Introduction

Nivo is purpose built for UK financial services firms that need to exchange sensitive information with absolute confidence. Our platform combines bank grade encryption, a rigorously audited information security management system, and a transparent AI governance framework. The result is a secure, compliant environment for every broker, lender and customer interaction—whether you're sending a message, gathering KYC evidence or automating tasks with our new AI services.

Security & Compliance at a Glance

End to end encrypted messaging, document exchange and task automation
Hosted exclusively in AWS EU West 1 (Ireland) for guaranteed EEA data residency
100+ regulated lenders, building societies and broker networks already live on Nivo
Immutable audit trail for every message, file, identity check and AI action

Certifications & Independent Assurance

Certification | Scope | Status
ISO 27001 | Information security management system | Certified
Cyber Essentials Plus | UK Government cyber security baseline | On request (2 minute form & NDA)
FSQS | Financial Services Supplier Qualification System | Registered
DIATF | Digital Identity & Attributes Trust Framework – Identity Orchestrator | Certified
ISO/IEC 42001 | AI management system | In progress
Regular CREST aligned penetration tests are performed, and clients may conduct their own tests at any time.

Data Residency & Hosting Architecture

  • All traffic terminates at EU endpoints; data never leaves the EEA.
  • Dedicated AWS VPC spanning three availability zones, designed for 99.99% uptime.
  • Every client operates in a logically segregated instance for strict tenancy isolation.

Encryption & Secure Data Handling

Layer | Control
In transit | TLS 1.2+ across all external and internal channels
At rest | AES 256 encryption on every datastore
Message content | Additional per tenant keys encrypt message content, separate from the datastore encryption
Back ups | Encrypted, multi zone replicas with least privilege access

Identity, Authentication & Access Control

Customers: Device registration + PIN or biometrics, with optional biometric identity verification (ID&V).

Staff & Brokers: SSO (OIDC/SAML), MFA, IP allowlisting and granular role based access control.

Every action is linked to a verified identity and stored on an immutable audit trail.
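"Immutable audit trail" here, and again under Responsible AI Governance, is a property a due diligence reviewer will want defined. One standard way to make a trail tamper-evident is to hash-chain it. The Go program below is an added example of that technique, not Nivo's implementation, and its record fields, actor identities and actions are constructed for illustration: each entry commits to the hash of the previous one, so editing an earlier record breaks verification at that entry, and re-hashing the edited record only moves the break to the next link.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry is one action on the trail. The field set and the sample values
// used in main are assumptions for this example, not Nivo's record format.
type AuditEntry struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`   // verified identity the action is linked to
	Action   string `json:"action"`  // e.g. message.send, file.upload, ai.call
	Subject  string `json:"subject"` // what was acted on
	PrevHash string `json:"prev"`    // hash of the previous entry (hex)
	Hash     string `json:"hash"`    // hash over this entry's other fields
}

// AuditLog is an append-only, hash-chained trail: every entry commits to the
// one before it, so altering or deleting an earlier record breaks every hash
// that follows.
type AuditLog struct {
	entries []AuditEntry
}

// genesisHash is the all-zero "previous hash" of the first entry.
var genesisHash = hex.EncodeToString(make([]byte, 32))

// entryHash hashes the chain fields of an entry (everything except Hash).
// Struct field order fixes the JSON layout, so the encoding is canonical.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an action and links it to the current head of the chain.
func (l *AuditLog) Append(actor, action, subject string) AuditEntry {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries), Actor: actor, Action: action, Subject: subject, PrevHash: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence, back-link or hash no longer matches; -1 means the trail is intact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Tamper simulates an after-the-fact edit of a stored record, the kind of
// change an immutable trail must make detectable.
func (l *AuditLog) Tamper(i int, newAction string) {
	l.entries[i].Action = newAction
}

func main() {
	var trail AuditLog
	trail.Append("broker:jane@example.com", "message.send", "case-42")
	trail.Append("customer:device-7f3a", "file.upload", "passport.pdf")
	trail.Append("service:ai-assistant", "ai.call", "summarise case-42")
	fmt.Println("fresh trail, first bad entry:", trail.Verify())
	trail.Tamper(1, "file.delete")
	fmt.Println("after edit, first bad entry:", trail.Verify())
}
```

In practice the head hash is what you anchor externally (signed, written to a separate account, or published periodically); without that, whoever can rewrite the whole chain can also recompute every hash.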

Responsible AI Governance

  • Governed by a published AI Policy aligned to ISO/IEC 42001 principles (certification underway).
  • AI layer automates administrative tasks, not credit decisioning, keeping humans in the loop.
  • Enterprise LLM contracts (Google Gemini Enterprise, OpenAI Enterprise) contractually commit that client data is not used to train the underlying models.
  • All AI calls route via EU endpoints; outputs, prompts and function calls are captured in the audit trail.

Supplier & Sub Processor Management

  • Full sub processor register published; all vendors bound by GDPR compliant terms with explicit "no model training" clauses.
  • Onboarding reviews cover security posture, privacy controls, modern slavery and ESG criteria.

Continuous Monitoring, Testing & Incident Response

  • 24 × 7 monitoring with Amazon GuardDuty, Amazon CloudWatch and Amazon Inspector.
  • Automated testing via CI/CD pipelines.
  • Formal incident response and patch management processes under ISO 27001.

Frequently Asked Due Diligence Points

Where is my data stored?
Solely in AWS EU West 1 (Ireland).
What encryption is used?
TLS 1.2+ in transit; AES 256 at rest; per tenant keys for messages.
Do you support SSO & MFA?
Yes—OIDC/SAML plus MFA and optional IP restrictions.
Penetration tests?
Independent, CREST aligned tests every year (reports available under NDA).
GDPR & DPIA support?
Built in DPO oversight, template DPIAs and GDPR ready contracts.
How is AI controlled?
ISO/IEC 42001 aligned policy, enterprise LLM contracts with no training on client data, human oversight and full auditability.