Compliance

Last updated: 2026-04-25

Nova is in pre-launch. This page describes controls for the current production user-facing application and server behavior. It does not claim licenses, officers, audits, sanctions-screening programs, or partner authorizations that are not yet published. Questions go to hello@novadao.app.

1. Summary

Nova is built as self-custodial wallet software. Nova does not hold user private keys and cannot move or recover wallet funds. Nova does operate account access, payment integrations, checkout, API, webhooks, abuse prevention, support, and risk review.

This page states the compliance posture Nova currently supports for production users and production service operation. It avoids placeholder claims about unnamed companies, unnamed officers, unpublished licenses, daily sanctions-list refreshes, or third-party audits.

2. Controls Nova currently has

Nova’s current production controls include:

  • invite-only signup support;
  • disposable-email blocking;
  • Cloudflare Turnstile verification when configured;
  • same-origin CSRF checks on sensitive auth flows;
  • rate limits on public and auth endpoints;
  • HIBP Pwned Passwords checks from the browser using only the password hash prefix;
  • Argon2id password/auth-secret hashing;
  • email verification and password-reset token hashing and expiry;
  • TOTP, encrypted TOTP secrets, and hashed backup codes;
  • account session limits and HttpOnly cookies;
  • API key hashing, idempotency records, per-key usage counters, CORS origin checks, and optional IP/domain allowlists;
  • webhook signing and delivery tracking;
  • auth risk telemetry for duplicate-account, bot, and credential-stuffing review;
  • user messaging, account restrictions, and fraud-review tooling for production accounts.

3. Controls Nova does not claim yet

Nova does not currently claim, based on this repository alone:

  • a published operating legal entity for broad public launch;
  • a named Data Protection Officer or compliance officer;
  • a formal Brazilian representative;
  • bank, broker, exchange, VASP, payment-institution, or investment licenses held by Nova;
  • independent security audit, SOC report, ISO certification, PCI certification, or annual transparency report;
  • KYC performed directly by Nova;
  • daily sanctions-list refresh infrastructure;
  • Google, Meta, TikTok, or similar analytics/advertising integrations.

These items should be added to this page only after they are actually in force and supportable.

4. Payment and DePix dependency

PIX and DePix flows depend on third-party payment providers, including Eulen/DePix where enabled. Nova records operational metadata for deposits and withdrawals so the app can show status, reconcile payments, provide support, and investigate abuse.

Any regulated payment, KYC, AML, chargeback, reversal, or reporting duty handled by a provider remains subject to that provider’s own terms, policies, licenses, and legal obligations.

5. Abuse and fraud review

Nova can review signals such as repeated failed logins, signup velocity, disposable email use, suspicious invite patterns, shared device fingerprints, shared IP patterns, paste-heavy or inhuman form behavior, payment-link abuse, deposit bursts, webhook/API abuse, and repeated low-conversion payment activity.

These controls are used to protect users and the service. They may result in rate limits, lockouts, additional review, feature limits, blocked API traffic, or account restrictions. Users can request review by emailing hello@novadao.app.

6. Public blockchains and self-custody

Liquid network transactions are public or visible to network participants and explorers according to the network’s design. Nova may query explorers with addresses or scriptPubKeys and may broadcast raw transaction hex, but Nova does not hold the signing keys.

If Nova receives a legal request to move, freeze, or recover on-chain funds, Nova can only act within its technical control. It cannot sign a transaction without the user’s wallet keys.

7. Authorities and legal requests

Nova reviews legal requests before disclosing data. When a request is valid and within Nova’s control, Nova may disclose account, payment, API, webhook, risk, session, support, or audit records. Nova may preserve records when legally required.

Nova may not notify a user when notice is prohibited, would create a security risk, or would interfere with an investigation. Otherwise, Nova aims to be transparent where lawful and practical.

8. Security incidents

Nova’s incident response should follow applicable law, including LGPD requirements for incidents involving personal data of people in Brazil. The ANPD currently instructs controllers to notify the ANPD and the affected data subjects within three business days when an incident may create relevant risk or damage, unless a specific law sets another period.

9. Contact

Report abuse, security concerns, legal requests, privacy requests, or compliance questions to hello@novadao.app.

© 2026 Nova · Pre-launch · Open source under GPL-3.0 · PIX and DePix rails depend on configured partners