Security at Nerava
How we protect driver data and partner integrations.
Data Security in Transit and at Rest
- All connections use HTTPS with TLS 1.2 or higher. Unencrypted HTTP requests are redirected.
- Data at rest is encrypted using AES-256 via AWS-managed encryption keys.
- Security headers enforced on all responses: HSTS (max-age 2 years), X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, and XSS protection.
- Secrets and credentials are stored in AWS Secrets Manager, never in application code or environment files.
Authentication and Authorization
- Vehicle integrations use OAuth 2.0 through Tesla Fleet API and Smartcar. Nerava never stores vehicle owner passwords.
- Partner API keys use SHA-256 hashed storage with HMAC verification. Keys can be rotated without downtime.
- Internal access follows the principle of least privilege. Role-based access controls separate driver, merchant, admin, and partner permissions.
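The partner-key scheme above (SHA-256 hashed storage, HMAC-style constant-time verification, zero-downtime rotation) as an added illustration, not Nerava's own code: it assumes the hash of each key is stored, the presented key is hashed and compared in constant time, and rotation keeps the old and new hashes active together until the old one is retired.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_api_key(api_key: str) -> str:
    """Store only the SHA-256 digest of a partner key, never the plaintext."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


@dataclass
class PartnerKeyStore:
    # partner_id -> active key hashes, oldest first (hypothetical in-memory store).
    # Holding two hashes during a rotation window is what lets the old key keep
    # working while the partner switches to the new one.
    active: dict[str, list[str]] = field(default_factory=dict)

    def issue(self, partner_id: str) -> str:
        """Mint a random key, record its hash, return the plaintext exactly once."""
        api_key = secrets.token_urlsafe(32)
        self.active.setdefault(partner_id, []).append(hash_api_key(api_key))
        return api_key

    def verify(self, partner_id: str, presented: str) -> bool:
        """Hash the presented key and compare against every active hash in constant time."""
        digest = hash_api_key(presented)
        matched = False
        # No early return: check every hash so timing does not reveal which one matched.
        for stored in self.active.get(partner_id, []):
            if hmac.compare_digest(stored, digest):
                matched = True
        return matched

    def rotate(self, partner_id: str) -> str:
        """Start a rotation: the new key is valid immediately, the old one stays valid."""
        return self.issue(partner_id)

    def retire_old(self, partner_id: str) -> None:
        """Finish a rotation: keep only the newest hash, invalidating earlier keys."""
        hashes = self.active.get(partner_id, [])
        if hashes:
            self.active[partner_id] = hashes[-1:]
```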
Consent and Data Flow
- Drivers provide explicit consent before any vehicle data is accessed. Vehicle connections require active OAuth authorization by the vehicle owner.
- Consent is session-level and revocable. Drivers can disconnect their vehicle or delete their account at any time, which immediately stops all data collection.
- No passive telemetry collection. Nerava only accesses vehicle data when a driver has an active session or has explicitly connected their vehicle.
Compliance Roadmap
| Certification | Target | Status |
|---|---|---|
| SOC 2 Type 1 | Q3 2026 | Planning |
| SOC 2 Type 2 | Q2 2027 | Planned |
| CCPA Compliant Practices | Current | Active |
| GDPR Compliant Practices | Current | Active |
| ISO 27001 | Under evaluation | Evaluating |
Responsible Disclosure
If you discover a security vulnerability in Nerava, we want to hear about it. Please report it responsibly.
Report a vulnerability
Email security@nerava.network with details of the issue. Include steps to reproduce if possible.
We respond to all security reports within 48 hours.
