Trust & Security

We ship the same controls the big enterprise buyers insist on. Here's what's live today and what's on the roadmap — with evidence-level dates, not marketing promises.

Certifications & attestations

SOC 2 Type I: Readiness report in hand (available under NDA). Vanta-managed evidence collection.
SOC 2 Type II: In progress — audit window running. Target attestation date listed in MSA on request.
GDPR: In production. DPA + SCCs available. Right to export + delete implemented.
CCPA / CPRA: In production. Consumer request flow at /account/delete + /account/export.
HIPAA: BAA available for Business-tier healthcare pack. Tenant-level enforcement; not enabled by default.
ISO 27001: Planned — 2027. Depends on EU/JP enterprise demand.

Need SOC 2 evidence, a signed DPA, or a security questionnaire response? Email security@neww.ai. Average response: under 24 hours for paid tiers.

Security practices

Encryption everywhere

TLS 1.2+ in transit; AES-256 at rest (Cloud SQL + GCS). Secrets in Google Secret Manager with envelope encryption and quarterly rotation.

Tenant isolation

Every Prisma query carries workspaceId scope (enforced via a CI gate). Cross-tenant access is architecturally impossible from application code — no shared row fetch paths.
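One shape such a CI gate can take, as an added example that is not neww.ai's own tooling: a scanner that flags Prisma call sites whose `where` clause does not carry the tenant column. It assumes the client variable is named `prisma` and the tenant column is `workspaceId` (the name used above); the sample source it scans is constructed.

```typescript
// Added example (not neww.ai's code): a CI gate for the rule "every Prisma query
// carries workspaceId scope". It scans TypeScript source for prisma.<model>.<op>({...})
// call sites whose `where` lacks workspaceId. Assumes the client is named `prisma`.

// Operations that touch existing rows and therefore must carry tenant scope.
const SCOPED_OPS = new Set(["findMany", "findFirst", "findUnique", "count",
  "aggregate", "groupBy", "update", "updateMany", "delete", "deleteMany"]);
export interface Finding { line: number; model: string; operation: string }

// Balanced {...} literal starting at `start` (braces inside strings ignored), else null.
function objectLiteralAt(src: string, start: number): string | null {
  if (src.charAt(start) !== "{") return null;
  let depth = 0, quote = "";
  for (let i = start; i < src.length; i++) {
    const ch = src.charAt(i);
    if (quote) { if (ch === "\\") i++; else if (ch === quote) quote = ""; continue; }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; continue; }
    if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return src.slice(start, i + 1);
  }
  return null; // unclosed literal
}

export function findUnscopedQueries(src: string): Finding[] {
  const findings: Finding[] = [];
  const call = /\bprisma\.(\w+)\.(\w+)\(\s*/g;
  let m: RegExpExecArray | null;
  while ((m = call.exec(src)) !== null) {
    const [, model = "", operation = ""] = m;
    if (!SCOPED_OPS.has(operation)) continue;
    const line = src.slice(0, m.index).split("\n").length;
    const args = objectLiteralAt(src, m.index + m[0].length);
    // Only an inline `where: { ...workspaceId... }` is verifiable statically; a
    // missing argument or a `where` passed as a variable is reported for review.
    const wm = args ? /\bwhere\s*:\s*/.exec(args) : null;
    const where = args && wm ? objectLiteralAt(args, wm.index + wm[0].length) : null;
    if (!where || !/\bworkspaceId\b/.test(where)) findings.push({ line, model, operation });
  }
  return findings;
}

// Constructed sample in the shape of app code; line 4 is the single violation
// (findUnique by id alone, the classic cross-tenant fetch path).
export const SAMPLE_SOURCE = `
const docs = await prisma.document.findMany({
  where: { workspaceId: ctx.workspaceId, archived: false } });
const one = await prisma.document.findUnique({ where: { id: input.id } });
await prisma.document.update({ where: { id: input.id, workspaceId: ctx.workspaceId },
  data: { title: "renamed" } });
`;
```

Run over each source file in CI and fail the job when the returned list is non-empty; a variable `where` is deliberately reported rather than trusted, since the gate cannot see what it contains.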

Data residency

US by default. EU residency available on Business+ (EU Cloud Run region + eu-west1 Postgres). APAC region on request. LLM calls route to the provider region that matches your tenant setting.

Identity + access

MFA via TOTP + WebAuthn; SAML + SCIM on Business+ via WorkOS. Session tokens rotate on privilege change. All admin actions land in an append-only AuditEvent log.

Monitoring + observability

Cloud Run stdout → BigQuery (queryable logs). Sentry errors + Web Vitals. OpenTelemetry traces for every LLM call. 24/7 paging to founder + on-call engineer for SEV-1.

Incident response

SLA: customer notification within 72h of confirmed incident. Postmortem published within 5 business days. Runbook at /docs/ops/DR_RUNBOOK (available on request).

Subprocessors

Full list of third parties that can process customer data. Updated within 30 days of any addition.

Subprocessor         Purpose                              Residency
Google Cloud (GCP)   Compute + Postgres + Storage         us-central1 default
Cloudflare           CDN + WAF + DDoS (roadmap)           global edge
Anthropic            Primary LLM provider                 US
OpenAI               Fallback LLM provider                US
Groq                 Fast-tier LLM (economy routes)       US
Stripe               Payments + subscription billing      global (PCI-L1)
Resend               Transactional email                  US
Sentry               Error monitoring                     US
PostHog Cloud        Product analytics (opt-out)          US
Firebase Auth        Identity provider                    US (Google)
WorkOS               SAML/SCIM for Business+ tier         US
Vanta                Compliance evidence collection       US

Reporting a vulnerability

We take coordinated disclosure seriously. Email security@neww.ai with a proof-of-concept. We acknowledge within 24 hours, provide a triage update within 72 hours, and publish fixes within 30 days for anything high-severity. No lawyer-first takedowns — we'll work with you on disclosure timing.

Bug bounty program is in design (see roadmap). Until then we recognize reporters in /security/thanks.