// Trust & Security Report
Noti-Fire Apps Ltd. d/b/a Novu
Open-source notification/communication infrastructure (novu.co) for developers and product teams, spanning a self-hosted open-source core (MIT), a managed multi-tenant cloud (Novu Cloud), an enterprise Hybrid-Cloud deployment, and a newer 'Novu Connect' agent-to-channel feature that lets AI agents send notifications across Slack, Email, SMS, Push, Chat, Teams, Telegram, etc.
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.novu.co“Compliance | SOC 2 Type II | ISO 27001:2013 | GDPR | HIPAA ... Compliance & Reports | SOC 2 Type II Report”
Verify on trust.novu.co“ISO 27001 2022 Report | ISO 27001 2022 Certificate (listed under Compliance & Reports); cross-verified: 'ISO 27001: Certification achieved with Stage 1 and Stage 2 audits completed'”
Verify on trust.novu.co“Compliance ... GDPR (listed as a compliance program on the trust center); cross-verified: 'GDPR: Full compliance with separate data residency options in EU and US regions'”
Verify on trust.novu.co“Compliance ... HIPAA (listed as a compliance program on the trust center); cross-verified: 'HIPAA: Compliant with Business Associate Agreements available for healthcare organizations'”
> Show 4 unconfirmed / not-held certifications
source: trust.novu.coNo public evidence. Trust center compliance section lists only SOC 2 Type II, ISO 27001:2013, GDPR, and HIPAA; no AI-governance certification is mentioned on trust.novu.co or docs.novu.co.
source: trust.novu.coNo public evidence found on any novu.co-owned page or in web search results.
source: trust.novu.coNo public evidence. Trust center notes credit card information is a category of 'Data collected' but does not list a PCI DSS attestation among its compliance programs.
source: trust.novu.coNo public evidence found on any novu.co-owned page or in web search results.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Novu Cloud offers multiple data-residency regions (US, EU, UK, Singapore, Australia, Japan, South Korea per docs.novu.co); region is selected at account creation and cannot be migrated after the fact without contacting sales.
Neither the privacy policy (novu.co/privacy/) nor the DPA (novu.co/dpa/) mentions AI/ML model training on customer data, one way or the other. Given Novu's own product now includes AI-agent notification routing ('Novu Connect'), the absence of an explicit no-training statement is a gap worth flagging rather than assuming either way.
// Security controls
Compliance reports available
SOC 2 Type II Report, ISO 27001 2022 Report, ISO 27001 2022 Certificate, Penetration Test Certificate available (typically under NDA) via the trust center.
trust.novu.coData encryption
Trust center lists 'Data encryption utilized' as an active Product security control.
trust.novu.coAccess control
Trust center lists 'Unique account authentication enforced', 'Unique network system authentication enforced', 'Access revoked upon termination' as active Infrastructure security controls.
trust.novu.coPenetration testing
Trust center lists 'Penetration testing performed' as an active Product security control and offers a Penetration Test Certificate.
trust.novu.coBusiness continuity / DR
Trust center lists 'Continuity and Disaster Recovery plans established' and '...tested' as active Internal security procedures controls, plus 'Cybersecurity insurance maintained'.
trust.novu.coSubprocessors
Disclosed subprocessors include Amazon Web Services, GitHub, Intercom, LaunchDarkly (list is longer; trust center shows a partial view).
trust.novu.coVulnerability disclosure
Anonymous security issue submission form provided, plus a dedicated security contact.
trust.novu.coSelf-hosting option
Core product is open source (MIT license) and can be fully self-hosted, giving customers complete control of data storage; separate Hybrid-Cloud offering runs inside customer infrastructure for enterprise.
github.com// Products & data scope
data: Runs entirely within the customer's own infrastructure; customer controls all storage, retention, and access. Vendor certs (SOC 2/ISO 27001) do not directly apply since Novu never touches the data.
MIT-licensed core; enterprise features (SAML SSO, audit logs, etc.) require a commercial license.
data: Customer end-user PII (name, email, phone, etc.) plus workflow/message content passes through Novu-managed infrastructure on AWS; region selectable at signup.
This is the product in scope for the trust center's SOC 2 Type II, ISO 27001, GDPR, and HIPAA claims.
data: Data plane runs in customer's environment; control plane may still touch Novu infrastructure depending on configuration.
Aimed at enterprise customers needing data residency/compliance guarantees beyond standard cloud.
data: Routes AI agent (e.g. Claude Managed Agents) messages to Slack, Email, Discord and other channels; inherits the data handling of whichever Novu deployment (Cloud/Hybrid/self-hosted) it runs on.
No separate AI-training or AI-governance disclosure was found for this feature; treat as same trust boundary as the underlying deployment until Novu publishes AI-specific terms.
// What to watch
- Identity-conflation risk: multiple unrelated companies share very similar names/domains (novu.ai - an unrelated AI chatbot company, novu.digital, novu.com/Icario, novusoftwaregroup.com, novu.nyc). This assessment covers ONLY novu.co (Noti-Fire Apps Ltd., open-source notification infrastructure); do not merge facts from those other domains.
- Certs (SOC 2 Type II, ISO 27001, GDPR, HIPAA) as listed on trust.novu.co apply specifically to Novu Cloud (the managed SaaS); they do not automatically extend to self-hosted or Hybrid-Cloud deployments where the customer runs the infrastructure.
- No explicit AI-training-on-customer-data statement found in the privacy policy or DPA, despite Novu now shipping an AI-agent feature (Novu Connect); flagged as a gap rather than assumed either way.
- Could not confirm whether the DPA is available to all pricing tiers or only enterprise customers; DPA page did not specify tier restrictions.
// At a glance
Pricing model
Freemium: 10K events/month free forever, paid tiers scale with volume; enterprise/Hybrid-Cloud sold separately.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Noti-Fire Apps Ltd. d/b/a Novu's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.novu.co