Trust Center

Security, Handled.

How Nirvani protects data, documents subprocessors, and supports enterprise procurement and security review.

Last updated: July 4, 2026

1. Overview

Nirvani provides AI revenue infrastructure for service businesses: CRM, automation, messaging, voice, booking, payments, and related capabilities. Security is built into how we host, operate, and support the platform.

This Trust Center summarizes our security posture for customers, prospects, and procurement teams. For contractual terms, see our Privacy Policy and Terms & Conditions.

Enterprise review: For security questionnaires, DPAs, or subprocessor detail, email [email protected]. Empire engagements include white-glove procurement support.

2. Controller vs Processor

Nirvani acts in different capacities depending on whose data is processed:

  • Controller. For website visitors, prospects, billing contacts, and Nirvani's own business operations, Nirvani is the data controller.
  • Processor / Service Provider. For data your organization inputs into the platform or that flows through Nirvani in connection with your customers, leads, and contacts ("Client Data"), Nirvani acts as a processor on your documented instructions.

If you are an end customer of a Nirvani client, contact that business first. Nirvani assists clients in responding to verified privacy requests as required by agreement.

3. Infrastructure

Nirvani runs on hardened cloud infrastructure designed for availability, DDoS protection, and global delivery:

  • Cloudflare for edge delivery, WAF, and Pages hosting
  • AWS and Google Cloud for core services and storage where applicable
  • Anthropic and OpenAI for AI inference in governed workflows
  • Stripe for payment processing (card data handled by Stripe, not stored by Nirvani)

Each client organization operates in a dedicated sub-account environment. Your team controls access within that environment.

4. Subprocessors

Nirvani uses vetted subprocessors to deliver the platform. Categories include:

CategoryPurposeExamples
Cloud & CDNHosting, security, deliveryCloudflare, AWS, Google Cloud
AI inferenceVoice, chat, automation intelligenceAnthropic, OpenAI
PaymentsCard and ACH processingStripe
CommunicationsSMS, voice, email deliveryCarrier and messaging providers
Analytics & opsProduct reliability and supportOperational tooling under contract

Enterprise customers may request the current subprocessor list and notification process for material changes.

5. Data Handling

What we process

  • Contact records, communication content, call metadata, appointment data, and pipeline activity
  • Account and billing information for platform administration
  • Configuration data for automations, agents, websites, and integrations

Retention

Client Data is retained according to your agreement and operational needs. Upon contract termination, export and deletion procedures are handled per the data processing terms in your agreement.

Data residency

Primary processing occurs in United States-based infrastructure unless otherwise agreed in an enterprise contract.

6. Encryption

  • In transit: TLS for data transmitted between clients, Nirvani, and subprocessors
  • At rest: Encryption applied by underlying cloud providers for stored data
  • Secrets: API keys and credentials stored using platform secret management, not in client-facing code

7. Access Controls & Audit Logs

Nirvani supports role-based access within your organization. Platform capabilities include:

  • User and permission management per sub-account
  • Activity logging across logins, configuration changes, and operational events
  • Administrative controls for messaging compliance and consent handling

Nirvani personnel access Client Data only when necessary for support, security, or legal obligations, under internal access policies.

8. Compliance Posture

Nirvani is designed for regulated service-business workflows. Posture highlights:

  • TCPA / A2P messaging: Built-in consent, opt-in/opt-out, and carrier compliance tooling for SMS and messaging programs
  • PCI: Payment card data processed by Stripe; Nirvani does not store raw card numbers
  • HIPAA-sensitive workflows: Available for qualified healthcare deployments under a Business Associate Agreement where required. Discuss scope during enterprise onboarding.
  • SOC 2 alignment: Nirvani infrastructure is SOC 2-ready in design. Formal attestation roadmap is available on request for enterprise prospects.

We document what is true today and what is available under contract. We do not claim certifications or regulatory status we have not earned.

9. Incident Response

Nirvani maintains procedures to detect, contain, investigate, and remediate security incidents. For incidents affecting Client Data, we notify affected customers according to contractual obligations and applicable law.

Report a security concern to [email protected]. Include affected account, timeline, and impact if known.

10. Enterprise Security Requests

Procurement and IT teams can request:

  • Completed security questionnaires (SIG, CAIQ, or custom)
  • Data Processing Addendum (DPA)
  • Current subprocessor list
  • Architecture overview for security review
  • HIPAA BAA scoping (where applicable)

Empire enterprise engagements include prioritized review and named security contact coordination.

11. Contact Security

Nirvani Company
16220 N Scottsdale Rd, Suite 300
Scottsdale, AZ 85254

[email protected] · [email protected]

Enterprise overview · Privacy Policy