Security built into the architecture — not bolted on.
NevTech Catalyst handles the documents, policies, and AI keys that run your business. So isolation and encryption aren’t a settings page — they’re structural. Your data is separated at the database layer, your secrets are encrypted with managed keys, and every sensitive action is recorded. Here’s exactly how.
Four controls do the heavy lifting.
Most breaches come from the boring fundamentals being optional. We made them mandatory and moved them down the stack, where they can’t be skipped by a forgotten check in application code.
Tenant isolation at the database
Every workspace’s data is separated by Postgres row-level security — enforced by the database engine, not just application code.
Secrets encrypted with managed keys
API keys and connection tokens are sealed with AES-256-GCM under a Google Cloud KMS key. Plaintext is never written to logs.
Role-based access control
Owner, admin, and member roles gate every sensitive action. Admin-only operations are checked in middleware on every request.
Everything important is audited
Key rotations, document changes, connector edits, and more are written to an append-only, per-workspace audit trail with actor and IP.
Cross-tenant data leakage is structurally impossible.
Many SaaS platforms keep tenants apart with a WHERE org_id = ? clause in application code. One missing clause, anywhere, and data leaks across customers. We don’t rely on that. Isolation is enforced by Postgres itself, through row-level security policies the database applies to every single query.
This same isolation extends to your document AI — retrieval can only ever surface chunks from your own workspace.
Your keys are sealed with envelope encryption.
The most sensitive things you store with us are credentials — your own AI provider keys and the tokens for any tools you connect. We protect them with the same envelope-encryption pattern cloud providers use for their own systems.
Per-secret data keys
Each stored secret gets its own random 256-bit data key and is encrypted with AES-256-GCM, which also detects any tampering with the ciphertext.
Wrapped by Google Cloud KMS
That data key is itself encrypted (“wrapped”) by a key held in Google Cloud KMS that never leaves the KMS boundary. Decryption requires a privileged, audited KMS call.
Never logged, zeroed after use
Plaintext secrets are never written to logs, and the in-memory data key is zeroed immediately after each operation.
In transit, everything runs over HTTPS. At rest, the underlying database and file storage are encrypted by Google Cloud Platform.
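The envelope pattern described above, as an added example that is not NevTech's own code. It assumes the third-party Python `cryptography` package; `LocalKeyService` is a hypothetical in-process stand-in for the KMS-held key, and binding the workspace ID as associated data is an assumption of this example.

```python
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class LocalKeyService:
    """Hypothetical stand-in for a managed KMS key: callers can wrap and unwrap
    data keys but never read the key-encryption key itself."""

    def __init__(self):
        self._kek = AESGCM(AESGCM.generate_key(bit_length=256))

    def wrap(self, data_key, context):
        nonce = os.urandom(12)
        return nonce + self._kek.encrypt(nonce, data_key, context)

    def unwrap(self, wrapped, context):
        return self._kek.decrypt(wrapped[:12], wrapped[12:], context)


def seal_secret(kms, secret, workspace_id):
    """Encrypt one secret under its own fresh 256-bit data key, then wrap that key."""
    context = workspace_id.encode()  # assumption: AAD ties the record to one workspace
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce; each data key encrypts exactly once
    return {
        "wrapped_key": kms.wrap(data_key, context),
        "nonce": nonce,
        "ciphertext": AESGCM(data_key).encrypt(nonce, secret, context),
    }


def open_secret(kms, record, workspace_id):
    """Unwrap the data key, then decrypt. Raises InvalidTag if the wrapped key,
    the ciphertext or the workspace context was altered."""
    context = workspace_id.encode()
    data_key = kms.unwrap(record["wrapped_key"], context)
    return AESGCM(data_key).decrypt(record["nonce"], record["ciphertext"], context)
```

Only `wrapped_key`, `nonce` and `ciphertext` are stored; without an unwrap call to the key service, the stored record cannot be decrypted.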
Verified identity, least-privilege access.
Connections can’t be turned against your network.
Catalyst lets you connect external tools and data sources. Any feature that fetches a URL on your behalf is a potential server-side request forgery (SSRF) risk — so we guard it directly.
Private addresses blocked
Connected servers are validated before use: internal/private IP ranges and localhost are rejected, and the hostname is re-resolved to defeat DNS rebinding tricks.
HTTPS enforced
In production, connected endpoints must use HTTPS — no plaintext callbacks, no downgrade.
Rate limiting & hardened headers
The API applies per-client rate limiting and standard hardened security headers on every response.
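One way to implement the address and HTTPS checks described above, as an added example that is not NevTech's own code. The function names, the `RebindingResolver` test double and the sample address 93.184.216.34 are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """All addresses the name resolves to right now, via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:127.0.0.1 wraps an IPv4 address
        ip = ip.ipv4_mapped
    return ip.is_global  # False for loopback, RFC 1918, link-local, CGNAT ranges


def vet_endpoint(url, resolver=system_resolver, production=True):
    """Return the vetted IPs for url, or raise ValueError if ANY answer is internal."""
    parts = urlsplit(url)
    if production and parts.scheme != "https":
        raise ValueError("connected endpoints must use HTTPS")
    if not parts.hostname:
        raise ValueError("URL has no host")
    addrs = resolver(parts.hostname)
    blocked = [a for a in addrs if not is_public(a)]
    if blocked or not addrs:
        raise ValueError(f"{parts.hostname} resolves to a blocked address: {blocked}")
    return addrs


def pin_for_request(url, resolver=system_resolver):
    """Call right before each outbound request: resolve again, vet again, and
    return one IP to connect to so the HTTP client does no lookup of its own."""
    return vet_endpoint(url, resolver)[0]


class RebindingResolver:
    """Constructed test double: public answer on the first lookup, loopback after."""

    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["127.0.0.1"]
```

Validating only when the connection is registered is not enough: the second lookup in `RebindingResolver` returns loopback, and it is the re-check in `pin_for_request` that rejects it.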
A record of who did what, in your workspace.
Sensitive actions across the platform — storing or rotating a key, changing a member’s role, editing a connector, lifecycle events on documents and skills — are written to an append-only audit log scoped to your workspace. Each entry captures the actor and originating IP, and the log is protected by the same row-level isolation as the rest of your data.
Your business data isn’t training anyone’s model.
Not used for training
Your business data is never used to train AI models. It’s used to answer your questions, in your workspace, and nothing more.
Bring your own keys
You can run AI calls on your own provider keys (Anthropic, OpenAI, Google). They’re stored with the envelope encryption described above and used only for your workspace’s requests.
Embeddings stay yours
Document embeddings used for retrieval are isolated per workspace under the same database-level policy — they’re never pooled across customers.
Certified where it counts — and you own your data.
SOC 2 Type II
NevTech Catalyst is SOC 2 Type II certified — independently audited controls for security, availability, and confidentiality.
HIPAA
HIPAA-compliant with a Business Associate Agreement available on the Scale plan, for teams handling protected health information.
You own your workspace
Everything in your workspace is yours. On cancellation, we delete it permanently within six months.
Building your AI governance posture is a first-class part of the platform, too — the AI Conformance Statement gives you a documented, versioned policy to hand to insurers and auditors.
Bring the platform to your security team.
Tenant isolation at the database, KMS-encrypted secrets, audited activity, and SOC 2 Type II + HIPAA. Start with a free assessment, or talk through the details with us.