Trust & Governance

Compliance Center

Novastraxis maintains one of the most comprehensive compliance portfolios in the enterprise cloud industry. Every certification is independently audited, continuously maintained, and available for customer review under NDA.

12+ Active Certifications | Zero Qualified Findings (2025) | Annual Independent Audits

Our Commitment to Compliance

In regulated industries, compliance is not optional — it is the cost of doing business. Novastraxis invests heavily in maintaining the broadest possible portfolio of security certifications and privacy attestations so that our customers can deploy on our platform with confidence, knowing that our controls have been independently verified against the standards their regulators require.

Our dedicated Governance, Risk, and Compliance (GRC) team manages all certification activities, including gap assessments, control implementation, evidence collection, auditor coordination, and continuous monitoring. The GRC team reports directly to the Chief Information Security Officer and provides quarterly compliance status updates to the Board of Directors.

All certifications listed below are current, independently audited, and renewed on a continuous basis. Certification reports, attestation letters, and compliance documentation are available to current customers and qualified prospective customers under NDA. To request documentation, contact compliance@novastraxis.com.

Certification Summary

Certification / Framework | Status | Last Audit | Auditor
SOC 2 Type II | Active | November 2025 | Deloitte & Touche LLP
ISO 27001:2022 | Certified | September 2025 | BSI Group (British Standards Institution)
ISO 27017:2015 | Certified | September 2025 | BSI Group (British Standards Institution)
ISO 27018:2019 | Certified | September 2025 | BSI Group (British Standards Institution)
FedRAMP High | Authorized (P-ATO) | August 2025 | Coalfire Systems, Inc. (3PAO)
HIPAA / HITECH | Compliant | October 2025 | Coalfire Systems, Inc.
PCI DSS Level 1 | Certified | December 2025 | Coalfire Systems, Inc. (QSA)
GDPR Article 28 | Compliant | Ongoing | Internal DPO + External Counsel (Freshfields Bruckhaus Deringer)
CCPA / CPRA | Compliant | January 2026 | Internal Privacy Team + External Counsel
CSA STAR Level 2 | Certified | October 2025 | BSI Group (British Standards Institution)
NIST 800-53 Rev 5 | Aligned | August 2025 | Coalfire Systems, Inc.
StateRAMP | Authorized | July 2025 | Coalfire Systems, Inc. (3PAO)

Certification Details

Each certification below includes the scope of the assessment, the independent auditor engaged, key dates, and a summary of what the certification covers. For access to the full reports, please contact our compliance team.

SOC 2 Type II

Status: Active
Last Audit: November 2025
Next Audit: November 2026
Auditor: Deloitte & Touche LLP

Novastraxis has maintained an unqualified SOC 2 Type II attestation since 2018, covering the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The audit scope encompasses the entirety of the Novastraxis cloud infrastructure platform, including all 48 global regions, the Zero-Trust Security Fabric, Data Mesh Engine, customer-facing APIs, and internal administrative systems. The most recent examination period covers twelve consecutive months of operations (December 2024 through November 2025) and was conducted by Deloitte & Touche LLP. No exceptions or qualified findings were reported. The SOC 2 Type II report is renewed annually and is available to customers and prospective customers under NDA.

ISO 27001:2022

Status: Certified
Last Audit: September 2025
Next Audit: September 2026
Auditor: BSI Group (British Standards Institution)

Novastraxis holds ISO 27001:2022 certification for its Information Security Management System (ISMS), which covers the design, development, deployment, and operation of cloud infrastructure and security services across all global offices and data center locations. Certification was first achieved in 2019 and has been successfully maintained through annual surveillance audits and a full recertification cycle in 2025, transitioning to the 2022 revision of the standard. The ISMS scope includes all aspects of information asset management, risk assessment and treatment, access control, cryptographic controls, physical security, operations security, communications security, supplier relationships, incident management, business continuity, and compliance. BSI Group serves as the independent certification body.

ISO 27017:2015

Status: Certified
Last Audit: September 2025
Next Audit: September 2026
Auditor: BSI Group (British Standards Institution)

ISO 27017 provides cloud-specific security controls as an extension to ISO 27001. Novastraxis holds this certification to demonstrate implementation of additional cloud security measures including shared responsibility delineation, virtual machine hardening, cloud service customer data isolation, virtual network security, and cloud-specific operational procedures. This certification is particularly relevant for customers subject to regulatory requirements that mandate cloud service provider security assurances beyond the baseline ISO 27001 controls.

ISO 27018:2019

Status: Certified
Last Audit: September 2025
Next Audit: September 2026
Auditor: BSI Group (British Standards Institution)

ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in public cloud computing environments. Novastraxis holds this certification to provide assurance regarding our handling of customer personal data, including controls for consent and choice, purpose limitation, data minimization, use and retention limitation, openness, transparency, and accountability. The certification covers all data processing operations where Novastraxis acts as a PII processor on behalf of its customers.

FedRAMP High

Status: Authorized (P-ATO)
Last Audit: August 2025
Next Audit: August 2026
Auditor: Coalfire Systems, Inc. (3PAO)

Novastraxis achieved FedRAMP High Provisional Authority to Operate (P-ATO) in 2020, sponsored by the General Services Administration (GSA). FedRAMP High authorization represents the most rigorous security baseline available through the FedRAMP program and is required for systems processing the federal government's most sensitive unclassified data (impact level: high confidentiality, high integrity, high availability). The authorization scope includes over 421 security controls from NIST SP 800-53 Rev 5, implemented across our dedicated GovCloud regions in Ashburn, Virginia and San Antonio, Texas. Coalfire Systems serves as our third-party assessment organization (3PAO). Continuous monitoring deliverables, including monthly vulnerability scans, annual assessments, and Plan of Action and Milestones (POA&M) updates, are submitted to the FedRAMP PMO on schedule. Novastraxis is one of fewer than 20 cloud service providers to hold FedRAMP High authorization.

HIPAA / HITECH

Status: Compliant
Last Audit: October 2025
Next Audit: October 2026
Auditor: Coalfire Systems, Inc.

Novastraxis maintains compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act for customers who process, store, or transmit Protected Health Information (PHI) on our platform. Compliance is verified through annual independent assessments conducted by Coalfire Systems, covering the HIPAA Security Rule (administrative, physical, and technical safeguards), the Privacy Rule (as applicable to business associates), and the Breach Notification Rule. Novastraxis executes Business Associate Agreements (BAAs) with all customers who require HIPAA compliance. BAAs are available at no additional cost for all Enterprise tier subscriptions. Our HIPAA-eligible services include compute, storage, database, networking, key management, and monitoring services across all commercial regions.

PCI DSS Level 1

Status: Certified
Last Audit: December 2025
Next Audit: December 2026
Auditor: Coalfire Systems, Inc. (QSA)

Novastraxis is certified as a PCI DSS Level 1 Service Provider, the highest level of certification under the Payment Card Industry Data Security Standard. This certification covers our infrastructure services used by customers to process, store, and transmit cardholder data. The assessment scope includes network segmentation, access controls, encryption, logging and monitoring, vulnerability management, and incident response procedures. As a Level 1 Service Provider, Novastraxis undergoes an annual on-site assessment by a Qualified Security Assessor (QSA) and submits a Report on Compliance (ROC) covering all 12 PCI DSS requirements and over 300 individual controls. Our Attestation of Compliance (AOC) is available to customers upon request.

GDPR Article 28

Status: Compliant
Last Audit: Ongoing
Next Audit: Continuous
Auditor: Internal DPO + External Counsel (Freshfields Bruckhaus Deringer)

Novastraxis complies with the General Data Protection Regulation (GDPR) and has been operating in conformance with GDPR requirements since May 2018. In accordance with Article 28, Novastraxis acts as a data processor on behalf of its customers (data controllers) and provides comprehensive Data Processing Agreements (DPAs) incorporating the European Commission's Standard Contractual Clauses (SCCs) for international data transfers. Novastraxis has appointed a Data Protection Officer (Dr. Henrik Larsson) and has designated Novastraxis Solutions EU B.V. (Herengracht 420, 1017 BZ Amsterdam, The Netherlands) as its EU representative pursuant to Article 27. We maintain Records of Processing Activities (ROPA), conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and have implemented technical and organizational measures in accordance with Article 32, including pseudonymization, encryption, and regular security testing.

CCPA / CPRA

Status: Compliant
Last Audit: January 2026
Next Audit: January 2027
Auditor: Internal Privacy Team + External Counsel

Novastraxis complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). As a service provider under the CCPA/CPRA, Novastraxis processes personal information only on behalf of and under the instructions of its customers. We do not sell personal information, nor do we share personal information for cross-context behavioral advertising purposes. Our privacy practices include honoring consumer rights requests (right to know, delete, correct, and opt-out), maintaining appropriate data processing agreements, implementing reasonable security measures, and conducting regular privacy impact assessments. Annual compliance reviews include assessment of our data inventory, processing activities, privacy notices, and consumer rights fulfillment processes.

CSA STAR Level 2

Status: Certified
Last Audit: October 2025
Next Audit: October 2026
Auditor: BSI Group (British Standards Institution)

Novastraxis holds CSA STAR (Security, Trust, Assurance, and Risk) Level 2 Attestation, which combines the requirements of the Cloud Security Alliance's Cloud Controls Matrix (CCM) with the rigor of an independent third-party assessment. The attestation covers 197 controls across 17 domains, including application and interface security, audit assurance and compliance, business continuity management, change control, data security, datacenter security, encryption, governance, human resources, identity and access management, infrastructure and virtualization, interoperability and portability, mobile security, security incident management, supply chain management, threat and vulnerability management, and universal endpoint management. Our completed CAIQ (Consensus Assessments Initiative Questionnaire) is publicly available on the CSA STAR Registry.

NIST 800-53 Rev 5

Status: Aligned
Last Audit: August 2025
Next Audit: August 2026
Auditor: Coalfire Systems, Inc.

Novastraxis has implemented security and privacy controls aligned with NIST Special Publication 800-53 Revision 5, 'Security and Privacy Controls for Information Systems and Organizations.' Our implementation covers the High baseline control set (over 421 controls across 20 control families), which is the most comprehensive baseline defined by NIST and is required for systems processing high-impact federal information. Control implementation is assessed annually as part of our FedRAMP continuous monitoring program. Novastraxis also aligns with the NIST Cybersecurity Framework (CSF) v2.0 and publishes a mapping between our control implementation and the CSF Identify, Protect, Detect, Respond, and Recover functions.

StateRAMP

Status: Authorized
Last Audit: July 2025
Next Audit: July 2026
Auditor: Coalfire Systems, Inc. (3PAO)

Novastraxis holds StateRAMP authorization at the High impact level, enabling state and local government agencies to procure our cloud services through a standardized, reciprocal security assessment framework. StateRAMP leverages the NIST 800-53 control framework and is recognized by participating states as an equivalent to individual state security assessments. Our StateRAMP authorization covers the same scope as our FedRAMP High authorization and is maintained through continuous monitoring deliverables submitted to the StateRAMP PMO. The authorization enables streamlined procurement for state and local government customers across all 50 states.

Request Compliance Documentation

The following compliance documents are available to current customers and qualified prospective customers who have executed a mutual Non-Disclosure Agreement (NDA):

SOC 2 Type II Report (full report with detailed control descriptions and test results)

SOC 3 Report (publicly available general use report)

ISO 27001 Certificate of Registration

ISO 27017 Certificate of Registration

ISO 27018 Certificate of Registration

FedRAMP High P-ATO Letter and Authorization Package Summary

HIPAA Compliance Assessment Report

PCI DSS Attestation of Compliance (AOC)

CSA STAR Attestation Report

CAIQ (Consensus Assessments Initiative Questionnaire) — Self-Assessment

Penetration Test Executive Summary (most recent quarterly assessment)

Data Processing Agreement (DPA) with Standard Contractual Clauses

Business Associate Agreement (BAA) Template

Vendor Security Questionnaire Responses (SIG Lite, CAIQ, Custom)

Contact Our Compliance Team

To request any of the documents listed above, or to submit a vendor security questionnaire, compliance inquiry, or audit-related question, please contact our Governance, Risk, and Compliance team. We aim to fulfill documentation requests within two (2) business days for existing customers and five (5) business days for prospective customers.

Email: compliance@novastraxis.com

Address: Novastraxis Enterprise Solutions, Inc., Attn: GRC Team, 650 California Street, Suite 2450, San Francisco, CA 94108

Phone: +1 (415) 555-0142 (select option 4 for Compliance)

Continuous Compliance Program

Compliance is not a point-in-time activity at Novastraxis. Our continuous compliance program ensures that security controls are monitored, tested, and validated on an ongoing basis throughout the year, not just during annual audit windows.

Automated Evidence Collection

Our GRC platform continuously collects evidence of control effectiveness from production systems, reducing audit preparation time and ensuring that controls are operating as intended at all times — not just during auditor visits.

Continuous Control Monitoring

Over 2,000 individual controls are monitored in real-time through automated checks, configuration validation, and compliance scanning. Deviations trigger immediate alerts to the GRC team and are tracked through our risk management workflow.

Regulatory Change Management

Our regulatory intelligence team monitors changes to applicable laws, regulations, and industry standards globally. Impact assessments are conducted within 30 days of significant regulatory changes, and implementation plans are developed in collaboration with engineering and legal teams.

Internal Audit Program

Our internal audit team conducts independent assessments of controls throughout the year on a risk-based rotation. Internal audit reports are presented to the Audit Committee of the Board of Directors and inform our external audit preparation activities.

Ready to evaluate our compliance posture?

Our GRC team is available to walk through our certifications, provide documentation under NDA, and answer your vendor security questionnaire. Let us help you accelerate your procurement process.