Trust & Security
The current public NowFlow materials emphasize clear operational controls: TLS 1.3 in transit, AES-256 at rest, 24/7 monitoring, published privacy and legal routes, and trust signals including SOC 2, GDPR, and 99.9% SLA positioning.
- SOC 2: Type II controls
- GDPR: Privacy coverage
- 99.9% SLA: Uptime target
- TLS 1.3: AES-256 at rest
- 24/7 Monitoring: Detection & response

Trust operations
A professional trust view for enterprise buyers: encryption, access control, audit evidence, incident response, and governance controls mapped into one operating model.
Governance control loop (diagram): Identity, Policy, Audit, Evidence and Signal stages; node labels: Live model, Zero telemetry, Encrypted comms, Review gates.
Operational Commitments
These are the headline commitments and controls currently visible across the NowFlow home, security, privacy, and legal pages.
- TLS 1.3 for data in transit, AES-256 for stored data, and encryption-focused handling across workflows and services.
- Administrative MFA, least-privilege role-based access, periodic reviews, and secure session management.
- 24/7 monitoring, incident procedures, communication plans, and tested recovery workflows are described publicly.
- SOC 2 Type II, GDPR, CCPA, ISO 27001 in progress, and 99.9% uptime SLA appear across public materials.
Security Practices
The public security policy outlines concrete practices rather than abstract promises. These are the highest-signal themes.
Compliance posture
The matrix below shows our current posture across security, privacy, AI governance, operational continuity, and sector-specific controls. Filter by category for the parts that matter to your procurement review.
Last reviewed 2026-05-10
| Standard | Category | Scope | Status | Evidence |
|---|---|---|---|---|
| TLS 1.3 in transit | Security | All public endpoints + service-to-service | ✓ Aligned | Default cipher policy; HSTS enforced |
| AES-256-GCM at rest | Security | Customer data, model weights, audit logs | ✓ Aligned | FIPS-grade primitives; key rotation policy |
| SOC 2 Type II | Security | Service Organization Controls (TSC) | ◐ In progress | Programme initiated; auditor selected |
| ISO 27001 | Security | Information security management system | ◐ In progress | Statement of Applicability drafted |
| Penetration testing | Security | External + internal application + infra | ✓ Aligned | Annual third-party tests; report on request |
| 24/7 monitoring | Security | SIEM + detection-as-code + on-call rotation | ✓ Aligned | PagerDuty + signed incident timeline |
| GDPR (EU 2016/679) | Privacy | Personal data of EU residents | ✓ Aligned | DPIA template; DPO contact published |
| UK GDPR + DPA 2018 | Privacy | Personal data of UK residents | ✓ Aligned | ICO-registered controller / processor |
| CCPA / CPRA | Privacy | California consumer privacy | ✓ Aligned | Right-to-know + delete pathways |
| DPA + sub-processor list | Privacy | Customer-facing data processing addendum | ✓ Aligned | Standard DPA + current sub-processor list |
| EU AI Act | AI Governance | High-risk AI obligations (Annex III) | ✓ Aligned | Risk register + human-oversight design |
| ISO/IEC 42001 | AI Governance | AI management system | → On roadmap | Targeted alongside ISO 27001 expansion |
| NIST AI Risk Management | AI Governance | AI RMF 1.0 alignment | ✓ Aligned | Map / Measure / Manage controls in place |
| Model card + data provenance | AI Governance | Model documentation + training data lineage | ✓ Aligned | ed25519-signed manifests via qmesh substrate |
| Vulnerability disclosure | Operational | Security@neuraparse.com response time | ✓ Aligned | Acknowledged < 24 h; remediation SLA |
| Incident response runbook | Operational | Detection → containment → notification | ✓ Aligned | Tested quarterly; customer notification SLA |
| Backup + recovery | Operational | RPO 24 h · RTO 4 h | ✓ Aligned | Encrypted off-site backups; restore drills |
| Business continuity plan | Operational | BC + DR plan with annual exercise | ✓ Aligned | Reviewed annually; sponsor at exec level |
| HIPAA (healthcare) | Sector-specific | PHI handling for healthcare customers | ✓ Aligned | BAA available; design-aware controls |
| ITAR / EAR (export) | Sector-specific | Defense / dual-use technology | ◐ In progress | Compliance review on case-by-case basis |
| ISO 13485 (medical QMS) | Sector-specific | Medical device development | → On roadmap | Aligned to customer-led pathways |
Legend: ✓ Aligned · ◐ In progress · → On roadmap
Need a specific attestation, DPA, or sub-processor list? Email security@neuraparse.com with the procurement contact and we'll route the right document.
Compliance & Legal
The live public stack includes dedicated pages for privacy, terms, cookies, DPA, security, and contact routing. That makes the trust surface easier to inspect and easier to use.
Privacy policy
Published with GDPR and CCPA framing, Google API data-use notes, and direct privacy contacts.
Legal hub
One public place to reach privacy, terms, cookies, DPA, and security policy material.
Incident response
The public security policy lists response procedures, recovery steps, and breach-notification commitments.
Enterprise routes
Custom paperwork, security questionnaires, and compliance follow-ups are routed through dedicated contact paths.
Use the published contact routes for support, security, privacy, or a guided NowFlow demo tailored to your stack.