Security Policy

Effective Date: 11th day of February, 2026
Issued by: Nativ Technologies, Inc.

1. Infrastructure and Hosting

  • Nativ's backend services are hosted on Google Cloud Platform (GCP). The platform holds independent attestations and certifications including ISO 27001 and SOC 2/3 and provides GDPR-aligned data processing terms. These cover the underlying infrastructure; under the shared responsibility model, Nativ remains responsible for the security of the services it runs on top of it, as described in the sections below.

  • All API traffic is encrypted over HTTPS (TLS 1.2 or higher).

  • Compute infrastructure runs on Google Cloud Run with a minimum of 2 active instances for high availability.

  • All secrets and credentials are stored in Google Secret Manager, never in source code.

  • File storage uses Google Cloud Storage with service-account-restricted access policies.

2. Access Control

  • Internal systems use role-based access control (RBAC) with three roles: Admin, Maintainer, and Reviewer, each with granular permissions.

  • All administrative access requires authentication via JWT tokens or API keys.

  • Multi-factor authentication (MFA) via TOTP is available for all accounts and can be enforced organization-wide by team administrators.

  • Single sign-on (SSO) via SAML 2.0 is supported, with optional domain-level enforcement.

  • API keys are stored as SHA-256 hashes and support expiry dates.

  • Access logs are maintained and reviewed periodically.
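The following is an added example, not Nativ's code, showing one way to implement the API key handling described in this section: keys are issued once, persisted only as SHA-256 digests, checked with a constant-time comparison, and carry an optional expiry. The "ntv_" prefix, the key-id/secret layout, the in-memory store and the Unix-time expiry are assumptions for the example.

```python
"""Added example, not Nativ's code: API keys stored only as SHA-256 digests,
with key ids, constant-time verification, expiry and revocation.
Prefix, key layout, in-memory store and Unix-time expiry are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_PREFIX = "ntv_"  # assumed: lets secret scanners recognise a leaked key by shape

# Constructed in-memory store, key_id -> record. A deployment would use a database row.
KEY_STORE: dict[str, dict] = {}


def _digest(secret: str) -> str:
    # The secret part carries 256 bits of entropy, so an unsalted SHA-256 is adequate:
    # a leaked table of digests gives an attacker nothing to brute-force.
    # Low-entropy secrets such as passwords must NOT be stored this way.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(team_id: str, role: str, now: int, ttl_seconds: int | None = None) -> str:
    """Mint a key, store only the digest of its secret, and return the plaintext once."""
    key_id = secrets.token_hex(8)          # public identifier, safe to log
    secret = secrets.token_urlsafe(32)     # 32 random bytes = 256 bits of entropy
    KEY_STORE[key_id] = {
        "digest": _digest(secret),
        "team_id": team_id,
        "role": role,                      # Admin / Maintainer / Reviewer
        "expires_at": None if ttl_seconds is None else now + ttl_seconds,
        "revoked": False,
    }
    return f"{KEY_PREFIX}{key_id}_{secret}"


def _split(presented: str) -> tuple[str, str] | None:
    """Return (key_id, secret) or None if the value is not shaped like one of our keys."""
    if not presented.startswith(KEY_PREFIX):
        return None
    # key_id is hex, so the first underscore after the prefix is the separator even
    # though the urlsafe secret may itself contain underscores.
    key_id, sep, secret = presented[len(KEY_PREFIX):].partition("_")
    if not sep or not key_id or not secret:
        return None
    return key_id, secret


def revoke_key(key_id: str) -> bool:
    """Revoke by id; an administrator never needs the plaintext secret to do this."""
    record = KEY_STORE.get(key_id)
    if record is None:
        return False
    record["revoked"] = True
    return True


def verify_key(presented: str, now: int) -> dict | None:
    """Return the key's record when it is valid, otherwise None. Never log `presented`."""
    parts = _split(presented)
    if parts is None:
        return None
    key_id, secret = parts
    record = KEY_STORE.get(key_id)
    # Compare against a dummy digest when the id is unknown so that timing does not
    # reveal whether a key id exists; compare_digest keeps the check constant-time.
    stored = record["digest"] if record is not None else "0" * 64
    if not hmac.compare_digest(_digest(secret), stored) or record is None:
        return None
    if record["revoked"]:
        return None
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return None
    return record
```

The key id lets the service look up the record and lets operators log and revoke keys without ever handling the secret; the digest is what a database dump would expose, and SHA-256 preimages of a 256-bit random secret are not recoverable.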

3. Application Security

  • Rate limiting: All API endpoints are protected by rate limiting (120 requests/minute per IP globally, with tighter limits on authentication, MFA, and API key endpoints).

  • Security headers: All responses include Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. Note that X-XSS-Protection is a legacy header that current browsers ignore; the effective cross-site scripting control is the CSP.

  • CORS restrictions: API access is restricted to known origins (production dashboard, verified preview deployments, and plugin sandboxes).

  • Input validation: All API inputs are validated using typed schemas. File uploads are restricted by type and size.

  • Dependency scanning: Automated vulnerability scanning via Dependabot (weekly) and CodeQL (static analysis) across all repositories.
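The following is an added example, not Nativ's code, showing the rate-limiting scheme described above: a sliding-window limiter keyed by client IP that enforces the stated global limit of 120 requests per minute together with tighter per-route limits for authentication, MFA and API key endpoints. The specific tighter limits and route paths are assumptions; the policy states only the global figure.

```python
"""Added example, not Nativ's code: per-IP sliding-window rate limiting with a
global limit and tighter limits on sensitive routes. Route paths and the tighter
limits are assumptions; only the 120/minute global limit comes from the policy."""
from __future__ import annotations

from collections import defaultdict, deque

WINDOW_SECONDS = 60
GLOBAL_LIMIT = 120            # from the policy: 120 requests/minute per IP
ROUTE_LIMITS = {              # assumed tighter limits for sensitive endpoints
    "/auth/login": 10,
    "/auth/mfa/verify": 5,
    "/api-keys": 20,
}


class SlidingWindowLimiter:
    """Sliding-log limiter: remembers the timestamps of accepted requests per scope."""

    def __init__(self) -> None:
        # (client_ip, scope) -> timestamps of accepted requests still inside the window
        self._hits: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def _prune(self, key: tuple[str, str], now: float) -> deque[float]:
        q = self._hits[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, client_ip: str, path: str, now: float) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds).

        Every applicable scope must have room. A rejected request is not recorded,
        so a client hammering the endpoint cannot extend its own lock-out, and
        the response can carry Retry-After computed from the oldest hit.
        """
        scopes = [("global", GLOBAL_LIMIT)]
        if path in ROUTE_LIMITS:
            scopes.append((path, ROUTE_LIMITS[path]))
        for scope, limit in scopes:
            q = self._prune((client_ip, scope), now)
            if len(q) >= limit:
                retry_after = int(q[0] + WINDOW_SECONDS - now) + 1
                return False, retry_after
        for scope, _ in scopes:
            self._hits[(client_ip, scope)].append(now)
        return True, 0
```

Per-IP limiting is only as good as the address it keys on: behind a load balancer the service must take the client address from the header set by the trusted proxy, never from a header the client can supply itself, or one attacker can spread a credential-stuffing run across arbitrary spoofed addresses.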

4. Content Handling

  • Nativ does not retain customer content after processing unless the user explicitly saves it (e.g., to translation memory).

  • Processing workflows are stateless by default. Cloud Run instances are ephemeral.

  • All processing begins only when initiated by the user. There is no background syncing or automatic data capture.

  • Customer content is never logged in plaintext. Application logs record only operation metadata (language, word count, status).

5. Security Monitoring

  • Intrusion detection: Google Cloud Security Command Center is enabled for continuous vulnerability scanning and threat detection.

  • Uptime monitoring: API availability is monitored every 60 seconds with automated alerting.

  • Security event logging: Structured security events (authentication successes/failures, rate limit triggers, API key usage, MFA events) are logged to Google Cloud Logging.

  • Log retention: Security logs are retained for 90 days in a dedicated log bucket.

  • Alerting: Automated alerts are configured for service downtime, high error rates, and security warning spikes, with email notification to the security team.

  • Security dashboard: A real-time security metrics dashboard tracks request volumes, error rates, latency, log volumes, and uptime.
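The following is an added example, not Nativ's code, showing the kind of detection logic that turns the structured security events listed above into the "security warning spikes" alerts this section mentions. It runs over a constructed sample of JSON-lines events; the field names, the five-minute window, the thresholds and the sample records are all assumptions.

```python
"""Added example, not Nativ's code: a spike detector over structured security
events (auth failures, MFA failures, rate-limit triggers). Field names, window,
thresholds and the sample log are constructed assumptions."""
from __future__ import annotations

import json
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumed: look for spikes inside a 5-minute sliding window
THRESHOLDS = {        # assumed: events per (source ip, event type) inside the window
    "auth.failure": 10,
    "mfa.failure": 5,
    "ratelimit.triggered": 20,
}


def _sample_log() -> str:
    """Constructed sample: one JSON object per line, as a log export would provide."""
    base = 1_770_000_000
    records = []
    # 12 failed logins from one address cycling through six accounts: credential-stuffing shape.
    for i in range(12):
        records.append({"ts": base + 8 * i, "event": "auth.failure",
                        "ip": "203.0.113.9", "user": f"user{i % 6}@example.com"})
    records.append({"ts": base + 30, "event": "auth.success",
                    "ip": "198.51.100.4", "user": "alice@example.com"})
    records.append({"ts": base + 45, "event": "auth.failure",
                    "ip": "198.51.100.4", "user": "alice@example.com"})
    for i in range(3):
        records.append({"ts": base + 50 + i, "event": "ratelimit.triggered", "ip": "203.0.113.9"})
    lines = [json.dumps(r) for r in records]
    lines.insert(3, "not json at all")                    # malformed line the parser must survive
    lines.append(json.dumps({"event": "auth.failure"}))   # record missing required fields
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, skipping malformed or incomplete records instead of crashing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(k in rec for k in ("ts", "event", "ip")):
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_spikes(text: str) -> list[dict]:
    """One alert per (ip, event) whose count inside the window reached its threshold."""
    windows: dict[tuple[str, str], deque[tuple[int, str | None]]] = defaultdict(deque)
    alerts: dict[tuple[str, str], dict] = {}
    for rec in parse_events(text):
        event = rec["event"]
        if event not in THRESHOLDS:
            continue
        key = (rec["ip"], event)
        q = windows[key]
        q.append((rec["ts"], rec.get("user")))
        while q and q[0][0] <= rec["ts"] - WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLDS[event]:
            # Overwrite so the alert describes the latest window, not just the first crossing.
            alerts[key] = {
                "ip": rec["ip"],
                "event": event,
                "count": len(q),
                "first_ts": q[0][0],
                "last_ts": rec["ts"],
                "distinct_users": len({u for _, u in q if u is not None}),
            }
    return list(alerts.values())
```

The distinct-user count is what separates a brute-force attempt on one account (many failures, one user) from credential stuffing (many failures spread across users); both warrant the email alert to the security team described above, but the response differs.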

6. External Services

  • Only explicitly approved third-party services are used. A complete list of subprocessors is maintained at usenativ.com/subprocessors.

  • All vendors are vetted and compliant with relevant security and privacy standards (SOC 2, ISO 27001, GDPR).

  • A formal quarterly vendor review process is in place to assess ongoing compliance, security posture, and access permissions.

  • Integration credentials are encrypted at rest, with HMAC-SHA256 providing keyed integrity protection for the stored values (HMAC is a message authentication code rather than a cipher, so it guards against tampering and does not by itself provide confidentiality), and follow least-privilege principles where supported by the platform.

7. Data Loss Prevention

  • Customer content is processed in-memory and not persisted to disk unless explicitly saved by the user.

  • AI providers (OpenAI, Google Gemini) are contractually prohibited from using API data for model training.

  • Row-level security (RLS) in our database ensures tenant isolation: users can only access their own team's data.

  • All integration data flows use TLS 1.2+ and are initiated only by explicit user action.

8. Vulnerability Management

  • Automated dependency scanning (Dependabot) runs weekly across all repositories.

  • Static application security testing (CodeQL) scans code on every push and pull request.

  • Vulnerability remediation SLAs: Critical within 7 days, High within 14 days, Medium within 30 days, Low within 90 days.

  • A penetration test program is in place, with the first independent assessment scheduled for Q1 2026.

9. Incident Response

  • Nativ maintains a comprehensive incident response plan with defined severity levels (SEV-1 through SEV-4), response procedures, and escalation paths.

  • In the event of a data breach, affected customers will be notified without undue delay and no later than 72 hours after Nativ becomes aware of it. This meets or exceeds the notification timelines set by GDPR (Articles 33 and 34) and CCPA.

  • Supervisory authorities (e.g., the UK ICO, the California Attorney General) will be notified as required by applicable regulations.

  • Audit logs and diagnostics will be made available under NDA if requested.

  • Post-incident reviews are conducted for all SEV-1 and SEV-2 incidents.

10. Compliance

  • Privacy: A comprehensive privacy policy is published at usenativ.com/privacy, including DSAR procedures, data retention schedules, and AI processing disclosures.

  • GDPR: Records of Processing Activities (ROPA) are maintained per Article 30. Data subject rights requests are fulfilled within 30 calendar days.

  • AI governance: An AI Privacy Impact Assessment is maintained and reviewed annually or when AI providers change.

  • Certifications: A SOC 2 Type II attestation report is targeted for Q4 2026 (SOC 2 is an independent auditor's attestation rather than a certification).

11. Contact

Security Officer

Nativ Technologies, Inc.

1111B S Governors Ave, #23499

Dover, DE 19904

Email: founders@usenativ.com

To report a security vulnerability, please email founders@usenativ.com with the subject line "Security Vulnerability Report."