Security, Handled.
How Nirvani protects data, documents subprocessors, and supports enterprise procurement and security review.
Last updated: July 4, 2026
1. Overview
Nirvani provides AI revenue infrastructure for service businesses: CRM, automation, messaging, voice, booking, payments, and related capabilities. Security is built into how we host, operate, and support the platform.
This Trust Center summarizes our security posture for customers, prospects, and procurement teams. For contractual terms, see our Privacy Policy and Terms & Conditions.
Enterprise review: For security questionnaires, DPAs, or subprocessor detail, email [email protected]. Empire engagements include white-glove procurement support.
2. Controller vs Processor
Nirvani acts in different capacities depending on whose data is processed:
- Controller. For website visitors, prospects, billing contacts, and Nirvani's own business operations, Nirvani is the data controller.
- Processor / Service Provider. For data your organization inputs into the platform or that flows through Nirvani in connection with your customers, leads, and contacts ("Client Data"), Nirvani acts as a processor on your documented instructions.
If you are an end customer of a Nirvani client, contact that business first. Nirvani assists clients in responding to verified privacy requests as required by agreement.
3. Infrastructure
Nirvani runs on hardened cloud infrastructure designed for availability, DDoS protection, and global delivery:
- Cloudflare for edge delivery, WAF, and Pages hosting
- AWS and Google Cloud for core services and storage where applicable
- Anthropic and OpenAI for AI inference in governed workflows
- Stripe for payment processing (card data handled by Stripe, not stored by Nirvani)
Each client organization operates in a dedicated sub-account environment. Your team controls access within that environment.
4. Subprocessors
Nirvani uses vetted subprocessors to deliver the platform. Categories include:
| Category | Purpose | Examples |
|---|---|---|
| Cloud & CDN | Hosting, security, delivery | Cloudflare, AWS, Google Cloud |
| AI inference | Voice, chat, automation intelligence | Anthropic, OpenAI |
| Payments | Card and ACH processing | Stripe |
| Communications | SMS, voice, email delivery | Carrier and messaging providers |
| Analytics & ops | Product reliability and support | Operational tooling under contract |
Enterprise customers may request the current subprocessor list and notification process for material changes.
5. Data Handling
What we process
- Contact records, communication content, call metadata, appointment data, and pipeline activity
- Account and billing information for platform administration
- Configuration data for automations, agents, websites, and integrations
Retention
Client Data is retained according to your agreement and operational needs. Upon contract termination, export and deletion procedures are handled per the data processing terms in your agreement.
Data residency
Primary processing occurs in United States-based infrastructure unless otherwise agreed in an enterprise contract.
6. Encryption
- In transit: TLS for data transmitted between clients, Nirvani, and subprocessors
- At rest: Encryption applied by underlying cloud providers for stored data
- Secrets: API keys and credentials stored using platform secret management, not in client-facing code
7. Access Controls & Audit Logs
Nirvani supports role-based access within your organization. Platform capabilities include:
- User and permission management per sub-account
- Activity logging across logins, configuration changes, and operational events
- Administrative controls for messaging compliance and consent handling
Nirvani personnel access Client Data only when necessary for support, security, or legal obligations, under internal access policies.
8. Compliance Posture
Nirvani is designed for regulated service-business workflows. Posture highlights:
- TCPA / A2P messaging: Built-in consent, opt-in/opt-out, and carrier compliance tooling for SMS and messaging programs
- PCI: Payment card data processed by Stripe; Nirvani does not store raw card numbers
- HIPAA-sensitive workflows: Available for qualified healthcare deployments under a Business Associate Agreement where required. Discuss scope during enterprise onboarding.
- SOC 2 alignment: Nirvani infrastructure is SOC 2-ready in design. Formal attestation roadmap is available on request for enterprise prospects.
We document what is true today and what is available under contract. We do not claim certifications or regulatory status we have not earned.
9. Incident Response
Nirvani maintains procedures to detect, contain, investigate, and remediate security incidents. For incidents affecting Client Data, we notify affected customers according to contractual obligations and applicable law.
Report a security concern to [email protected]. Include affected account, timeline, and impact if known.
10. Enterprise Security Requests
Procurement and IT teams can request:
- Completed security questionnaires (SIG, CAIQ, or custom)
- Data Processing Addendum (DPA)
- Current subprocessor list
- Architecture overview for security review
- HIPAA BAA scoping (where applicable)
Empire enterprise engagements include prioritized review and named security contact coordination.
11. Contact Security
Nirvani Company
16220 N Scottsdale Rd, Suite 300
Scottsdale, AZ 85254