforced site-wide through HSTS.
Encryption at rest
AES-256 for all data stored in our database.
Backups
Automated, with documented recovery procedures.
Ownership
Export or delete your data on request.
Minimization
We collect only what running your events requires.
AI and data governance
We are an AI product, so we govern how models use your data as carefully as the data itself.
No model training
We require AI providers not to train their models on your data.
Provider agreements
We require data processing agreements with the AI providers we use.
Scoped access
Model access to your data is limited to the features that need it.
AI policies
Dedicated AI governance, responsible-AI, and AI privacy policies.
Access and application security
Every request is authenticated, and security is built into how we ship code.
Authentication
Industry-standard password hashing through a managed authentication provider.
Sessions
Email verification for new accounts and automatic session expiration.
API security
Bearer-token validation on every non-public route.
Access control
Role-based access, with tenant data isolated at the database level.
Injection defense
Parameterized queries and input sanitization guard against SQL injection and cross-site scripting.
Secure development
Code review and automated tests in CI before changes ship.
Infrastructure and availability
We run on audited cloud platforms with defenses at the network edge.
Cloud platforms
Independently audited cloud hosting and database providers.
Network
Managed DDoS protection and network isolation at the edge.
Monitoring
Access and activity logging for investigation.
Continuity
Documented business continuity and disaster recovery plans.
Incident response
We maintain an incident response plan and welcome reports from security researchers.
If a security incident affects your data, we will notify you promptly with clear information about what happened and how we responded. Follow live system status at status.nowadays.ai, and report a suspected vulnerability to security@nowadays.ai.
Contact
Last updated: July 2026
