Protecting our customers' data at all times is our highest priority. This security summary provides an overview of the security practices in place to achieve this goal. Have any questions or feedback? Please feel free to contact us at security@novonto


Our security team consists of security experts focused on improving the security of our organization. Our employees receive training in responding to security incidents and are available 24/7.


Cloud infrastructure: All of our services run in the cloud. We do not host or run our own routers, load balancers, DNS servers or physical servers. Our service is built on Amazon Web Services and Private VPS servers. They provide strong security measures to protect our infrastructure and meet most certifications.

Data center security: our data center is located in Germany. It is a Tier IV, PCI DSS and ISO 27001 compliant facility. Our servers are physically separated from other customers in the data center. The data center facilities are secured 24/7 with various security measures (guards, CCTV, electronic access control, etc.). There is monitoring and alarms for security breaches, power, HVAC and temperature.


Our network security architecture consists of multiple security zones. We monitor and protect our network to ensure that no unauthorized access occurs using: 1. A virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses. 2. and firewall that monitors and manages incoming and outgoing network traffic. 3. An Intrusion Detection and/or Prevention technology (IDS/IPS) solution that monitors and blocks potentially malicious packets. 4. IP address filtering.


We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.


Encryption during transmission: All data sent to or from our infrastructure is encrypted during transmission via industry standards such as Transport Layer Security (TLS). You can view our SSLLabs report here. Encryption at rest: All of our user data (including passwords) is encrypted using proven encryption algorithms in the database.


Any user can request deletion of usage data by contacting customer support. More information about our privacy settings can be found in our Privacy Statement.


We back up all of our critical resources and try to restore the backup regularly to ensure fast recovery time in case of disaster. All of our backups are encrypted.


We use a security monitoring solution to understand the security of our applications, identify attacks and respond quickly to a data breach. We use technologies to monitor exceptions, maintain logs and detect anomalies in our applications. We collect and store logs to provide an audit trail of our applications' activities.


We develop according to security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software: Developers regularly participate in security training to stay abreast of common vulnerabilities and threats. We regularly check our code for security vulnerabilities. We regularly update our dependencies and ensure there are no known vulnerabilities.


Two-factor authentication: We provide a two-factor authentication mechanism to protect our users from account takeover attacks. Setting up this additional security measure is optional, but highly recommended to increase the security of sensitive data. Account takeover protection: We protect our users from data breaches by monitoring and blocking brute force attacks.

Protection against account takeover: We protect our users from data breaches by monitoring and blocking brute force attacks.

Role-based access control: Role-based access control (RBAC) is offered on all our accounts and allows users to define roles and permissions.


EU-US and Switzerland-US Privacy Shield: Our company complies with the EU-US and Switzerland-US Privacy Shield Frameworks for regulating data privacy between the European Union and the United States.

ISO 27001: Our company follows the ISO/IEC 27001 framework. This standard provides a framework for establishing and maintaining an information security management system (ISMS) to secure sensitive information through a risk management process that combines IT systems, people and processes.

GDPR: We comply with the General Data Protection Regulation (AVG). The purpose of the AVG is to protect EU citizens' private data and give them more control over their personal information. Contact us for more information on how we comply with the AVG.


All payment instrument processing is securely outsourced to a PCI Level 1 Service Provider. We do not collect payment data and are therefore not subject to PCI obligations. We process and store your payment data securely according to strict Payment Card Industry Data Security Standards (PCI DSS). We are certified as a PCI Service Provider.


Our strict internal process prevents employees or administrators from accessing user data. Limited exceptions may be made for customer support. All of our employees sign a confidentiality and non-disclosure agreement upon joining the company to protect our customers' sensitive information.

Last modified: January 1, 2024.