Privacy Policy

Last updated May 15, 2026

Introduction

Vernovi (“we,” “us,” or “our”) provides a compliance management platform that helps organizations track their cybersecurity controls and pull evidence from the cloud services they use. This policy explains what information we collect, why we collect it, how we store it, and your rights regarding your data.

Data we collect

When you connect a service to Vernovi, we collect data on your behalf based on the specific connection method you choose:

From Google Workspace (Admin SDK Directory API + Reports API)

When you grant Vernovi access to your Google Workspace, we read data via Google's official APIs with read-only access. We only read data covered by the OAuth scopes you explicitly approved during the consent flow:

  • User directory (admin.directory.user.readonly): user accounts, primary emails, 2-Step Verification enrollment status, admin status, suspension status, organizational unit assignment.
  • Groups and members (admin.directory.group.readonly, admin.directory.group.member.readonly): group names, group members.
  • Organizational units (admin.directory.orgunit.readonly): the org unit tree structure.
  • Domains (admin.directory.domain.readonly): the list of domains in your Workspace and which is primary.
  • Admin audit logs (admin.reports.audit.readonly): records of administrative actions taken in your Workspace (user lifecycle events, role assignments, OAuth grants, etc.).
  • Account identity (openid, userinfo.email): the email of the administrator who granted consent — used only to identify the connection in your Vernovi dashboard.

We do not request scopes that would let us read message bodies (Gmail), document content (Drive), calendar events, or chat messages. We have no ability to make changes to your Workspace.

From other connected services

We collect equivalent compliance-relevant metadata (audit logs, IAM configuration, resource configuration) from any other service you connect, such as AWS or Google Cloud, via that service's official APIs and with explicit credentials or consent you provide.

From your use of Vernovi itself

We collect standard product-usage data: your name, email, organization, session information, and the in-app actions you perform.

Why we collect this data

We collect this data only to provide the compliance management features you use Vernovi for: tracking control implementation, gathering evidence, generating compliance reports, and surfacing risks. We do not sell your data, share it with advertisers, or use it for any purpose other than delivering the service you signed up for.

How we store and protect it

  • Credentials (refresh tokens, service account keys, API keys) are encrypted at rest using AES-256-GCM, an authenticated encryption standard equivalent to that used by financial institutions and government systems. The encryption key is held separately from the encrypted data.
  • Application data is stored in encrypted databases hosted with reputable cloud providers in regions consistent with your data-residency expectations.
  • Network traffic is encrypted in transit using TLS 1.2 or higher.
  • Access to your data within Vernovi is restricted to authorized employees on a need-to-know basis and logged for audit.

Data retention and deletion

  • While your account is active: we retain your data as long as you use Vernovi.
  • When you disconnect an integration: we delete the stored connection record. For OAuth-based integrations (such as Google Workspace), we additionally call the provider's revocation endpoint so the access is revoked on their side as well.
  • When you cancel your account: we delete your account data within 30 days, except where retention is required to comply with legal obligations (e.g. tax records).
  • Audit logs of access to your data within Vernovi: retained for one year for security forensics.

Your rights

You can, at any time:

  • View what we have access to in your Vernovi dashboard.
  • Disconnect any connected service from inside Vernovi. For Google Workspace integrations, you can also revoke our access independently from your Google Account at https://myaccount.google.com/permissions.
  • Request a copy of all data we hold about you and your organization.
  • Request deletion of your account and all associated data.

To exercise any of these rights, email us at privacy@vernovi.io.

Compliance with Google API Services User Data Policy

Vernovi's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we affirm that data obtained from Google Workspace APIs is:

  • Used only to provide and improve the user-facing features of Vernovi that are prominent in our application's user interface.
  • Never transferred to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
  • Never used to serve advertisements, including retargeted or interest-based advertising.
  • Never read by humans except (a) with your affirmative agreement, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to all account holders at least 14 days before they take effect. The “Last updated” date above always reflects the current version.

Contact

For privacy-related inquiries, contact us at privacy@vernovi.io.

For other inquiries, see https://vernovi.io.