Security posture — what happens to your data
How Star Nova AI handles visitor and customer data across the public site, the assessment, the Training Center, and admin surfaces. Sub-processor list, retention windows, and the controls a procurement reviewer can verify.
Where your data goes, by surface
| Surface | Data collected | Store | Retention | LLM use |
|---|---|---|---|---|
| Public marketing pages | IP, user-agent, referrer (analytics only) | Supabase `page_views` + Plausible / GA4 | 90 days raw, then aggregated indefinitely | None |
| AI Readiness Assessment | Submitted answers + email (after lead-gate) | Supabase `assessments` + `leads` | Indefinite while the account is active | Google Gemini (text refinement of the report narrative). No persistence beyond the request. |
| AI Training — quote-request, boutique inquiry, "Meet an AI consultant" | Form payload (name, email, company, intent) + source path | Supabase `service_inquiries` | Indefinite while we are in active correspondence | None |
| Cohort waitlist + ROI-Lab waitlist + Experience-Lab waitlist | Email + magnet slug | Supabase `leads` + `service_inquiries` | Until unsubscribe | None |
| Prompt Playground / Diff Coach / Skills-Gap Auditor | Submitted prompt text + IP (for rate-limit only) | Upstash Redis (rate-limit counters only, 24h TTL). Prompt text is NOT persisted. | Counters: 24h. Prompts: not stored. | Google Gemini Flash (free tier). Subject to Google’s API terms; no data persistence on our side. |
| Self-issued Open Badges 3.0 credential | Recipient email + evidence reference | Supabase `training_credentials` | Indefinite (badges are designed to be permanent) | None |
Controls a reviewer can verify
TLS everywhere
All traffic terminates at Azure Front Door with HTTPS-only enforcement. No HTTP fallback is permitted.
Secrets in vault, never in repo
Every credential (Supabase service role, Gemini API key, Resend key, OB3 issuer private key, Upstash REST token, Turnstile secret) lives in the Azure SWA configuration store. The repository’s registry-drift audit (lib/admin/resources.ts) fails the build if a code path references an env var that is not registered.
Row-level security by default
Supabase RLS denies by default. Public reads are explicit per-table policies. Service-role writes only happen in server-side API routes, never in client components.
Least privilege for admin surfaces
/admincenter is gated by Supabase Auth + a role check (`profiles.role in (admin, super_admin)`). Sensitive operations (admin invite/revoke, OB3 keypair rotation, rate-limit reset) require `super_admin`. All admin actions append to an immutable audit log.
Self-issued Open Badges 3.0 — verifiable offline
Credentials are signed with an Ed25519 keypair. The public verification key is served at /.well-known/openbadges-issuer/jwks.json so any third party can validate a badge without contacting us. The private key never leaves the Azure SWA secret store.
Cost-governed LLM surfaces
Wave-1 uses Google Gemini Flash on the free tier only. The Playground and Diff Coach are capped at 2 runs per IP per day; the Skills-Gap Auditor at 1 run per email. Above the cap, a canned response is returned instead of an LLM call; no paid LLM key is configured.
Sub-processor list
Updated whenever a new integration ships. If a vendor is missing from this list, it is not processing data for us.
| Vendor | Purpose | Data class | Region | Trust page |
|---|---|---|---|---|
| Microsoft Azure (Static Web Apps) | Hosting + serverless API runtime | All traffic | East US | Link |
| Supabase | Auth + primary database | All persisted data | AWS us-east-1 | Link |
| Resend | Transactional email (inquiries, drips) | Email address + email body | AWS us-east-1 | Link |
| Cal.com | "Meet an AI consultant" + discovery booking | Name, email, booking metadata | EU | Link |
| Google (Gemini API, free tier) | LLM proxy for assessment narrative + playground + skills-gap | Prompt text only (no PII required) | Global | Link |
| Upstash Redis | Rate-limit + budget-guard counters | IP-derived hash + counter values | AWS us-east-1 | Link |
| Cloudflare Turnstile | Bot/CAPTCHA on free-tool surfaces | Visitor signals (no PII) | Global | Link |
| Plausible Analytics | Aggregate site analytics | No cookies, no PII | EU | Link |
Frequently asked
Do you train models on customer data?
No. We do not fine-tune or train any model on customer data, prompts, or assessment answers. The Gemini free tier is subject to Google’s API terms; we recommend reviewing those if your use case is sensitive.
Where are backups stored and for how long?
Supabase runs daily point-in-time backups under its standard plan. We do not maintain a separate copy of customer data outside Supabase.
Can you sign a DPA?
Yes — email info@starnovai.com with your standard DPA. We can also countersign the Supabase + Resend + Cal.com DPAs that already cover our processing.
Can you complete our security questionnaire?
Yes — the Wave-2 Vendor Questionnaire Autofill stub returns canned answers derived from this page. For Wave-1, email the questionnaire to info@starnovai.com and we respond manually.
How do I report a security issue?
Email info@starnovai.com with subject "Security report". We acknowledge within one business day.
Use the answers below to populate SIG Lite, CAIQ, or HECVAT entries. Each row points to the public source on this site so a reviewer can verify independently. The full auto-fill build (SIG / CAIQ / HECVAT adapters) is on the Wave-2 backlog.
Question 1
Where is customer data stored?
Customer data is stored in Microsoft Azure (US regions) and Supabase Postgres. Backups are encrypted at rest with AES-256 and held for 30 days.
Source: /proof/security#data-residency
Question 2
Do you train AI models on customer data?
No. All LLM calls go through API endpoints (OpenAI, Anthropic, Azure OpenAI, Google Gemini free-tier) under terms that prohibit training on submitted content. Free-tool prompts (Playground, Skills-Gap Auditor) carry an in-product warning against pasting confidential data.
Source: /proof/security#ai-use
Question 3
Who has access to production systems?
Production access is limited to two named individuals on a single-developer team using SSO with hardware-backed second factors. All access is audit-logged in Supabase and reviewed monthly.
Source: /proof/security#access
Question 4
Do you have SOC 2 / ISO 27001?
We are not yet SOC 2 or ISO 27001 certified. We follow CIS Controls v8 IG1 and publish our control mapping on /proof/security. A DPA is available on request.
Source: /proof/security#certifications
Question 5
How are incidents reported?
Material security incidents are disclosed to affected customers within 72 hours via the email of record. Status is mirrored on /proof/security and in the changelog.
Have a security or procurement question?
One inbox, one human, one business-day acknowledgement.
info@starnovai.com