Security
The trust pack: signed, dated, and downloadable.
Procurement, IT, and compliance get the documents they need without a sales detour. The diligence work is already done.
The pack
Everything your reviewer asks for — and a few they don't.
HIPAA BAA
Available on request, signed before any PHI flows through the platform.
SOC 2 Type II
Audit in progress with a Big Four firm. Type II report distributed under NDA on completion.
Pen-test summary
Annual external penetration test performed by OSCP-certified testers. Executive summary on request.
Sub-processor list
Live list of every vendor that touches your data, with a notification feed for any change.
Data flow diagram
A one-page diagram of how data moves from intake to CMS, with retention and residency annotations.
DPA template
Standard data processing agreement aligned to GDPR Art. 28 and CCPA service-provider terms.
Principles
The non-negotiables behind every release.
Least privilege
No human at Nofal has standing access to customer data. Access is granted just-in-time, per approval, and only for the task at hand.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit, with each tenant's data keys wrapped under a key unique to that tenant.
Audit log retention
Every access, every change, every AI inference — logged and retainable for compliance.
Regional residency
US-only by default. EU residency available on request.