What we do to keep customer data safe, and what we publish so you can verify it. This page is our living security posture — updated when a control changes, not when a sales call demands it.
AES-256 at rest for Cloud SQL, GCS, and Secret Manager. TLS 1.3 in transit with HSTS pre-loaded; plain-HTTP requests are redirected to HTTPS at the edge before they reach the application.
Primary workload runs in GCP us-central1, with Cloud SQL and GCS providing storage durability. EU / UK tenants can be pinned to eu-west regions; see the subprocessor matrix. Firestore is limited to ephemeral chat and ops state.
Authentication is a hybrid of Firebase Auth and NextAuth; authorization uses RBAC, with row-level tenant isolation enforced by Prisma middleware on every query. API tokens are scoped per tenant with revocable leases. Admin access requires 2FA.
Workloads run on Cloud Run behind Cloudflare WAF and rate limiting. Responses carry a CSP whose connect-src lists every LLM / tool provider explicitly, a Permissions-Policy, COOP / COEP / CORP headers, and per-request nonces for inline scripts.
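What "row-level tenant isolation enforced by Prisma middleware" looks like in practice, as an added example that is not neww.ai's code: a middleware in the shape of Prisma's `prisma.$use((params, next) => ...)` hook that rewrites every query against a tenant-owned model so it can only touch that tenant's rows. The model names, the `tenantId` column, and the `getTenantId` context reader are assumptions for illustration. The example also handles the two edge cases that bite in real deployments: a caller-supplied `tenantId` is overwritten rather than trusted, and single-row actions that Prisma restricts to unique keys (`findUnique`, `update`, `delete`) are rewritten to their filterable forms.

```javascript
// Added example, not neww.ai's code. Shape follows Prisma's $use middleware:
// (params, next) where params = { model, action, args }. Model names, the
// tenantId column and the tenant-context source are assumptions.
const TENANT_SCOPED_MODELS = new Set(["Document", "Conversation", "ApiToken"]);

// Rewrite one query so it can only read or write rows belonging to `tenantId`.
// Any tenantId the caller put in where/data is overwritten, never trusted.
function scopeToTenant(params, tenantId) {
  const { model, action } = params;
  if (!model || !TENANT_SCOPED_MODELS.has(model)) return params; // global tables pass through
  if (!tenantId) throw new Error(`tenant isolation: no tenant context for ${model}.${action}`);

  const args = { ...(params.args ?? {}) };
  let newAction = action;
  switch (action) {
    case "create":
      args.data = { ...(args.data ?? {}), tenantId };
      break;
    case "createMany":
      args.data = (args.data ?? []).map((row) => ({ ...row, tenantId }));
      break;
    case "upsert":
      args.where = { ...(args.where ?? {}), tenantId };
      args.create = { ...(args.create ?? {}), tenantId };
      args.update = { ...(args.update ?? {}) };
      delete args.update.tenantId; // a tenant can never move a row to another tenant
      break;
    case "findUnique":
      // findUnique accepts only unique keys, so the extra tenant filter needs findFirst.
      newAction = "findFirst";
      args.where = { ...(args.where ?? {}), tenantId };
      break;
    case "update":
    case "delete":
      // Same restriction: use the *Many form. Result shape becomes { count }.
      newAction = `${action}Many`;
      args.where = { ...(args.where ?? {}), tenantId };
      if (args.data) { args.data = { ...args.data }; delete args.data.tenantId; }
      break;
    default: // findMany, findFirst, count, aggregate, updateMany, deleteMany, ...
      args.where = { ...(args.where ?? {}), tenantId };
      if (args.data) { args.data = { ...args.data }; delete args.data.tenantId; }
  }
  return { ...params, action: newAction, args };
}

// Middleware factory. `getTenantId` reads the current tenant from request
// context (AsyncLocalStorage, a session, a verified token claim); assumed here.
function tenantScopeMiddleware(getTenantId) {
  return async (params, next) => next(scopeToTenant(params, getTenantId()));
}

// Stand-alone demonstration with a fake `next` that echoes the rewritten query.
// A caller asking for tenant-B's rows gets the filter replaced with tenant-A.
async function demo() {
  const mw = tenantScopeMiddleware(() => "tenant-A");
  const echo = async (p) => p;
  return mw(
    { model: "Document", action: "findMany", args: { where: { tenantId: "tenant-B", status: "open" } } },
    echo,
  );
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((q) => console.log(JSON.stringify(q)));
}
```

Register it once with `prisma.$use(tenantScopeMiddleware(getTenantId))`; the throw on a missing tenant context is deliberate, since a query that reaches a tenant-owned table with no tenant is almost always a bug in a background job or admin path rather than a legitimate cross-tenant read.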
All credentials — AI provider keys, Stripe, DB URLs — live in GCP Secret Manager. Runtime reads are audited. No secret ships in any container image.
Sentry + Cloud Logging for application errors; OpenTelemetry traces for hot paths; synthetic probes + SLOs on /livez and /readyz. Sev-0/1/2 runbooks and post-mortem template live under docs/runbooks.
A Vanta engagement is in flight. Evidence collection is automated across the auth, logging, change-management, and vendor-review controls. Target: a Type I report in 2026.
Data Processing Agreement (GDPR Art. 28), user data export (Art. 20), erasure (Art. 17), and a published subprocessor matrix. See the DPA and Privacy Policy for processor terms.
Healthcare surfaces operate behind an explicit no-PHI gate today. BAA-capable pipeline with field-level encryption, audit logging, and PHI red-team gates is under `/api/healthcare`. Not yet HIPAA-attested.
Please report suspected vulnerabilities to security@neww.ai. We triage within one business day and will keep you informed through remediation. We do not pursue legal action against good-faith security researchers who follow this policy.
Out-of-scope: third-party services we list on /subprocessors, denial-of-service testing, and any physical or social-engineering attempts against our staff.